I was recently asked to recover MP3 audio from a corrupted memory chip.
The audio was recorded using a special-purpose audio recording machine configured to record in MP3 format in stereo, 44.1 kHz at 128 kbps.
There are several tools and approaches that are sometimes helpful in automated data recovery. I tried AccessData's FTK, Foremost and Lazarus, but none of these worked in this case, so I needed a different approach.
An MP3 file is simply a sequential series of "frames" (417-418 bytes in length for this recording format), each with its own header that tells the MP3 player how to play that particular frame. If you carve out any single MP3 frame and save the result with a .mp3 extension, it will be playable all on its own. (Side note: it is the fact that each frame technically stands on its own that allows "variable bitrate" MP3s to exist. Each frame in such an MP3 can have a different bitrate, as required by the quality demands of that particular piece of audio.)
According to the client, the previous contents of the chip had been deleted prior to beginning the failed recording session. Based on this, and the assumption that the recorder would write mp3 frames to the chip in sequential order starting from a given point, I decided to try to recover the data by extracting every mp3 frame from the media and to stitch them all together in order as found.
In order to test my theories, I obtained a known good MP3 file generated by the device in question. This example file showed that this device produced mp3 content with two types of frames:
- Header hex value "FF FB 92" with a total frame length of 418
- Header hex value "FF FB 90" with a total frame length of 417
So, how to extract all the frames and keep them in sequence? Using good old-fashioned regular expressions! This regular expression will grab all MP3 frames that meet the criteria above:
\xff\xfb(\x90.{414}|\x92.{415})
However, if you are going to do this, you will need to investigate the exact nature of the mp3 that you are trying to recover. See the MPEG Audio Frame Header Specs for details.
But how was I going to pull out all the frames from my image and get them in the right order? (It turns out there were over 700,000 of them.) I considered several options, including writing a Perl script, but eventually found a hex editor that would solve my problem very elegantly: Hex Editor Neo.
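A scripted version of the same carve, as an added example that is not the author's method (the post uses Hex Editor Neo). It applies the regular expression above to a raw image, keeps frames in on-media order, and reports where contiguous runs of frames break. The function names and the sample image are constructed for illustration, and the frame-length formula assumes MPEG-1 Layer III at 128 kbps / 44.1 kHz as described in the post.

```python
import re

# The post's pattern: 3 header bytes + 414 or 415 more = 417 or 418 bytes.
# re.DOTALL is essential on binary data: without it "." skips byte 0x0A.
FRAME_RE = re.compile(rb"\xff\xfb(?:\x90.{414}|\x92.{415})", re.DOTALL)
NO_DOTALL = re.compile(FRAME_RE.pattern)  # failure mode, kept for comparison

def frame_length(header: bytes) -> int:
    """Frame size for MPEG-1 Layer III at 128 kbps / 44.1 kHz."""
    padding = (header[2] >> 1) & 1             # 0x90 -> 0, 0x92 -> 1
    return 144 * 128_000 // 44_100 + padding   # 417 or 418

def carve(image: bytes):
    """Return (offset, frame) pairs in the order found on the media."""
    return [(m.start(), m.group(0)) for m in FRAME_RE.finditer(image)]

def runs(frames):
    """Group offsets of back-to-back frames; a new run marks a gap."""
    groups, prev_end = [], None
    for offset, data in frames:
        if offset != prev_end:
            groups.append([])
        groups[-1].append(offset)
        prev_end = offset + len(data)
    return groups

def recover(image: bytes) -> bytes:
    """Stitch every carved frame together in on-media order."""
    return b"".join(data for _, data in carve(image))

def make_frame(third: int, fill: int) -> bytes:
    """Build a constructed frame (header + filler), for the demo only."""
    header = bytes([0xFF, 0xFB, third, 0x64])
    return header + bytes([fill]) * (frame_length(header) - 4)

# Constructed sample image: junk, two adjacent frames, junk, one frame.
IMAGE = (b"\x00" * 100 + make_frame(0x92, 0x0A) + make_frame(0x90, 0x11)
         + b"\x00" * 50 + make_frame(0x92, 0x22))

if __name__ == "__main__":
    found = carve(IMAGE)
    print(len(found), "frames at", [off for off, _ in found])
    print("contiguous runs:", runs(found))
    print("missed without DOTALL:", len(found) - len(NO_DOTALL.findall(IMAGE)))
    print("recovered bytes:", len(recover(IMAGE)))
```

A break between runs shows where non-audio data or a damaged frame sits on the media, which is where the stitched output is most likely to contain an audible glitch.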
My next post will discuss how to use the very cool features in Hex Editor Neo to recover data using a regular expression.
Quinn Shamblin (quinn.shamblin@uc.edu), GCFA Silver #2801, Investigator, University of Cincinnati Information Security