AVI Audio Video Interleaved File Signature Format Specification & Recovery Example

Audio Video Interleaved (AVI) Signature Format & AVI Recovery Example

Audio Video Interleaved (AVI) is a multimedia container format introduced by Microsoft as part of its Video for Windows software. AVI files can contain both audio and video data in a file container that allows synchronous audio-with-video playback. AVI is a derivative of the Resource Interchange File Format (RIFF), which divides a file's data into "chunks". Each "chunk" is identified by a tag. An AVI file takes the form of a single chunk in a RIFF formatted file, which is then subdivided into two mandatory "chunks" and one optional "chunk". The first sub-chunk is identified by the "hdrl" tag. This sub-chunk is the file header and contains metadata about the video, such as its width, height and frame rate. The second sub-chunk is identified by the "movi" tag. This chunk contains the actual audio/visual data that make up the AVI movie. The third optional ORANGE sub-chunk is identified by the "idx1" tag which indexes the offsets of the data chunks within the file.

Any RIFF container, including AVI audio-video information must have a signature (tag) RIFF (hex: 52 49 46 46) at the beginning of the file.

RIFF files are organized into data segments (chunks). Each segment is prefixed with an 12 byte header: 4 byte signature (RIFF), 4 byte data size (little-endian order, low byte first) and 4 byte RIFF Type: signature AVI[space]. Chunk size is data size plus 8 bytes. Summarizing size for all found chunks, we calculate total file size.

Let's examine the sample

When inspecting a sample.avi file's data using any Hex Viewer, like Active@ Disk Editor, which is included in Active@ File Recovery package, we can see it starts with a signature RIFF (hex: 52, 49, 46, 46). At offset 8 there is a signature of Audio Video Interleave RIFF Type AVI[space] (hex: 41, 56, 49, 20). At offset 4 there is a data size: 31,442 (hex: D2, 7A, 00, 00) in little-endian order (low byte first). Adding header length to the data size, we calculate a total AVI file size: 31,442 + 8 = 31,450 bytes. Actual file size is 31,744 bytes, however starting from offset 31,450 in file there are just zeros, which means that file size just increased to be aligned at border of 1kb (multiple of 1,024 bytes).

AVI file - signature inspection

More info:

RIFF Files Header:

struct RIFF_Header
	uint32   SignatureRIFF;		// Signature: "RIFF"
	uint32   SizeRIFF;		// 4 byte file size, little-endian order
	uint32   SignatureTYPE;		// RIFF Subtype: "AVI ", "CDXA", "WAVE", "CDR*", ...

Audio Video Interleave File Format

Active@ File Recovery Custom Scripting Example

This example just determins avi start signature and calculates file size based on the size specified in RIFF header. Some additional validation included.
Syntax of the signature definition language you can read here.



		size = read(dword, 4)
		size = sum(size, 8)
		temp = read(dword, size)
		if (temp != "JUNK") goto label
		size = sum(size, 4)
		temp = read(dword, size)
		size = sum(size, 4)
		size = sum(size, temp)
		goto next
		temp = and(temp, 00FFFFFFh)
		if (temp != "TAG") goto exit
		size = sum(size, 128)
		goto next