In this issue, data recovery experts from the Key Laboratory of Sichuan Province explain their research on technologies of cellphone audio file data extraction.
Direct access to cellphone audio files, including calls and other cellphone recordings, and voice messages through apps like WeChat or QQ, might play a decisive role in solving cases during investigation. Yet direct access to these data is rarely possible because of the various file types with complicated storage principles and forensics counter measures that are used by some suspects to destroy evidences, such as deleting data, resetting and formatting cellphones, and damaging cellphone hardware. Currently there is no tool available on the market that is specifically targeting the detection, identification, extraction and recovery of cellphone audio files and the research on relevant technologies bears great importance.
Audio message bars will disappear but contents will still be stored in cellphones
II Technical Solutions
Several data recovery tools that provide audio file recovery services are available on the market and can help to recover files in formats like texts, images, videos and audios. Yet their application is limited and affected by the brand, model, storage principles used, causes of losing of cellphones and successfully recovery of audio files is not guaranteed. Moreover, other problems such as ‘display of QQ or WeChat audio messages not supported’ might also come up during the process, which implies that conventional tools can assist in retrieving audio files to a certain extent but could not work as primary tools.
According to data recovery experts from the Key Laboratory of Sichuan Province, a new technological solution has been found that addresses the problem from the bottom layer of data. This solution can realize high-speed, on-site forensics by effective data searching and SILK audio file decoding displaying (which supports display of QQ and Wechat audio messages) irrespective of cellphone brands, forensics counter measures or audio format.
2.1 Technology difficulties: Calculating audio frame size and identifying valid audios
Analysis of audio frame structure and calculation of audio frame size are the keys to determine the following: whether the audio data is valid (whether it is damaged or overwritten), whether it could be recovered, and whether it is worth the efforts. Different audio formats and frame structures mean different calculation methods for audio frame size, with determining audio type as the prerequisite.
AMR, SILK, MIDI, MP3, AAC, WAV, W4A, WMA and OGG are the commonly-used cellphone audio file formats, among which AMR and SILK are the most often used ones. SILK format files come from the instant messaging software Skype and audio files formulated in chatting apps like QQ and WeChat. AMR format files cover audio files recorded during phone calls and other cellphone recording functions and can be divided into two types, AMR-NB (AMR-NarrowBind) and AMR-WB (AMR-WideBand).
2.1.1 Structure of SILK audio files
Text “#!SILK_V3” that can be found in audio files represents a SILK audio file.
Structure of a SILK audio file with the highlighted part as file header
2.1.2 Structure of AMR audio files
Text “#!AMR” that can be found in audio files represents an ARM audio file.
Structure of an AMR audio file with the highlighted part as file header
Conduct data extraction in accordance with audio frame structures of the upper-mentioned formats and the extracted files can be played through audio players.
2.2 Technology difficulties: Decoding playing of audio messages from QQ and WeChat
With the first technology difficulty solved and detection and identification of valid audio data frames have been successfully done, data extraction and recovery are the next step. The hardest part for audio file data recovery through conventional tools is the proper playing of extracted files.
AMR, SILK, MIDI, MP3, AAC, WAV, W4A, WMA and OGG are the commonly-used cellphone audio file formats, as explained before, and cellphone with different brands, versions and operating systems are saving audio files in different formats. For example, WeChat and QQ adopted SILK format to save audio files at a certain point of their development. Audio files in other formats can be played by any third-party tool, Core Player, QQ Music, Baidu Music, Kuwo Music for example, but SILK files need to be decoded before being played.
On the basis of SDK provided by Skype Official, the technical solution to this problem is a SILK encoding and decoding algorithm that can decode SILK audio files into files in WAV or AMR formats. Those decoded files can be played through Windows Media Player on a phone or a computer, which means investigators can extract and play deleted QQ or WeChat audio messages on-site and enhance the efficiency of evidence collection.
Compared with conventional data recovery methods, the technical solution presented in this issue has the following advantages: locate audio files in cellphones quickly and accurately; determine the format of audio files; decode audio file structure based on its format; and transcode the file into formats that can be played on a phone or computer. These advantages can help forensics gain access to audio electronic evidences with higher efficiency.
Data recovery experts from the Key Laboratory of Sichuan Province have already developed an algorithm (audio_dec_krnl) to solve the problem that technicians are most concerned about: how to detect and identify the integrity of audio files. This algorithm can identify valid audio files from the rest and determine whether a recovered audio file from image documents can be played properly.
XLY Salvationdata Technology INC. is China’s leading integrated solutions provider of digital forensics, data recovery, data security and E-discovery. As a pioneer of the industry, SalvationDATA is always committed to providing innovation platform with proprietary technologies for Law Enforcement Agencies, Government, Military Intelligence Agencies, Digital Forensics Laboratories and Corporations, etc. SalvationDATA’s professional engineers and forensic experts are dedicated to providing outstanding service to more than 9,000 customers from over 130 countries around the world.
Click HERE to learn more about SPF.