SANS Digital Forensics and Incident Response Blog

Recovery of MP3s using regular expressions

by Quinn Shamblin

I was recently asked to recover audio MP3 from a corrupted memory chip.

The audio was recorded using a special-purpose audio recording machine configured to record in MP3 format in stereo 44.1KHz at 128kbps.

There are several tools and approaches that are sometimes helpful in automated data recovery. I tried Access Data's FTK, Foremost and Lazarus, but none of these worked in this case, so I needed a different approach.

An MP3 file is simply a sequential series of "frames", 417-418 bytes in length, that each have their own header that tells the MP3 player how to play that particular frame. If you carve out any single MP3 frame and save the result with a .mp3 extension, it will be playable all on its own. (Side note: It is the fact that each frame technically stands on its own that allows "variable bitrate" mp3s to exist. Each frame in such an mp3 can have different bitrates as required by the quality demands of that particular piece of audio.)

According to the client, the previous contents of the chip had been deleted prior to beginning the failed recording session. Based on this, and the assumption that the recorder would write mp3 frames to the chip in sequential order starting from a given point, I decided to try to recover the data by extracting every mp3 frame from the media and to stitch them all together in order as found.

In order to test my theories, I obtained a known good MP3 file generated by the device in question. This example file showed that this device produced mp3 content with two types of frames:

  1. Header hex value "FF FB 92" with a total frame length of 418
  2. Header hex value "FF FB 90" with a total frame length of 417

So, how to extract all the frames and keep them in sequence? Using good old-fashioned Regular Expressions! This regular expression will grab all mp3 frames that meet the criteria above:

\xff\xfb(\x90.{414}|\x92.{415})

However, if you are going to do this, you will need to investigate the exact nature of the mp3 that you are trying to recover. See the MPEG Audio Frame Header Specs for details.

But how was I going to pull out all the frames from my image and get them in the right order? (It turns out there were over 700,000 of them.) I considered several options, including writing a Perl script, but eventually found a hex editor that would solve my problem very elegantly: Hex Editor Neo.
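A scripted alternative to the hex-editor route, added here as an example (it is not the author's code): Python applies the post's regular expression to a raw image, keeps the frames in the order found, and goes one step further by grouping them into contiguous runs so isolated matches stand out. The function names, the `min_run` option and the sample bytes are assumptions made for illustration.

```python
import mmap
import re

# The post's pattern as a bytes regex. re.DOTALL matters on binary data:
# without it "." does not match byte 0x0A and frames containing it are missed.
FRAME_RE = re.compile(rb"\xff\xfb(?:\x90.{414}|\x92.{415})", re.DOTALL)

def find_frames(data):
    """Return [(offset, length)] for every match, in on-media order."""
    return [(m.start(), m.end() - m.start()) for m in FRAME_RE.finditer(data)]

def contiguous_runs(frames):
    """Group back-to-back frames into (start_offset, frame_count, byte_length).
    A run of one frame between gaps may be a chance match on FF FB 9x
    rather than audio, so it deserves a manual look."""
    runs = []
    for off, length in frames:
        if runs and runs[-1][0] + runs[-1][2] == off:
            start, count, size = runs[-1]
            runs[-1] = (start, count + 1, size + length)
        else:
            runs.append((off, 1, length))
    return runs

def carve(image_path, out_path, min_run=1):
    """Stitch matched frames into out_path in the order found.
    min_run=1 keeps every match, as the post does; a higher value (an
    added option) drops short isolated runs. The image is mapped read-only."""
    with open(image_path, "rb") as f, \
         mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as img, \
         open(out_path, "wb") as out:
        runs = contiguous_runs(find_frames(img))
        kept = [r for r in runs if r[1] >= min_run]
        for start, _count, size in kept:
            out.write(img[start:start + size])
        return runs, kept

def sample_frame(third_byte, total_len):
    """Constructed test frame: header plus 0x0A filler, not real audio."""
    return b"\xff\xfb" + bytes([third_byte]) + b"\x0a" * (total_len - 3)

# Constructed image: junk, two adjacent frames, junk, one lone frame, junk.
SAMPLE = (b"\x00" * 100 + sample_frame(0x92, 418) + sample_frame(0x90, 417)
          + b"\x00" * 50 + sample_frame(0x90, 417) + b"\x00" * 20)

if __name__ == "__main__":
    for start, count, size in contiguous_runs(find_frames(SAMPLE)):
        print(f"run at offset {start}: {count} frame(s), {size} bytes")
```

Run `carve()` against a working copy of the image, and adjust the header bytes and lengths in the pattern to whatever the known-good reference file from the same recorder shows.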

My next post will discuss how to use the very cool features in Hex Editor Neo to recover data using a regular expression.

Quinn Shamblin (quinn.shamblin@uc.edu), GCFA Silver #2801, Investigator, University of Cincinnati Information Security

5 Comments

Posted April 8, 2009 at 4:05 PM

johnmccash

Could you do the same thing with deleted movies in various formats? For that matter, would it be possible to automatically extract all of the recoverable frames from an image, and then just pull out a still from the beginning of each one? How necessary is it to know the exact nature of the multimedia file you're trying to recover information from?

Posted April 15, 2009 at 2:02 AM

drpaha

You could try Defraser (http://sourceforge.net/projects/defraser). This is what they say about it:
Defraser is a forensic analysis application that can be used to detect full and partial multimedia files in datastreams. It is typically used to find (and restore) complete or partial audio/video files in datastreams (for instance, unallocated diskspace)

Posted April 15, 2009 at 4:52 PM

qshamblin

cool. I'll have to check that one out.

Posted April 15, 2009 at 4:57 PM

qshamblin

To respond to the question of how much you need to know about the media file you are looking for: If you are going to use a regular expression approach, you need to know quite a bit about it. Looking up the header record format details, forming your regex and testing it.
However, as is pointed out above, there are also other techniques that may work more automatically in some cases.

Posted April 17, 2009 at 8:10 AM

johnmccash

I tried out defraser. It's interesting, & definitely goes in the toolbox. There are lots of what appear to be false positives though, or if they're not, I can't play them correctly. Many just show a blank screen of various sizes, & some seem to change the screen size frequently. The application seems to restore audio files too. Is anybody really familiar with this application? There seem to be some other capabilities built into it, but it's not well documented, and so apart from exporting multimedia fragments as playable files, I'm not sure what you can do with it.