MP4 disk layouts
 		Previous Topic  Next Topic 

Home



With a FAT32 disk device, the logical format of a file is lost if the file is deleted.  To recover or reconstruct the file it is useful to know how it was originally organised on the disk.  A video camera has limited memory and so often the logical structure of the video file, and the physical layout on the disk are different.  To make matter worse, there are several ways that cameras solve the problem.  CnW recovery software has tools to help when files have been deleted - simple data carving is often not enough.


An MP4 file basically has three sections



The header is always first, and each of the other sections starts with a length, then data.  There is also a padding atom, called 'free'.  This allows the above sections to be placed on cluster boundaries.


The reason for what looks like the rather odd layouts is the way video is created.  The major part of the file is the video stream, which can be maybe a few GBs long.  A typical approach therefore is to record this directly to the media.  To make the file playable, a header has to be added, and also all the index and meta data (moov) fragment.  Logically these can be written to the disk when the data stream is complete, and by manipulating the file allocation table, the logical sequence can be changed to be different to the physical sequence.  When recovering via data carving, this process has to be reversed, along with checks to ensure that the correct header and moov fragments are added to the selected mdat segment.


The table below describes several variations that have been seen from phones and video cameras.  The cameras listed only represent possible examples and will never be an exhaustive list.  Recovery from these formats should be possible by selected the 'process fragments option' in data carving.  CnW has allocated short cut names for these formats that are displayed as part of the wizard function


Samsung HMX-H300

CnW Name :

Logical structure on disk

FTYP-FREE-MDAT only a single cluster, last 8 bytes are the MDAT length and header

MDAT data - just raw video data, padded at end with a FREE

MOOV starts on a cluster boundary, and is just meta data and index


Physical layout

MDAT data - padded with a FREE

FTYP-FREE-MDAT

MOOV


ie the data has been recorded first, then the FTYP header and MDAT length added.  Final cluster(s) is the moov data


Kodak Zx1 Pocket Video Camera

CnW Name :        

Physical layout on disk

FTYP - FREE

MDAT

MOOV - FREE


Logical structure for reading

FTYP - FREE

MOOV - FREE

MDAT


ie data is initially recorded first, followed with no known length, then by length and MDAT, then MOOV.  Logically, the MOOV is stored between FTYP and MDAT.  The recovery wizard reorders the clusters accordingly


GoPro, GoPro Hero 3+ Black, video camera

CnW Name : FTYP_MOOV_FREE_MDAT

Physical layout on disk

FTYP, MOOV in first cluster

MDAT

MOOV, FREE  after the MDAT atoms

Logical structure

FTYP

MOOV

FREE

MDAT


GoPro Hero-3 Black edition makes recovery hard due to recording low and high resolution at the same time, along with a thumbnail jpeg and information text file - a recovery nightmare!  Files can be fragmented in over 100 fragments.

GoPro Hero 4 Silver

       Physical layout on memory chip

               FTYP,MDAT, - in the first cluster

               MOOV

       Logical structure

               FTYP

               MDAT

               MOOV

As in GoPro Hero-3, the data on the camera memory chip has two video streams multiplexed on cluster boundaries.  The file on the memory chip may be in sequence, but is not sequential.


GoPro  - basic

       Physical layout on memory chip

RVFR  - star of vidoe data

FTYP, MOOV

FREE

MDAT        stored at the end of tye final cluster in the moov atom

Logical structure

       FTYP,MOOV,FREE,MDAT,RVFR



Fuji Film FinePix XP50

Canon EOS 600D, 700D, 80D, 70D and Rebel range

Nikon D5100

CnW Name : MDAT_FTYP_MOOV_FREE

Physical layout on disk

MDAT

FTYP, MOOV in same cluster

rest of MOOV followed by FREE

Logical structure

FTYP
MOOV

FREE

MDAT


Coolpix P330

CnW Name  FTYP_MDAT_MOOV

Physical and logical sequence the same, but can be fragmented


.MOV

CnW Name : M4_MDAT_MOOV

Logical structure

MDAT MOOV

This is rather unconventional as it has no FTYP atom



.MOV file

CnW Name  M4_FTYP_MDAT_MOOV

Logical structure

       FTYP

       MDAT  - at the start of the next cluster

       MOOV - moov may contain padding with free areas

Each atom follows the previous atom with no padding of cluster alignment.  An unfinalised file may be missing the initial ftyp, and all of the moov atom.  To recover the data, the disk must have sample of a working video from the same camera.