Join Us!

Metadata Interrogat...
 
Notifications
Clear all

Metadata Interrogator  

  RSS
MI_creator
(@mi_creator)
New Member

Hello,
First up, I don't want this to sound like an advert as I know how annoying they are - the software is free and I'm actively looking for feedback from other practitioners rather than trying to promote it. I built it as it was something I had a working need for, and I'd like to share it with you all and get your opinions.

I decided that I needed something that would pull out absolutely any and all metadata possible from files, and display it in a useful way. There are lots of options that sort of do the same thing (Jeffery's Exif tool etc.) but I had a few specific requirements (such as completely offline, portable, any file type, GUI interface etc.) which weren't met by others.

I've also tried to build in some counter fraud specific tools such as match and timeline analysis, highlighting important fields (like author names) and similar.

You can get it here if you're interested - www.metadataanalysis.com

As mentioned, I'd love your feedback and suggestions for new features.

Quote
Posted : 22/01/2019 7:27 pm
kastajamah
(@kastajamah)
Member

I used your tool on a known file that I have confirmed the metadata. This was an MOV file. What I noticed missing was information regarding the lat/long, the make and model of the camera, and the recorded date (the date you have listed as the creation date is the encoded date).

I did like how quickly your program produced the data. I also like the export options.

ReplyQuote
Posted : 22/01/2019 8:06 pm
MI_creator
(@mi_creator)
New Member

I used your tool on a known file that I have confirmed the metadata. This was an MOV file. What I noticed missing was information regarding the lat/long, the make and model of the camera, and the recorded date (the date you have listed as the creation date is the encoded date).

I did like how quickly your program produced the data. I also like the export options.

Thanks so much for the feedback - I'll have a look into .MOV files asap

The creation date is a really tricky one - each file type has a few different 'creation date' fields (encoded, created, saved etc.) and it gets messy deciding which one to use as the core one for analysis. The 'creation date' field at the top tries to pick the best one (and is used for the timeline analysis etc.) but it isn't always as expected and I should probably note that up for users somewhere.

ReplyQuote
Posted : 22/01/2019 8:16 pm
MI_creator
(@mi_creator)
New Member

Just a quick one, I've released version 0.5 - this version mostly includes lots of bug fixes and minor improvements to the extraction of metadata.

It also includes a very basic version of full data set analysis. This basically looks over all the files in your table and drags out some interesting information such as authors and risk rating. I'll be improving on this function in later releases, but I believe it's already of some use at the moment.

As always, if there are any features or improvements you'd like to see, let me know as I'd be happy to attempt to implement them.

ReplyQuote
Posted : 08/02/2019 8:00 pm
Mark_Thompson
(@mark_thompson)
New Member

Will this help me with my problem through the below link to help me to verify that it's not been edited? I'm at my wits end cry

https://www.forensicfocus.com/Forums/viewtopic/t=17443/

ReplyQuote
Posted : 09/02/2019 11:13 pm
MI_creator
(@mi_creator)
New Member

Will this help me with my problem through the below link to help me to verify that it's not been edited? I'm at my wits end cry

https://www.forensicfocus.com/Forums/viewtopic/t=17443/

I'm afraid it won't really help you in this case - the software helps to show which device the file came from, but it wouldn't really prove evidence of tampering/not tampering. I hope you manage to sort it out though!

ReplyQuote
Posted : 10/02/2019 3:46 pm
Mark_Thompson
(@mark_thompson)
New Member

Thanks and I've looked at the metadata through the free forensic software, Video Cleaner and it tells me that it originated from the cam but I understand and read somewhere that metadata can be edited. I found it a bit peculiar that it doesn't show that it's been date and time-stamped even though it clearly shows the time and date at the bottom righthand corner in the video. Unless I've got it wrong I think what goes in my favour is the video is over an hour long with each file being 15mins long except the last one and he's on one of the 15-min files doing his act. Each 15-min file being exactly 10800000 samples in length helps?

ReplyQuote
Posted : 10/02/2019 7:38 pm
MI_creator
(@mi_creator)
New Member

Thanks and I've looked at the metadata through the free forensic software, Video Cleaner and it tells me that it originated from the cam but I understand and read somewhere that metadata can be edited. I found it a bit peculiar that it doesn't show that it's been date and time-stamped even though it clearly shows the time and date at the bottom righthand corner in the video. Unless I've got it wrong I think what goes in my favour is the video is over an hour long with each file being 15mins long except the last one and he's on one of the 15-min files doing his act. Each 15-min file being exactly 10800000 samples in length helps?

You're correct that all metadata can be edited. Unfortunately in your case, I don't think there's anything you can do forensically with this - even if you can prove that it's from the same camera, it doesn't help prove your case as the issue is that you can't see that it's him.

