Chip allocation display
The chip allocation display is a forensic options feature to show where videos and sections of videos are stored on the memory chip.
The purpose of this function is to see where each element of the video files are stored. By clicking on the relevant button you can see for instance all 'ftyp' clsuters, 'mdat' clusters and also if a cluster is for low or high resolution video.
Each type of data is selected by a check box, and it displays it's distribution with a different colour as indicated on the check box. Any combination can be selected.
There is also a very useful function for duplicated clusters. A duplicated cluster is one where the CRC-32 value is identical. It is unusal to have more than a few duplicates. Where there can be high values is when the memory chip is a fake. The other time can be when video files have been copied, or written back to the memory chip.
Another very useful value is the 'Used'. This shows how many clusters have been used on files that have verified as OK.
The High and Low resolution markers show where data is, and the basic vidoe atoms, ftyp, moov, and mdat can all be seen
What is this test used for?
The has several good reasons and will help isolate any issues when files cannot be recovered. The duplicate sector will show when the same cluster occurs more than once in tye same area of the disk. This should never happen by default but is very common if files have been copied back to the memory chip.
The 'used' cyan marker shows where data has been found and successfully recovered. If this has many gaps it means that areas of the chip may have been corrupted. Ideally the Used should overlay any low or high resolution area.
Examples if allocation display and their meanings
This shows a partially recovered chip. The area of cyan are the files that have been recovered. The red, blue and brown markers show where other possible files are located. This was viewed near the start of stage 4, so only low resolution files were recovered, hence the gaps
The above image shows the fully recoverd chip. It indicates that much has been recovered, but there are areas of unrecovered high res data. These might be partial files that have had areas overwritten in different sessions
This shows an interesting memory chip. The user, unfortunately copied files from an unsuccessful recovery of non CnW software, back onto the memory chip. This meant that most sectors were overwritten with incorrect files. The black shows duplicate sectors, and the cyan the correctly recovered files, many actually had between 5 and 30 fragments. Not the best starting point, but quite a good result
This image is the same memory chip as above but with the forensic option of processing fragments enabled, the result shows more files being recovered. On going development will try and improve this success ratio.
The purpose of this function is to see where each element of the video files are stored. By clicking on the relevant button you can see for instance all 'ftyp' clsuters, 'mdat' clusters and also if a cluster is for low or high resolution video.
Each type of data is selected by a check box, and it displays it's distribution with a different colour as indicated on the check box. Any combination can be selected.
There is also a very useful function for duplicated clusters. A duplicated cluster is one where the CRC-32 value is identical. It is unusal to have more than a few duplicates. Where there can be high values is when the memory chip is a fake. The other time can be when video files have been copied, or written back to the memory chip.
Another very useful value is the 'Used'. This shows how many clusters have been used on files that have verified as OK.
The High and Low resolution markers show where data is, and the basic vidoe atoms, ftyp, moov, and mdat can all be seen
What is this test used for?
The has several good reasons and will help isolate any issues when files cannot be recovered. The duplicate sector will show when the same cluster occurs more than once in tye same area of the disk. This should never happen by default but is very common if files have been copied back to the memory chip.
The 'used' cyan marker shows where data has been found and successfully recovered. If this has many gaps it means that areas of the chip may have been corrupted. Ideally the Used should overlay any low or high resolution area.
Examples if allocation display and their meanings
This shows a partially recovered chip. The area of cyan are the files that have been recovered. The red, blue and brown markers show where other possible files are located. This was viewed near the start of stage 4, so only low resolution files were recovered, hence the gaps
The above image shows the fully recoverd chip. It indicates that much has been recovered, but there are areas of unrecovered high res data. These might be partial files that have had areas overwritten in different sessions
This shows an interesting memory chip. The user, unfortunately copied files from an unsuccessful recovery of non CnW software, back onto the memory chip. This meant that most sectors were overwritten with incorrect files. The black shows duplicate sectors, and the cyan the correctly recovered files, many actually had between 5 and 30 fragments. Not the best starting point, but quite a good result
This image is the same memory chip as above but with the forensic option of processing fragments enabled, the result shows more files being recovered. On going development will try and improve this success ratio.