The curious case of missing ftyp

I got an email from one of my long-time customers a couple of days ago. He complained that ZAR will not recognize certain MOV files as vaild.

There is a validation function in ZAR, hidden in somewhat obscure manner in file selection options. The TL;DR version is that ZAR checks file headers for all files to see if they match file extensions, and then allows you to select or deselect files by header status. The criterion itself is pretty straightforward - any MOV (or MP4) file is supposed to start with the 'ftyp' tag; if the tag is in place, the file is considered valid, otherwise it is not.

This is what a typical MP4 (or MOV) file looks like:

Typical MP4 file header with 'ftyp' tag

Typical MP4 or MOV file header

Atom header occupies eight bytes. First four bytes hold atom length, and the next four bytes hold atom name, which is typically ASCII (human-readable). Typical file starts with 'ftyp' (hex 66 74 79 70), which you can see underlined in the first line on the screenshot above.

Let's see what's wrong with the sample files. Obviously, both are missing 'ftyp' tag.

MOV file missing 'ftyp' tag, starts with 'skip' tag instead

MOV file header starting with 'skip' instead of 'ftyp'

MOV file missing 'ftyp' tag, starts with 'mdat' tag instead

MOV file header starting with 'mdat' instead of 'ftyp'

Top one starts with 'skip' (which indicates padding, useless data), and the bottom one with 'mdat' (which is the tag for the actual video/audio frames). What's really surprising, both of these files play perfectly, at least with MPC-HC.

What does this show us?

Mostly that real world does not always follow standards. Standards and specifications are a good starting point when they are available, including for data recovery. However, one should not be surprised seeing cases which involve, let's say, pretty loose interpretation of seemingly applicable standards.

This also shows the importance of watching real-life cases closely. It is not really practical to do testing on all digital cameras ever produced. It quite well be impossible, actually. People tend to hold onto the files produced by the cameras which are extinct by now. Recovering these files may turn up some surprises, like in this case.

There are some clues as to where the files come from, the top one having a name of camera in it, and the bottom one mentioning "PANA", most likely for Panasonic. However, I suspect the files come up this way for some kind of a bug, not because they were created this way. So, the camera models are most likely irrelevant. I'm ready to stand corrected on this though. If you happen to own a Kodak EasyShare C360 Zoom, I would very much like to see a sample video. It would be jolly kind of you to send me a note via the support system.

Created Sunday, February 10, 2019