Although this post was initially conceived to give a small update on the intricacies of Samsung .sec files, it also now highlights the changes and benefits of using software built for the job!
I first wrote about this format here:
and then looked at a new version here:
Over the past few years I have received a number of Samsung .sec files from various DVRs and in most cases there have been some challenges to correct data analysis.
The problems have ranged from old audio codecs being used that are no longer supported, to being unable to pull the H264 stream out of the .sec container. It’s this last one I’m going to look at here.
Now, the reason I have decided to post this is that over the past few months I have seen a slow rise in the number of standard streams being stuck inside proprietary containers, and attempts to rip them out and rewrap them are failing using the usual methods… yes, with our old friend FFmpeg!
This .sec file is such a good example of the problem…
As stated in the original posts, tucked away inside these .sec files is a raw H264 stream crying to get out. However, there is some proprietary data at the start of the file that causes a few glitches if you simply attempt a rewrap in FFmpeg. Actually, it’s one big glitch – it doesn’t work!
It’s this bit of highlighted data, just prior to the first MPEG header. I can cut these 61 bytes to create a new file, or I can simply skip 61 bytes in FFmpeg prior to it starting to decode the file.
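The 61-byte skip generalised, as added example code that is not from the original post or from any tool it mentions: it locates the first H.264 start code followed by an SPS NAL unit, splits the file there, and hashes both the original and the carved stream for the case notes. It assumes the embedded stream is in Annex B byte-stream format; the function names and the sample bytes are constructed for illustration.

```python
import hashlib

NAL_SPS = 7  # sequence parameter set: a decoder needs it before any picture data


def find_h264_start(data: bytes) -> int:
    """Offset of the first Annex B start code followed by an SPS NAL, or -1."""
    pos = 0
    while True:
        pos = data.find(b"\x00\x00\x01", pos)
        if pos < 0 or pos + 3 >= len(data):
            return -1
        header = data[pos + 3]
        # forbidden_zero_bit (0x80) must be clear; low five bits are nal_unit_type
        if header & 0x80 == 0 and header & 0x1F == NAL_SPS:
            # keep the extra leading zero of a four-byte start code
            return pos - 1 if pos > 0 and data[pos - 1] == 0 else pos
        pos += 3  # decoy match inside the proprietary header, keep searching


def carve(data: bytes) -> dict:
    """Split a container into proprietary prefix and raw H.264 stream."""
    offset = find_h264_start(data)
    if offset < 0:
        raise ValueError("no H.264 SPS start code found")
    stream = data[offset:]
    return {
        "offset": offset,
        "prefix": data[:offset],  # retain the removed bytes, never discard them
        "stream": stream,
        "source_sha256": hashlib.sha256(data).hexdigest(),
        "stream_sha256": hashlib.sha256(stream).hexdigest(),
    }


# Constructed sample: 61 bytes of made-up header (including a decoy start code
# with an invalid NAL header byte) followed by a minimal SPS and PPS.
SAMPLE = (
    b"HDR" + b"\x00\x00\x01\xff" + b"\xaa" * 54
    + b"\x00\x00\x00\x01\x67\x42\x00\x1e"
    + b"\x00\x00\x00\x01\x68\xce\x38\x80"
)

if __name__ == "__main__":
    result = carve(SAMPLE)
    print("stream starts at byte", result["offset"])
    print("source sha256:", result["source_sha256"])
    print("stream sha256:", result["stream_sha256"])
```

Writing `result["stream"]` to a `.h264` file gives the same input as cutting the leading bytes by hand, with the offset and both hashes recorded.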
Now, after rewrapping – my .mp4 file decodes… here it is in Photoshop!
(Camera view pixelated)
This is all great, but it takes time, and sometimes a few attempts to get it right. With more and more files presenting these sorts of challenges, it’s a headache you and I could do without.
You may have noticed that over the past year, my posts on pulling files apart to get to the raw data have decreased. Well, there is a good reason for that – I often now don’t have to spend time figuring this shit out!!!!
Take a look at this article I wrote for eForensics magazine in 2014. I mentioned the software used in relation to the article, but there would have been a few other applications as well during the actual investigation.
So, how do I avoid having to figure out how to get a file playing, and then analyze it without the need to dive into my software suite every five minutes?
Above is the .sec file loaded into Amped FIVE. It has opened immediately with the DirectShow Video Engine as the software has detected two things:
- I have a file with H264 in it
- I have an H264 decoder within my PC
Scrubbing and analysis was tricky so I hit ‘Convert DVR’ and the rewrap is completed for me. From that point, I can get on with my work.
I still relish the challenges faced when analyzing proprietary video. As an analyst I still need those skills, and the knowledge of all the little software packages that have saved my skin over the years, but the time and effort saved by using software built for the job is incalculable.