Design tradeoffs for developing fragmented video carving tools

When conducting a digital forensic examination, there is sometimes a need to salvage as much playable video as possible from available data sources. Although an ideal outcome might be to have all deleted and partially overwritten file fragments identified, reassembled, and repaired to provide playable videos, there are situations where this is not possible. In addition, there are complexities in real world datasets that can lead to false positives and false negatives. This paper captures practical lessons learned from extensive experiences in this problem space, and describes tradeoffs that developers must consider when creating file carving tools for salvaging and reassembling fragmented AVI, MPEG, and 3GP video files. Recommendations are provided for each tradeoff, concentrating on increasing the amount of playable video fragments that can be salvaged, with the potential for duplicate copies of some fragments being salvaged. Developers need to carefully consider how to handle the tradeoffs described in this paper when developing fragmented video carving tools. In addition, digital investigators need to consider the strengths and limitations of different fragmented video carving methods, and need to select those that are best suited to their given dataset. Another important outcome of this work is that the products of some carving methods may be playable in one video viewer but not others, making it necessary to view carved results using various methods, including storyboarding. This paper also includes discussion of current challenges and potential future work in fragmented file carving, with the aim of advancing research and development of automated methods for reassembling salvaged video fragments.