In this article, we will review a special case of video files: files with multiple video streams. What does this mean and why is it important in the course of a digital forensic (and, perhaps, incident response) case?
Most video file formats are built around a container:
"The container file is used to identify and interleave different data types. Simpler container formats can contain different types of audio formats, while more advanced container formats can support multiple audio and video streams, subtitles, chapter information, and meta-data (tags)—along with the synchronization information needed to play back the various streams together." (from Wikipedia)
The description above introduces the notion of a 'stream' that contains homogeneous data, for example, an audio stream (a chunk of data containing audio only) or a video stream (video data only).
A typical video contains a single video stream for visuals and one or multiple audio streams for various sounds. It is quite common to have more than one audio stream: a primary one can be original sound (e.g. English voice acting) while a secondary one could be translations (e.g. Spanish). However, there are very few cases when multiple video streams are justified (the only ones we are aware of are DVRs which record video in different quality as separate streams into the same video file).
In a digital forensic case, multiple video streams in the same video file may indicate that CSAM is being hidden. That's why it is vital to have a quick way to distinguish and analyze such files.
How do non-forensic tools perform?
One of the facets of this issue is that it is very easy to miss video files with multiple video streams. When you look at the file in Windows Explorer, it will show you a thumbnail from the primary (typically, licit) video sequence.
You can try watching all the videos—though this is a very inefficient way to do the investigation nowadays, when a regular user may have terabytes of media files kept locally. However, when you open this kind of video in a standard player, it will show you the primary video stream and play the primary audio stream by default. You will not even be warned that anything else exists inside, no hint, no indication!
Moreover, even many specialized digital forensic tools will not give you this kind of indication. What you can do is manually open the corresponding menu, check whether there is another video stream, and switch to it if there is. This will take a lot of time, however, and requires you to be aware of the trick.
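One way to flag such files without a player, as an added example (not from the original article and not Belkasoft's code): Python that walks the box structure of an MP4/MOV (ISO base media) file and counts the tracks whose handler type is `vide`. The function names and the sample bytes are constructed for illustration; other containers such as Matroska or AVI need their own parsers.

```python
import struct

# Pure container boxes on the path moov -> trak -> mdia -> hdlr.
CONTAINERS = {b"moov", b"trak", b"mdia"}

def iter_boxes(buf, start, end):
    """Yield (type, payload_start, payload_end) for each box in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1 and pos + 16 <= end:   # 64-bit largesize follows the type
            size, header = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:                     # box runs to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            return                          # truncated or corrupt: stop here
        yield btype, pos + header, pos + size
        pos += size

def track_handlers(buf, start=0, end=None, parent=None):
    """Handler type (b'vide', b'soun', ...) of each track, in file order."""
    end = len(buf) if end is None else end
    found = []
    for btype, p0, p1 in iter_boxes(buf, start, end):
        if btype == b"hdlr" and parent == b"mdia" and p1 - p0 >= 12:
            # FullBox payload: version/flags (4), pre_defined (4), handler_type (4)
            found.append(buf[p0 + 8:p0 + 12])
        elif btype in CONTAINERS:
            found.extend(track_handlers(buf, p0, p1, btype))
    return found

def has_multiple_video_streams(buf):
    return track_handlers(buf).count(b"vide") > 1

# --- Constructed sample (not a real video): video, audio, video tracks ---
def box(btype, payload=b""):
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

def trak(handler):
    hdlr = box(b"hdlr", bytes(8) + handler + bytes(12) + b"\x00")
    return box(b"trak", box(b"mdia", hdlr))

SAMPLE = box(b"ftyp", b"isom" + bytes(4)) + box(
    b"moov", trak(b"vide") + trak(b"soun") + trak(b"vide"))

if __name__ == "__main__":
    print(track_handlers(SAMPLE), has_multiple_video_streams(SAMPLE))
```

A hit is a triage flag, not a verdict: the DVR case mentioned above also produces more than one `vide` track. For large evidence files, seek past the `mdat` box instead of loading the whole file into memory.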
Locating files of interest with Belkasoft X
Belkasoft Evidence Center X (or, for short, Belkasoft X) is a new DFIR product by Belkasoft, capable of analyzing mobile and computer devices, cloud data and memory dumps. One of the features of the product is a search for video files with multiple video streams.
Create or open a Belkasoft X case and add a data source. You can add a computer forensic image (such as E01/Ex01, L01/Lx01 and so on), a mobile forensic image (such as UFD, GrayKey ZIP and so on) or just a folder from your forensic machine.
Figure 1. Adding an image
On the Select advanced options screen, check the Video option and start the search.
Figure 2. Video formats selection
The product finds some existing videos and carves some deleted ones. How do you quickly distinguish files of interest?
Figure 3. Gallery view of videos found
In the Gallery view, right-click and select Add or remove filters. In the Grid view, click on any filter icon. The Add a filter window opens. Inside, expand the Video streams criterion and check the Show only videos with multiple video streams checkbox.
Figure 4. Video streams filter
You are not going to see too many items typically. In our test case there are just two out of 147 videos:
Figure 5. Videos after filtering
If you switch to Grid view, you will indeed find out that both videos have two video streams.
Figure 6. Two video files are shown in the Grid view
In Belkasoft, you can play them using the built-in Media player; another option is to open the file in the video player set as default in your system. One of the test videos, when opened, appears to be a Belkasoft commercial. Nothing too interesting, unless you are a curious customer (kidding: this particular one is a very nice video of the evolution of Belkasoft interfaces, showing how thoughtful the new product usability becomes).
Figure 7. Built-in Media player
However, if you switch to the second video stream (click on the yellow triangle and select Video stream 2):
Figure 8. Choosing a video stream in the Media player
Something completely different is displayed: some penguins, filmed by the Belkasoft CEO during his Antarctic trip last year:
Figure 9. Penguins hidden in a second stream
The sound remains the same, but you can also switch it to the second audio stream to hear wind gusts and penguins screaming.
As you have seen for yourself, the visual part can be completely different between streams and it is not easy to determine without automation.
Analyzing video streams with Belkasoft X
Now that you have a number of candidate bad guys among your videos, what can you do to find out if they are illicit? Thanks to the filter, you have the much easier option of watching only the videos that match it, but imagine that in your case there are still hundreds of videos, each two hours long.
Belkasoft can help you further with the analysis.
Keyframe extraction
First, you can extract keyframes for every video of interest. A keyframe is a frame (that is, a still image from a video) that significantly differs from the previous keyframe. Extracting keyframes has a huge benefit over extracting a frame each second or so: if nothing changes in the scene, no frame is extracted, however long that lasts. Imagine a CCTV camera in a location with little activity. It shows the same picture throughout the day, and with the "extract-each-second" approach you will get thousands of almost identical images, while the keyframe approach will give you a few frames only when someone enters the scene.
Figure 10. Extract keyframes option in Belkasoft X
For example, for our short test penguins video, there are just two keyframes extracted, since there was not much action at the time of shooting. However, that is configurable: you can specify in the Belkasoft X options how much two frames must differ in order to produce a new keyframe.
Figure 11. Keyframes extracted from each stream
Having keyframes from a video allows you to glance over the video contents without spending hours watching it—and you are not going to miss a bit, since all major changes of scene will result in a separate picture.
In our case, keyframes from the first video stream come first, and there is a hint for you: each frame has the prefix 'stm_00', meaning that it was extracted from the first video stream. After that come the keyframes from the second video stream, with the prefix 'stm_02' (as you may guess, stream number 1 is audio).
Now, you can scroll down the keyframe set for each video of interest and glance over secondary keyframes. Are they looking good or not?
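The keyframe definition given above (a frame that differs significantly from the previous keyframe, with a configurable threshold), as an added Python example that is not from the original article and is not Belkasoft's algorithm. The difference metric (mean absolute pixel difference), the function names and the CCTV-style frames are assumptions constructed for illustration.

```python
def mean_abs_diff(a, b):
    """Mean absolute per-pixel difference of two equal-sized grayscale frames."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)

def select_keyframes(frames, threshold):
    """Indices of frames that differ from the last kept keyframe by more than threshold."""
    kept, last = [], None
    for i, frame in enumerate(frames):
        if last is None or mean_abs_diff(frame, last) > threshold:
            kept.append(i)
            last = frame          # later frames are compared against this keyframe
    return kept

def sample_every(frames, step=1):
    """Baseline: one frame every `step` frames, regardless of content."""
    return list(range(0, len(frames), step))

def make_cctv(n=1000, enter=600, leave=650):
    """Constructed footage at 1 frame/s: a static 16-pixel scene with slight
    flicker, and a bright object present in frames enter..leave-1."""
    frames = []
    for i in range(n):
        frame = [100 + (i % 3)] * 16
        if enter <= i < leave:
            frame[4:8] = [220] * 4
        frames.append(frame)
    return frames

if __name__ == "__main__":
    footage = make_cctv()
    print(len(sample_every(footage)))         # fixed-interval baseline
    print(select_keyframes(footage, 10))      # threshold above the flicker
    print(len(select_keyframes(footage, 1)))  # threshold inside the flicker
```

With the threshold above the flicker level, only the first frame and the frames where the object enters and leaves are kept; set it inside the flicker range and most of the static footage comes back as "keyframes", which is why the setting matters.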
Even more: automatic keyframe analysis
Again, there could be too many keyframes from too many videos, so that manual review is still inefficient. If so, you can select videos of interest and, in the context menu, select Analyze checked items. Inside this menu, opt for various classifications, such as pornography or face detection. The results will be placed under Overview -> Pictures -> Pornography or Overview -> Pictures -> Faces (there are more classes to look for: Skin, Guns, Texts).
Figure 12. Picture analysis options
This way, you can quickly find illicit videos that someone tried to hide with the secondary video stream trick, and you can do that even without watching a second of the video, which will save hours if not days of your time.
Conclusion
Video files may contain a number of streams, but typically have one video stream only. Having multiple video streams in the same file is quite suspicious. In order to quickly locate such files among the thousands of videos kept on a device, you can use the built-in Belkasoft X filter or sort by the Video streams column. You can further speed up your work by extracting keyframes with Belkasoft X, even for secondary video streams, and follow up with the automatic picture classification for CSAM, skin, faces, or guns that is built into the Belkasoft digital forensics and incident response product.