ReplyQuote
Posted : 10/02/2019 9:39 pm
Mark_Thompson
(@mark_thompson)
New Member

Thank you very much for your reply, although I can just about get his face by freeze framing it after he put the second bin in then goes off screen to sit down on the other side of the room before returning on screen to proceed with his act. Even though his face can't be seen whilst he's doing his act, I believe it can be put into context that it's him if it can be proven that it's not been edited between those 2 points because he's the only one who uses that room on that shift. The only thing that's left is for me to use the sound of the cam one last time to make sure he's still taking it outside, but if he isn't and he's transferring it instead of directly then I guess that there may be a chance I may be able to get his face if I can devise a way of where to put a cam. Although it wouldn't be showing him doing it directly but using a vessel, I believe it would support the above that it was him because it can be put into context. It would still only be good enough evidence to leave behind if I got another job but failing that I guess the only thing left would be a forensics company to verify that it's not been edited. Thanks for your help.

One last thing is I ran analysis pass through Video Cleaner which processed the file to check that it really is 18000 frames as with the other 15-min files and it's verified them as being 18000 frames so I'm guessing this confirms the metadata hasn't been edited so if it was to be edited it'd only be in the scope of an expert because I'd have to get the other files the same to reflect it

?

ReplyQuote
Posted : 11/02/2019 1:49 am
Mark_Thompson
(@mark_thompson)
New Member

There are 5 files which make up the video and all of them are 15mins long except the last one which is under that so that's just over an hour long. All of the files except the last one again are 18000 frames so even if the metadata can be changed it can be analysed like I did for 18000 frames unlike say the cam it originated from. So if that 15min file was edited it'd have to be exactly 18000 frames to reflect the other ones and the only question that remains to be asked is if there's any video editing software that'd enable me to achieve that? I'm not aware that there is so it goes in my favour if there isn't. I'll have to try to find out.

ReplyQuote
Posted : 17/02/2019 12:24 am
sovietpecker
(@sovietpecker)
Junior Member

Hello,
First up, I don't want this to sound like an advert as I know how annoying they are - the software is free and I'm actively looking for feedback from other practitioners rather than trying to promote it. I built it as it was something I had a working need for, and I'd like to share it with you all and get your opinions.

I decided that I needed something that would pull out absolutely any and all metadata possible from files, and display it in a useful way. There are lots of options that sort of do the same thing (Jeffery's Exif tool etc.) but I had a few specific requirements (such as completely offline, portable, any file type, GUI interface etc.) which weren't met by others.

I've also tried to build in some counter fraud specific tools such as match and timeline analysis, highlighting important fields (like author names) and similar.

You can get it here if you're interested - www.metadataanalysis.com

As mentioned, I'd love your feedback and suggestions for new features.

Great tool you got here. Gave it a go and found it pretty interesting. Now i am really interested in the online training course you mentioned. Would check out the PDA website. Thanks.

ReplyQuote
Posted : 17/02/2019 4:30 pm
MI_creator
(@mi_creator)
New Member

Great tool you got here. Gave it a go and found it pretty interesting. Now i am really interested in the online training course you mentioned. Would check out the PDA website. Thanks.

Really glad you've found the tool useful - makes it all worth while to hear that people have enjoyed using it.

I've got a new release coming up which I think has some much better features (a much improved timeline, better data set analysis and so on) - I'll post here later once it's all cooked.

ReplyQuote
Posted : 20/02/2019 8:30 am
MI_creator
(@mi_creator)
New Member

Just a quick message to say that I've just released a new version with a much fancier timeline, better data set and match analysis and a lot of performance improvements.

https://www.metadataanalysis.com/2019/02/22/v0-6-released/

ReplyQuote
Posted : 22/02/2019 10:25 pm
Mobo
 Mobo
(@mobo)
New Member

Hi,
That's a great tool you've created there. Thank you.
I've had a play with it from various file types of my own that I know the history of.
On all the (Word) Docs it gives a "Creation Date" and "Created" row.
In all cases the former shows 01.01.1980 0000.00hrs and the latter gives me the times/date I created my document - precisely.
Can you tell me the intended difference between the two?
Thanks again.

ReplyQuote
Posted : 16/12/2019 3:32 pm
MI_creator
(@mi_creator)
New Member

Hi,
That's a great tool you've created there. Thank you.
I've had a play with it from various file types of my own that I know the history of.
On all the (Word) Docs it gives a "Creation Date" and "Created" row.
In all cases the former shows 01.01.1980 0000.00hrs and the latter gives me the times/date I created my document - precisely.
Can you tell me the intended difference between the two?
Thanks again.

Apologies for the delay,
Word metadata is a bit of a pain - it has a few fields which are just 'default' ones. Every Word doc will have 01.01.1980 0000.00hr as the Created date, as it's just saved in the metadata of every file (unless it's been overwritten specifically). I have no idea why, and it annoys me greatly.

Anyway, I've tried to get round this in a few ways - in the latest version (0.8) of Metadata Interrogator you'll see a row that says *Creation Date. This is a calculated date which tries to pick the best 'creation date' for a file. It does this by ignoring any default dates, and picking the earliest date in any of the creation metadata fields. Be warned it's not perfect, so make sure to double check yourself.

Dates and times are unfortunately one of the most difficult and unsure parts of dealing with metadata, which is frustrating as it should be some of the most useful data. Hope that helps!

ReplyQuote
Posted : 21/12/2019 12:48 pm
Share: