Karen got a portable video camera (a Creative Vado) for Christmas. We’ve recently started playing with it, recording Ian’s activities for posterity. Last week, Karen and Ian spent a whole day making and decorating cookies. They had a great time, and it was full of some fun “firsts” for Ian. Karen got most of the activities on the camera and is planning on editing them down to a highlights reel for the rest of the family. As they were reviewing the footage (on the camera), Ian got a hold of the camera and started pushing buttons. Play and pause weren’t a problem, but on this particular camera, the trash (delete) button is flush with the edge of the camera and easy to push. Ian pushed the delete button, and Karen, as she saw what was happening, reached to take the camera from him. In the handoff, someone pushed the confirm button, and the video was gone.
Or was it?
Like most digital recorders, the Creative Vado stores its data in flash memory. The Vado’s storage uses a FAT16 filesystem. When something is deleted, the data is not immediately overwritten. The space that the delete data used is simply marked as available. So, if nothing new has been recorded, there is a pretty good chance that the data can be recovered.
After some Internet searching, I found a program called testdisktestdisk. testdisk allowed me to (mostly) recover the deleted video file. That is, I was able to recover a 140MB chunk of data that had the right name. Now I was stuck with a 140MB data file that I knew must have the data in it, but it would not open in any video player. A little more online searching, and I found DivFix++, a tool that can read and fix corrupted AVI files. Unfortunately, it didn’t work. DivFix++ didn’t even recognize the file as an AVI movie.
Nearly ready to give up, I decided to follow one last hunch I had on how to recover the movie and be a hero for the day. I started looking through the recovered file and the other known good AVI files with hexdump, a tool that shows the raw data in a file. I noticed that all of the good AVI files started with the same 16 bytes, so I guessed that AVI files start with some sort of header or index that describes the video data in the file. Using dd and cat, I created a new file that was the 16 byte header + the recovered data file. It didn’t work. However, with this new file, DivFix++ gave me a more helpful error message, leading me to believe that I was on the right track. Not knowing where the headers ended, I took the first 512 bytes of a good AVI file and prepended them to the recovered data. Right off the bat, I was able to watch the first 5 seconds of the 5 minute video. Running the new file through DivFix++ resulted in the missing file. The only side effects are a few slightly corrupted frames at the beginning of the movie. The day was saved, and the memories were preserved.
The other side of the story, and a link to the recovered video, can be found on Karen’s blog.
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
The thoughts expressed here are my own and do not necessarily represent those of my employer.