In this article, we will review a special case of video files: files with multiple video streams. What does this mean and why is it important in course of a digital forensic (and, perhaps, incident response) case?
Most of video file formats comprise a container:
"The container file is used to identify and interleave different data types. Simpler container formats can contain different types of audio formats, while more advanced container formats can support multiple audio and video streams, subtitles, chapter-information, and meta-data (tags)—along with the synchronization information needed to play back the various streams together." (from Wikipedia)
In the description above, you can find a notion of a 'stream' which contain homogenous data, for example, an audio stream (chunk of data containing audio only) or a video stream (video data only).
A typical video contains single video stream for visuals and one or multiple audio streams for various sounds. It is quite common to have more than one audio stream: a primary one can be original sound (e.g. English voice acting) while secondary could be translations (e.g. Spanish). However, there are very few cases when multiple video streams are justified (the only one we are aware of are DVRs which record video in different quality as separate streams into the same video file).
In a digital forensic case, multiple video streams in the same video file may mean a situation when a CSAM content is hidden. That's why it is vital to have a quick way to distinguish and analyze such files.
How do non-forensic tools perform?
One of the facets of this issue is that it is very easy to miss video files with multiple video streams. When you look at the file in Windows Explorer, it will show you a thumbnail from the primary (typically, licit) video sequence.
You can try watching all the videos—though this is a very inefficient way to do the investigation nowadays, when a regular user may have terabytes of media files kept locally. However, when you open this kind of videos in a standard player, it will show you the primary video stream and play primary audio stream by default. You will not even be warned that anything else exists inside, no hint, no indication!
Moreover, even many specialized digital forensic tools will not give you this kind of indication. What you can do, is manually go to a corresponding menu and see, if there is any other video stream and switch to it, if any. This will take a lot of time, however, and requires you to be aware of the trick.
Locating files of interest with Belkasoft X
Belkasoft Evidence Center X (or, for short, Belkasoft X) is a new DFIR product by Belkasoft, capable to analyze mobile and computer devices, cloud data and memory dumps. One of the features of the product is search for video files with multiple video streams.
Create or open Belkasoft X case and add a data source. You can add a computer forensic image (such as E01/Ex01, L01/Lx01 and so on), mobile forensic image (such as UFD, GrayKey ZIP and so on) or just a folder from your forensic machine.
Figure 1. Adding an image
On the Select advanced options screen check Video option and start the search.
Figure 2. Video formats selection
The product finds some existing videos and carves some deleted ones. How to quickly distinguish files of interest?
Figure 3. Gallery view of videos found
In the Gallery view, right click and select Add or remove filters. In the Grid view, click on any filter icon. The Add a filter window opens. Inside, expand Video streams criterion and check Show only videos with multiple video streams checkbox.
Figure 4. Video streams filter
You are not going to see too many items typically. In our test case there are just two out of 147 videos:
Figure 5. Videos after filtering
If you switch to Grid view, you will indeed find out that both videos have two video streams.
Figure 6. Two video files shown in Grid view
In Belkasoft, you can play them using built-in Media player, another option would be to open the file in a video player set as default in your system. One of the test videos, being open, appears to be a Belkasoft commercial. Nothing too interesting, unless you are a curious customer (kidding: this particular one is a very nice video of evolution of Belkasoft interfaces, showing how thoughtful the new product usability becomes).
Figure 7. Built-in Media player
However, if you switch to the second video stream (click on yellow triangle and select Video stream 2):
Figure 8. Choosing video stream in Media player
Something completely different is displayed: some penguins, filmed by Belkasoft CEO during his Antarctic trip last year:
Figure 9. Penguins hidden in a second stream
The sound keeps the same, but you can also switch it to the second audio stream to hear wind gusts and penguins screaming.
As you have seen for yourself, the visual part can be completely different between streams and it is not easy to determine without an automation.
Analyzing video streams with Belkasoft X
Now, when you have a number of candidate bad guys among your videos, what you can do to find out if they are illicit? Thanks to the filter, you have a much easier option to watch only videos that matched the filter, but imagine that in your case there are still hundreds of videos of two hour duration each?
Belkasoft can help you further with the analysis.
Keyframe extraction
First, you can extract keyframes for every video of interest. A keyframe is a frame (that is, a still image from video) which significantly differs from a previous keyframe. Extracting keyframe has a huge benefit over extracting frame each second or so: if nothing is changing on the scene, frame would not be extracted for any amount of time. Imagine a CCTV camera in a non-vivid location. It will show all the same picture through the day and using the "extract-each-second" approach, you will get thousands of almost identical images, while keyframe approach will give you a few frames only, when someone enters the scene.
Figure 10. Extract keyframes option in Belkasoft X
For example, for our short test penguins video there are just two keyframes extracted since there were not much action at the time of shooting, however, that's configurable—you can specify in Belkasoft X options how much two frames must differ in order to produce a new keyframe.
Figure 11. Keyframes extracted from each stream
Having keyframes from a video allows you to glance over the video contents without spending hours watching it—and you are not going to miss a bit, since all major changes of scene will result in a separate picture.
In our case, keyframes from the first video stream go first, and there is a hint for you: each frame has a prefix 'stm_00' meaning that it is extracted from the first video stream. After that, keyframes from the second video stream go, and their prefix is 'stm_02' (as you may guess, stream number 1 goes for audio).
Now, you can scroll down keyframe set for each video of interest and glance over secondary keyframes. Are they looking good or not?
Even more: automatic keyframe analysis
Again, there could be too many keyframes from too many videos, keeping manual review still inefficient. If so, you can select videos of interest and in the context menu, select Analyze checked items. Inside this menu, opt for various classifications, such as pornography or face detection. The results will be placed under Overview -> Pictures -> Pornography or Overview -> Pictures -> Faces (there are more classes to look for: Skin, Guns, Texts).
Figure 12. Picture analysis options
This way, you can quickly find illicit videos which someone tried to hide with the secondary video stream trick, and you can do that even without watching a second of video, what will save hours if not days of your time.
Conclusion
Video files may contain a number of streams, but typically have one video stream only. Having multiple video streams in the same file is quite suspicious. In order to quickly locate such files out of thousands of videos, kept on a device, you can use built-in Belkasoft X filter or sort by Video streams column. You can further speed up your work by extracting keyframes with Belkasoft X even for secondary video streams and follow by automatic picture classification for CSAM, skin, faces or guns, built in Belkasoft digital forensics and incident response product.