by z92 2028 days ago
Here's the summary of how he did it:

- Search and list all FLV files on the disk.

- Search for all FLV file signatures on raw disk.

- For each known file on the disk, compute md5 of the first 512 bytes.

- For each FLV file signature found on raw disk, exclude those that match any of the known files using those md5 values.

- That leads to only 5 files remaining.

- The original file was known to be 1.6 GB. Read 1.8 GB serially from raw disk starting from file signature and save those.

- One of these is your file.

That will work if your file isn't fragmented on the disk, I guess.
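The steps summarised in the post above, sketched as an added Python example (not code from the post or from the write-up it summarises). Sector-aligned matching, the function names and the small in-memory image are assumptions made for illustration; a real run would open a raw device or disk image read-only in binary mode.

```python
import hashlib
import io

FLV_MAGIC = b"FLV\x01"  # FLV header starts with "FLV" and version byte 1
SECTOR = 512            # assumption: file starts are 512-byte sector aligned


def head_md5(data):
    """MD5 of the first 512 bytes: the fingerprint used to rule out known files."""
    return hashlib.md5(data[:SECTOR]).hexdigest()


def find_signatures(image, chunk_sectors=2048):
    """Return sector-aligned offsets in a raw image that begin with the FLV magic."""
    hits, base = [], 0
    image.seek(0)
    while chunk := image.read(SECTOR * chunk_sectors):
        hits += [base + i for i in range(0, len(chunk), SECTOR)
                 if chunk.startswith(FLV_MAGIC, i)]
        base += len(chunk)
    return hits


def unknown_offsets(image, known_heads):
    """Drop hits whose first sector hashes to a file the filesystem still lists."""
    keep = []
    for off in find_signatures(image):
        image.seek(off)
        if head_md5(image.read(SECTOR)) not in known_heads:
            keep.append(off)
    return keep


def carve(image, offset, length, out, bufsize=1 << 20):
    """Copy `length` bytes serially from `offset`; only valid if unfragmented."""
    image.seek(offset)
    copied = 0
    while copied < length and (buf := image.read(min(bufsize, length - copied))):
        out.write(buf)
        copied += len(buf)
    return copied


def build_sample_image():
    """Constructed 16-sector image: one listed FLV at sector 2, one deleted at 8."""
    live = FLV_MAGIC + b"\x05\x00\x00\x00\x09" + b"L" * 1015    # 2 sectors
    lost = FLV_MAGIC + b"\x05\x00\x00\x00\x09" + b"D" * 1527    # 3 sectors
    disk = bytearray(16 * SECTOR)
    disk[2 * SECTOR:2 * SECTOR + len(live)] = live
    disk[8 * SECTOR:8 * SECTOR + len(lost)] = lost
    return io.BytesIO(bytes(disk)), {head_md5(live)}, lost
```

Carving more than the known file size, as the post does with 1.8 GB for a 1.6 GB file, just leaves trailing bytes from whatever follows on disk; the carved data is only the original file if its sectors were contiguous.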

1 comments

If anyone would like to read more, this technique is called "file carving".

> That will work if your file isn't fragmented on the disk, I guess.

Even 15 years ago, when I was doing digital forensics, it was actually pretty uncommon to have to deal with fragmentation. After about 2000, filesystem allocation implementations started avoiding it like the plague.

It is hard to avoid it when streaming a video of unknown length to disk though.

And as soon as you start to fill up your volume, fragmentation will spread quickly.