PROJECT INFORMATION
Project Title: GoPro Deleted Video Recovery Utility
Project Start Date: 2016/02
Project Completion Date: 2016/06
Field of Science or Technology: Software Engineering and Technology
Purpose of work
To achieve technological advancement for the purpose of creating new or improving existing materials, devices, products or processes.
Experimental Development:
Overcoming Uncertainties, Work Performed, Achievements, and Outcome
We were required to recover deleted files from a flash storage device used in a GoPro video camera. As with most file systems, the metadata and pointers are lost after deletion, and because video files are large they are usually fragmented. Due to the proprietary nature of the video format, we had to reverse engineer it and then devise a method of accurately extracting the deleted video file. It was unknown whether it was possible to decipher the video stream headers and content, since manufacturers were developing more sophisticated ways of encoding video for enhanced speed, features and compression. We have also found that some video formats lack obvious stream headers (other than the initial header); these are likely simpler video formats without the ability to resync if compression fails due to data errors.
We analysed a number of good GoPro files in order to determine whether there were obvious video stream headers or any other overhead that wrapped the various chunks of video data. After analysing the binary data of the files, we were able to identify repetitive headers within the file that had similar structures. We then attempted to break down the structure into the various components describing the following video stream. We were eventually able to separate one of the most important values in the structures for recovery.
Using these values, we were able to deduce fragment sequences by first scanning the file system for any fragments containing a stream header. We then logged each fragment's location, the position of the first header relative to the beginning of the fragment, and the position of the last header relative to the end. In some cases it was difficult to determine the actual start and/or end of the fragment, so at times we were forced to manually determine the starting boundary.
After all valid video fragments on the volume were logged, we attempted to pair up fragments with their following fragments. We did this by first taking a fragment containing the principal header signifying the first fragment of the video file. Then, by using the distance from the last header to the end of the fragment and knowing the stream size, we could calculate the size of the remaining part of the stream. We then searched the scan log for a fragment that contained an entry equal to this value. If this value did not occur more than once in the log, it was very likely that it was a match. We iterated through each following fragment using the same procedure until the end of file was reached. This was continued with all other file fragments containing principal headers until all possible files were reconstructed.
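The pairing step described above, sketched in Python as an added example (not the project's own code). The record fields, the rule that a file ends when the last stream fits entirely inside its fragment, and the scan log values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    offset: int         # fragment location on the volume (from the scan log)
    lead: int           # bytes from fragment start to its first stream header
    tail: int           # bytes from its last stream header to fragment end
    stream_size: int    # assumed: total size of the stream the last header starts
    principal: bool = False   # holds the principal header (first fragment of a file)

def rebuild_chains(log):
    """Map each principal fragment offset to (ordered fragment offsets, status)."""
    chains = {}
    for start in (f for f in log if f.principal):
        chain, cur, status = [start.offset], start, "complete"
        while True:
            # Part of the last stream that must continue in the next fragment.
            remaining = cur.stream_size - cur.tail
            if remaining <= 0:   # assumed end of file: last stream fits entirely
                break
            matches = [f for f in log if not f.principal
                       and f.lead == remaining and f.offset not in chain]
            if len(matches) != 1:   # value absent or not unique in the log
                status = "ambiguous" if matches else "missing"
                break
            cur = matches[0]
            chain.append(cur.offset)
        chains[start.offset] = (chain, status)
    return chains

# Constructed scan log: one cleanly chained file, one needing manual review.
SAMPLE_LOG = [
    Fragment(0x10000, 0, 3000, 8192, principal=True),
    Fragment(0x20000, 0, 500, 4500, principal=True),
    Fragment(0x50000, 3096, 2048, 2048),
    Fragment(0x70000, 4000, 900, 4096),
    Fragment(0x90000, 5192, 1000, 4096),
    Fragment(0xA0000, 4000, 700, 4096),
]

if __name__ == "__main__":
    for start, (chain, status) in rebuild_chains(SAMPLE_LOG).items():
        print(hex(start), [hex(o) for o in chain], status)
```

A chain that stops as "ambiguous" or "missing" corresponds to the cases where the boundary had to be determined manually.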
We successfully recovered the deleted files and were able to add this format to our list of recoverable deleted video files.