video patterns

Dear all,

We are working on a case where video files are important. We have a 
system disk drive (Windows) onto which some video files have been 
played. We have the original video files from the judge. We tried to 
search for these files (and big chunks of them) in the unallocated 
space, but to no avail. The disk doesn't contain the video files in 
their entirety and it seems that it has been extensively used. 
Therefore, our hope is that some tiny parts of the files are still kept 
somewhere in end of clusters or unallocated space. The problem is: how 
to find them and how many of them would be enough to conclude that "it 
is likely that the suspect drive contained the file"?

We tried to devise an approach by randomly selecting small strings of 
bytes (10 to 15 bytes) from the original video files and search them 
against the drive. We do found some of the strings and comparing the 
bytes before and after that string on the suspect drive we found up to a 
20 - 25 identical strings of bytes both in the supect drive and the 
original files. We did a search of the same strings against other drives 
(from other cases) containing mpegs and we drew a blank.

If any of you has a better suggestion, we welcome it. Besides, if any of 
you is willing to run a search with these strings on some collection of 
mpeg files of yours, we would be grateful.

Basically, we are facing a Gruyere cheese and we try to determine if 
there is something around the holes :-)

Take care,

David.