Obtaining an MMS video stream for analysis

A friend of mine sent me an e-mail which contained a file called “Technology.wvx”. The file was 328 bytes in size. Selecting the file played a video mash-up which was obviously larger than 328 bytes. I was also curious as to what a “.wvx” file was.

Looking at the file showed it to be an XML-format file with a reference to a separate URL:

mms://a215.v47369f.c47369.g.vm.akamaistream.net/7/215/47369/v0001/sonybmgsftp.download.akamai.com/34732/promommxnonflash/GMM_Rome_DidYouKnow_300.wmv


MPlayer is a very powerful and robust movie player. Besides supporting a multitude of file formats (MPEG, VOB, AVI, ASF and WMV, to list a few), it is often able to play damaged files. Although I primarily use *nix as my operating system, MPlayer is available for Windows, Mac, and other operating systems, making this process available on those platforms as well. The MPlayer source code is also available for those wishing to compile it.

MPlayer has many features which are beyond the scope of this post, but one nice feature is the ability to read in a raw stream and write it to a file. The two parameters we used to tell MPlayer to read the stream and write the file to disk were:

- -dumpstream: dumps the raw stream without making any conversions or changes to it. In our case the stream is the URL from the ‘Technology.wvx’ file above.

- -dumpfile: the filename to dump the stream to. I chose ‘s.wmv’ for this example.

The full command used was:
mplayer -dumpstream "mms://a215.v47369f.c47369.g.vm.akamaistream.net/7/215/47369/v0001/sonybmgsftp.download.akamai.com/34732/promommxnonflash/GMM_Rome_DidYouKnow_300.wmv" -dumpfile s.wmv

MPlayer will output a bunch of messages. This version printed several error messages during the process, but these did not affect the final video file. The result was a local file called ‘s.wmv’, which played back the sound and audio nicely in a video player.

The ability to save streaming media is necessary and has many valid uses. Being able to play it when the Internet is not available is one simple example. A better example is investigations. From an investigative point of view, you want to be able to save the actual data for evidence purposes. Investigations can take time, and often you have no control over the server that streamed the data. The video stream could be removed, or the server or URI could suddenly change. If you properly document your activities, adding time stamp information, trace files, log captures, appropriate hashes and the procedure used to obtain and verify the video stream, the evidence can be provided to interested parties with reasonable assurance that it is accurate.
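One way to script the documentation step described above, as an added example that is not part of the original post: it wraps the same mplayer command, keeps mplayer's output as a log, and writes a record with UTC start and end times, file size and SHA-256 hash. The function names and the ‘.record’ and ‘.mplayer.log’ file names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: document a stream capture (function and file names are assumptions).

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# capture_stream URL OUTFILE LOGFILE: dump the raw stream, keep mplayer's output.
capture_stream() {
    mplayer -dumpstream "$1" -dumpfile "$2" >"$3" 2>&1
    [ -s "$2" ]   # treat an empty or missing dump as a failed capture
}

# write_record URL FILE RECORD START_UTC END_UTC: source, times, size and hash.
write_record() {
    {
        echo "source_url=$1"
        echo "file=$2"
        echo "start_utc=$4"
        echo "end_utc=$5"
        echo "size_bytes=$(wc -c <"$2" | tr -d ' ')"
        echo "sha256=$(sha256_of "$2")"
    } >"$3"
}

# verify_record RECORD: succeed only if the file still matches the recorded hash.
verify_record() {
    f=$(sed -n 's/^file=//p' "$1")
    want=$(sed -n 's/^sha256=//p' "$1")
    [ -f "$f" ] && [ "$(sha256_of "$f")" = "$want" ]
}

# acquire URL OUTFILE: capture, then write OUTFILE.record and lock the files.
acquire() {
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    capture_stream "$1" "$2" "$2.mplayer.log" || return 1
    end=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    write_record "$1" "$2" "$2.record" "$start" "$end"
    chmod a-w "$2" "$2.record" "$2.mplayer.log"
}

# Runs only when called as: sh acquire.sh URL OUTFILE
if [ "$#" -eq 2 ]; then acquire "$1" "$2"; fi
```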

In the future, as content on the Internet goes from a ‘download and play’ scenario to a ‘video streaming on demand’ scenario, forensically finding evidence on a target device will become more difficult, simply because the data isn’t stored on the device. There may be evidence of it in cache, swap files and the like, but these can be overwritten quickly, and software is getting smarter. Most browsers and players have the option not to cache if told to do so. Smart people create a ‘secure cache or swap area’: the caches and swap files are configured to write to encrypted disks or partitions using file formats that do not have ‘journalling’, and these are then wiped prior to shutdown. Smarter people boot from a read-only USB key and create a ‘secure cache’. Using the technique above, combined with proper documentation of the process, allows reasonable proof that the file you have captured is what the target was viewing.

  • Anonymous

    Ironic, I just saw this and wanted to do the same thing. Thanks for the post.

  • Nic

    Hi,
    I just got the same file and I really want to use that in a presentation to my colleagues.
    I have no idea about computers. Do you know where I can download that video so that I can save it?

    Your help will be much appreciated.
    cheers
    nic