Update to Samsung .sec files

Although this post was initially conceived to give a small update on the intricacies of Samsung .sec files, it also now highlights the changes and benefits of using software built for the job!

I first wrote about this format here:

https://spreadys.wordpress.com/2013/07/19/samsung-and-sec-files/

and then looked at a new version here:

https://spreadys.wordpress.com/2014/07/21/ifsec-samsung-exports/

Over the past few years I have received a number of Samsung .sec files from various DVRs, and in most cases there have been some challenges to correct data analysis.

The problems have ranged from old audio codecs being used that are no longer supported, to being unable to pull the H264 stream out of the .sec container. It’s this last one I’m going to look at here.

Now, the reason why I have decided to post this is because over the past few months I have seen a slow rise in the number of standard streams being stuck inside proprietary containers, and attempts to rip them out and rewrap are failing using the usual methods… yes, with our old friend FFmpeg!

This .sec file is such a good example of the problem…

As stated in the original posts, tucked away inside these .sec files is a raw H264 stream crying to get out. However, there is some proprietary data at the start of the file that causes a few glitches if you simply attempt a rewrap in FFmpeg. Actually, it’s one big glitch – It doesn’t work!

Image 001

It’s this bit of highlighted data, just prior to the first MPEG header. I can cut these 61 bytes to create a new file, or I can simply skip 61 bytes in FFmpeg prior to it starting to decode the file.
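The offset check described above, as an added example that is not part of the original post: instead of hard-coding 61, it scans for the first Annex B start code followed by an SPS NAL header byte and hashes both the source and the carved stream. The function names and the sample bytes are constructed for illustration and do not reproduce the real .sec header layout.

```python
import hashlib

START_CODE = b"\x00\x00\x01"  # Annex B start code; the 4-byte form has one more leading 00
NAL_SPS = 7                   # nal_unit_type 7 (SPS); header byte is usually 0x67


def find_h264_start(data: bytes, search_limit: int = 1 << 20) -> int:
    """Offset of the start code in front of the first SPS NAL unit, or -1."""
    window = data[:search_limit]
    pos = window.find(START_CODE)
    while pos != -1 and pos + 3 < len(window):
        nal_header = window[pos + 3]
        # forbidden_zero_bit (0x80) must be clear; low 5 bits are the NAL type.
        if (nal_header & 0x80) == 0 and (nal_header & 0x1F) == NAL_SPS:
            # Keep the extra zero of a 4-byte start code with the stream.
            return pos - 1 if pos > 0 and window[pos - 1] == 0 else pos
        pos = window.find(START_CODE, pos + 1)
    return -1


def carve(data: bytes) -> dict:
    """Split a container into proprietary header and raw stream, unmodified."""
    offset = find_h264_start(data)
    if offset < 0:
        raise ValueError("no SPS start code found; not a bare H.264 payload")
    return {
        "offset": offset,
        "header": data[:offset],
        "stream": data[offset:],
        "source_sha256": hashlib.sha256(data).hexdigest(),
        "stream_sha256": hashlib.sha256(data[offset:]).hexdigest(),
    }


# Constructed sample, not a real .sec header: 61 filler bytes containing a
# decoy 00 00 01 B3, then a 4-byte start code and an SPS header byte.
SAMPLE = (b"SEC-HDR" + b"\x00\x00\x01\xb3" + b"\xaa" * 50
          + b"\x00\x00\x00\x01\x67\x42\x00\x1e" + b"\x00\x00\x00\x01\x68\xce")

if __name__ == "__main__":
    result = carve(SAMPLE)
    print(f"stream starts at byte {result['offset']}")
    print(f"source sha256 {result['source_sha256']}")
```

Recording both hashes lets the carved stream be tied back to the untouched original export before any rewrap is attempted.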

Now, after rewrapping – my .mp4 file decodes…. here it is in Photoshop!

(Camera view pixelated) Image 002

This is all great, but it takes time, and sometimes a few attempts to get it right. With more and more files presenting these sorts of challenges, it’s a headache you and I could do without.

….You may have noticed that over the past year, my posts on pulling files apart to get to the raw data have decreased. Well there is a good reason for that – I often now don’t have to spend time figuring this shit out!!!!

Take a look at this article I wrote for eForensics magazine in 2014. I mentioned the software used in relation to the article, but there would have been a few other applications as well during the actual investigation.

Image 14

So, how do I avoid having to figure out how to get a file playing, and then analyze it without the need to dive into my software suite every five minutes?

Image 003

Above is the .sec file loaded into Amped FIVE. It has opened immediately with the DirectShow Video Engine as the software has detected two things:

  1. I have a file with H264 in it
  2. I have an H264 decoder within my PC

Scrubbing and analysis was tricky so I hit ‘Convert DVR’ and the rewrap is completed for me. From that point, I can get on with my work.

I still relish the challenges faced when analyzing proprietary video. As an analyst I still need those skills, and the knowledge of all the little software packages that have saved my skin over the years, but the time and effort saved by using software built for the job is incalculable.

3 comments on “Update to Samsung .sec files”

  1. Now that’s very interesting being able to detect/notice the “offset” in the bit stream where the actual raw data resides. This may sound naive, but how are you able to know where the raw h.264 starts? How do you know that’s the header? And how do you figure the 61 byte offset? To me it seems like magic (I’ve had to do some file system editing to recover a screwed up Bootcamp partition on a Mac).

    • Usually it’s the first 000001, and is then usually followed by 67. FFmpeg will often automatically skip certain unknown data at the start of the file but in this circumstance it gets in the way when stream copying. It can transcode though…. but we always need to attempt stream copy first as that doesn’t change anything.
