Audio Video Interleaved (AVI) is a multimedia container format introduced by Microsoft as part of its Video for Windows software.
AVI files can contain both audio and video data in a file container that allows synchronous audio-with-video playback. AVI is a derivative of the Resource Interchange File Format (RIFF), which divides a file's data into "chunks". Each "chunk" is identified by a tag. An AVI file takes the form of a single chunk in a RIFF formatted file, which is then subdivided into two mandatory "chunks" and one optional "chunk". The first sub-chunk is identified by the "hdrl" tag.
This sub-chunk is the file header and contains metadata about the video, such as its width, height and frame rate. The second sub-chunk is identified by the "movi" tag. This chunk contains the actual audio/visual data that make up the AVI movie.
The third, optional sub-chunk is identified by the "idx1" tag, which indexes the offsets of the data chunks within the file.
Any RIFF container, including AVI audio-video information, must have the signature (tag) RIFF (hex: 52 49 46 46) at the beginning of the file.
RIFF files are organized into data segments (chunks). Each segment is prefixed with a 12-byte header: a 4-byte signature (RIFF), a 4-byte data size (little-endian order, low byte first) and a 4-byte RIFF Type, here the signature AVI[space]. Chunk size is data size plus 8 bytes. Summing the sizes of all found chunks gives the total file size.
Let's examine the sample
When inspecting a sample.avi file's data using any Hex Viewer, like Active@ Disk Editor, which is included in Active@ File Recovery package, we can see it starts with a signature RIFF (hex: 52, 49, 46, 46). At offset 8 there is a signature of Audio Video Interleave RIFF Type AVI[space] (hex: 41, 56, 49, 20).
At offset 4 there is a data size: 31,442 (hex: D2, 7A, 00, 00) in little-endian order (low byte first). Adding the header length to the data size gives the total AVI file size: 31,442 + 8 = 31,450 bytes. The actual file size is 31,744 bytes; however, from offset 31,450 onward the file contains only zeros, which means the file was simply padded to align to a 1 KB boundary (a multiple of 1,024 bytes).
struct RIFF_Header {
    uint32 SignatureRIFF;   // Signature: "RIFF"
    uint32 SizeRIFF;        // 4 byte file size, little-endian order
    uint32 SignatureTYPE;   // RIFF Subtype: "AVI ", "CDXA", "WAVE", "CDR*", ...
};
Audio Video Interleave File Format
This example just determines the AVI start signature and calculates the file size based on the size specified in the RIFF header. Some additional validation is included. The syntax of the signature definition language can be read here.
[AVI_HEADER]
DESCRIPTION=AVI Audio Video File
EXTENSION=avi
BEGIN=AVI_BEGIN
SCRIPT=AVI_SCRIPT

[AVI_BEGIN]
RIFF=0|0
AVI=8|8

[AVI_SCRIPT]
size = read(dword, 4)
size = sum(size, 8)
next:
temp = read(dword, size)
if (temp != "JUNK") goto label
size = sum(size, 4)
temp = read(dword, size)
size = sum(size, 4)
size = sum(size, temp)
goto next
label:
temp = and(temp, 00FFFFFFh)
if (temp != "TAG") goto exit
size = sum(size, 128)
goto next
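The same size calculation in Python, as an added example that is not part of the original page or the vendor's code. The names avi_extent, slack_is_zero and make_sample are hypothetical, the sample is constructed from the numbers above, and the handling of trailing JUNK and "TAG" blocks is an assumed reading of the script.

```python
import struct

class RiffError(ValueError):
    """The buffer does not hold a plausible RIFF/AVI file at this offset."""

def avi_extent(buf: bytes, start: int = 0) -> int:
    """Length in bytes of the AVI file beginning at `start` (hypothetical helper)."""
    if len(buf) - start < 12:
        raise RiffError("shorter than the 12-byte RIFF header")
    sig, data_size, riff_type = struct.unpack_from("<4sI4s", buf, start)
    if sig != b"RIFF" or riff_type != b"AVI ":
        raise RiffError("RIFF / 'AVI ' signatures not found at offsets 0 and 8")
    end = start + 8 + data_size            # data size plus the 8-byte prefix
    if end > len(buf):
        raise RiffError("declared size runs past the available data")
    # Trailing blocks the script also counts (assumed reading of its syntax):
    # whole JUNK chunks, and 128-byte blocks whose first three bytes are "TAG".
    while True:
        tag = buf[end:end + 4]
        if tag == b"JUNK" and end + 8 <= len(buf):
            (junk_size,) = struct.unpack_from("<I", buf, end + 4)
            if end + 8 + junk_size > len(buf):
                break                      # size field overruns the data: stop
            end += 8 + junk_size
        elif tag[:3] == b"TAG" and end + 128 <= len(buf):
            end += 128
        else:
            break
    return end - start

def slack_is_zero(buf: bytes, extent: int, start: int = 0) -> bool:
    """True when everything after the logical end is zero padding."""
    return not any(buf[start + extent:])

def make_sample() -> bytes:
    """Constructed sample with the page's numbers: 31,442 data bytes in 31,744."""
    body = b"AVI " + b"\x01" * (31442 - 4)
    riff = b"RIFF" + struct.pack("<I", 31442) + body
    return riff.ljust(31744, b"\x00")

if __name__ == "__main__":
    sample = make_sample()
    extent = avi_extent(sample)
    print(extent, len(sample), slack_is_zero(sample, extent))
```

The size field is checked against the available data before it is used, so a header that declares more bytes than exist is rejected instead of being followed past the end of the buffer.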