The curious case of missing ftyp

I got an email from one of my long-time customers a couple of days ago. He complained that ZAR does not recognize certain MOV files as valid.

There is a validation function in ZAR, hidden in a somewhat obscure manner in file selection options. The TL;DR version is that ZAR checks file headers for all files to see if they match file extensions and then allows you to select or deselect files by header status. The criterion itself is pretty straightforward - any MOV (or MP4) file is supposed to start with the 'ftyp' tag; if the tag is in place, the file is considered valid; otherwise, it is not.

This is what a typical MP4 (or MOV) file looks like:

[Screenshot: typical MP4 or MOV file header with the 'ftyp' tag]

The atom header occupies eight bytes. The first four bytes hold the atom length, and the next four hold the atom name, typically ASCII (human-readable). The typical file starts with 'ftyp' (hex 66 74 79 70), which you can see underlined in the first line on the screenshot above.

Let's see what's wrong with the sample files. Obviously, both are missing the 'ftyp' tag.

[Screenshot: MOV file header starting with 'skip' instead of 'ftyp']

[Screenshot: MOV file header starting with 'mdat' instead of 'ftyp']

The top one starts with 'skip' (which indicates padding, useless data), and the bottom one with 'mdat' (the tag for the actual video/audio frames). Surprisingly, both of these files play perfectly, at least with MPC-HC.
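The following added example, which is not ZAR's code and not part of the original post, walks the whole top-level atom chain using the eight-byte header layout described above and separates files that start with 'ftyp' from files that start with another plausible atom such as 'skip' or 'mdat'. The big-endian length, the special length values 0 and 1, and the list of known atom names are taken from the QuickTime/ISO file format rather than from the post, and the sample byte strings are constructed.

```python
import struct

# Common top-level atom names (QuickTime / ISO BMFF); not exhaustive.
KNOWN = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"wide",
         b"pnot", b"uuid", b"moof", b"mfra", b"meta"}

def walk_atoms(data):
    """Yield (name, offset, size) per top-level atom; stop at a bad header."""
    pos, end = 0, len(data)
    while pos + 8 <= end:
        size, name = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1:                  # 64-bit length follows the name
            if pos + 16 > end:
                return
            size = struct.unpack_from(">Q", data, pos + 8)[0]
            header = 16
        elif size == 0:                # atom extends to end of file
            size = end - pos
        if size < header or pos + size > end:
            return                     # impossible length for this buffer
        yield name, pos, size
        pos += size

def classify(data):
    """Return 'ftyp', 'no-ftyp' (plausible chain, other first atom) or 'invalid'."""
    atoms = list(walk_atoms(data))
    if not atoms:
        return "invalid"
    names = {name for name, _, _ in atoms}
    last_name, last_off, last_size = atoms[-1]
    complete = last_off + last_size == len(data)   # chain covers every byte
    if not complete or not names <= KNOWN or not names & {b"mdat", b"moov"}:
        return "invalid"
    return "ftyp" if atoms[0][0] == b"ftyp" else "no-ftyp"

def atom(name, payload):
    """Build a constructed test atom: 4-byte length, 4-byte name, payload."""
    return struct.pack(">I4s", 8 + len(payload), name) + payload

# Constructed samples mirroring the three headers discussed in the post.
SAMPLES = {
    "typical": atom(b"ftyp", b"qt  " + bytes(4)) + atom(b"moov", bytes(16)) + atom(b"mdat", bytes(32)),
    "skip_first": atom(b"skip", bytes(24)) + atom(b"mdat", bytes(32)) + atom(b"moov", bytes(16)),
    "mdat_first": atom(b"mdat", bytes(32)) + atom(b"moov", bytes(16)),
    "not_video": b"\x89PNG\r\n\x1a\n" + bytes(32),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, classify(blob), [n.decode() for n, _, _ in walk_atoms(blob)])
```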

What does this show us?

Mostly that the real world does not always follow standards. Standards and specifications are a good starting point when they are available, including for data recovery. However, one should not be surprised to see cases that involve, shall I say, a rather loose interpretation of seemingly applicable standards.

This also shows the importance of watching real-life cases closely. It is not practical to test all digital cameras ever produced. It may quite well be impossible. People tend to hold onto the files produced by the cameras that are extinct now. Recovering these files may turn up some surprises, like in this case.

There are some clues as to where the files come from: the top one includes the camera's name and the bottom one mentions "PANA", most likely for Panasonic. However, I suspect the files come up this way because of some kind of bug, not because they were created this way. So, the camera models are most likely irrelevant. I'm ready to stand corrected on this, though. If you happen to own a Kodak EasyShare C360 Zoom, I would very much like to see a sample video. It would be jolly kind of you to send me a note via the support system.

Filed under: File carving.

Created Sunday, February 10, 2019