R-Studio fails to identify some AVI files (merges two files together)

A forum on data recovery using the professional data recovery software R-STUDIO.
abolibibelot
Posts: 38
Joined: Sun Jan 31, 2016 5:45 pm
Location: France

R-Studio fails to identify some AVI files (merges two files together)

Post by abolibibelot » Fri Jun 05, 2020 11:55 pm

In some instances R-Studio fails to identify valid AVI files, instead merging them with the one before. Attached below is a ZIP archive containing two RAR archives[1], each containing a 2.7GB AVI file extracted by R-Studio 8.7 [2] and affected by this issue. Each file contains in fact two valid and complete files. As mentioned in that other thread, those files appeared in the “Extra found files” virtual directory for the second partition of a 500GB HDD, called “Système”, whereas the original files were in fact located on the third partition, called “DATA” ; and so on “DATA” are the 4 actual files corresponding to those 2 composite files as identified by R-Studio in “raw file carving” mode. Using WinHex I compared each file with its counterpart, to check if they were strictly idendical (they were), then initialized (filled with 00) the contents except 64KB from the header and 64KB from the footer.

The files with these headers were identified :

Code: Select all

– beginning of 0537928.avi
52494646C03B5C57415649204C495354
7E2200006864726C6176696838000000
ECA20000000000000000000010010000
50400300000000000200000000000000
D0020000300100000000000000000000
00000000000000004C49535494100000

– beginning of 0537932.avi
524946466ECE8C57415649204C495354
7E2200006864726C6176696838000000
ECA20000000000000000000010010000
A7D50200000000000200000000000000
D0020000800100000000000000000000
00000000000000004C49535494100000
The files with these headers were not :

Code: Select all

– middle of 0537928.avi
5249464636095840415649204C495354
D82200006864726C6176696838000000
C2A20000D58603000000000010090000
D1970100000000000200000000001000
D00200002C0100000000000000000000
00000000000000004C495354DC100000

– middle of 0537932.avi
52494646D23F8240415649204C495354
C22200006864726C6176696838000000
ECA20000FBD902000000000010090000
F7160200000000000200000000001000
80020000620100000000000000000000
00000000000000004C495354DC100000
On file 0537928.avi, the second original AVI file starts at offset 1465663488.
On file 0537932.avi, the second original AVI file starts at offset 1468846080.
For each one of these composite files, there's no slack space between the two valid file that they contain, meaning, file 2 starts right after the end of file 1.

R-Studio -- 2 composite AVI files.zip


[1] It was necessary to shrink the size enough so that it would be accepted ; apparently the limit for RAR files is ~250KB (I couldn't find any accurate information on that matter in the FAQ, which seems to be a generic one for all forums using the same template).

[2] It may have improved in the mean time, but I had enough issues when I updated to 8.10 that I decided to stick with 8.7 until there was significant incentive to update again.
You do not have the required permissions to view the files attached to this post.

abolibibelot
Posts: 38
Joined: Sun Jan 31, 2016 5:45 pm
Location: France

Re: R-Studio fails to identify some AVI files (merges two files together)

Post by abolibibelot » Fri Sep 18, 2020 1:15 am

Checking a few months later... no reply, I can understand, I was reporting an issue rather than asking a question -- but I see that the file I provided wasn't even downloaded once, how come ?! It's quite frustrating to go through such painstaking hassle in the hope that it will contribute to a software's improvement for exactly zero outcome and zero feedback...

abolibibelot
Posts: 38
Joined: Sun Jan 31, 2016 5:45 pm
Location: France

Re: R-Studio fails to identify some AVI files (merges two files together)

Post by abolibibelot » Sun Sep 27, 2020 4:00 pm

For what it's worth, the freeware Recuva, which hasn't been updated since 2016, flawlessly recovers all those AVI files (by raw recovery / signature search).

Another example on a 3TB drive :

Code: Select all

first sector      name R-Studio    size R-Studio     name Recuva    size Recuva
sector 3873416     0000002.avi    728571904 bytes    [000002].avi    728571474
sector 71555808    0000034.avi    733720576 bytes    [000013].avi    733720542
sector 101810408   0000047.avi    732833792 bytes    [000014].avi    732832228
sector 280803328   0000279.avi    651573248 bytes    [000050].avi    651571362
sector 296796816   0000285.avi    729611758 bytes    [000052].avi    729611758
sector 299647504   0000289.avi    733921280 bytes    [000053].avi    733919690
sector 308433904   0000295.avi    734971904 bytes    [000055].avi    734971474
sector 319264048   0000297.avi    663977984 bytes    [000056].avi    663976240
sector 339971728   0000304.avi    731940864 bytes    [000058].avi    731940448
sector 493361720   0000347.avi   1678022656 bytes    [000059].avi    733908938
sector 494795136                                     [000060].avi    944112622
sector 617078000   0000379.avi   1465729848 bytes    [000062].avi    708860650
sector 618462496                                     [000063].avi    756867916
sector 619940760   0000380.avi    733628416 bytes    [000064].avi    733626740
sector 647213016   0000391.avi    734341120 bytes    [000066].avi    734340592
sector 648647280   0000392.avi    693690302 bytes    [000067].avi    693690302
sector 1664170368  0003640.avi    945549312 bytes    [000136].avi    945548436
Again, the 2 files which correspond to 4 merged files (both initialized except 128KB for the header and about 4MB for the footer, compressed as a 4.73MB 7Z archive -- this time I left the index at the end complete so the resulting file would be too big to attach directly on the forum) :
https://www.cjoint.com/c/JIBuJaTcEyA (direct link)

Files with these headers were recognized :

Code: Select all

– 0000347 at offset 0
52494646C28FBE2B415649204C495354
7E2200006864726C6176696838000000
409C0000000000000000000010010000
CC020200000000000200000000000000
00020000800100000000000000000000
00000000000000004C49535494100000

– 0000379 at offset 0
52494646E25A402A415649204C495354
7E2200006864726C6176696838000000
409C0000000000000000000010010000
03130200000000000200000000000000
80010000200100000000000000000000
00000000000000004C49535494100000
Files with these headers were not recognized :

Code: Select all

– 0000347.avi at offset 733908992
52494646E6034638415649204C495354
7E2200006864726C6176696838000000
57820000000000000000000010010000
C0520200000000000200000000000000
D0020000E00100000000000000000000
00000000000000004C49535494100000

– 0000379.avi at offset 708861952
5249464644E31C2D415649204C495354
7E0100006864726C6176696838000000
409C0000000000000000000010090000
17FD0100000000000200000000000000
20020000900100000000000000000000
00000000000000004C495354C0000000
This, despite the fact that there is a size field at offset 4 of the header, so even if file 2 in each group is not recognized there's no reason for file 1 to be identified with a size twice as large as it should be based on the header.
C2 8F BE 2B => 733908930
E2 5A 40 2A => 708860642


EDIT : I made a quick test with R-Studio 8.13.176095 (I had a high CPU usage issue with v. 8.14 on Windows 7 as mentioned here), scanning only the portions of that same HDD where those 4 files are still located, with the exact same result.

Post Reply