Metadata Interrogat...
 
Notifications
Clear all

Metadata Interrogator

15 Posts
5 Users
0 Likes
1,746 Views
(@mi_creator)
Posts: 8
Active Member
Topic starter
 

Hello,
First up, I don't want this to sound like an advert as I know how annoying they are - the software is free and I'm actively looking for feedback from other practitioners rather than trying to promote it. I built it as it was something I had a working need for, and I'd like to share it with you all and get your opinions.

I decided that I needed something that would pull out absolutely any and all metadata possible from files, and display it in a useful way. There are lots of options that sort of do the same thing (Jeffery's Exif tool etc.) but I had a few specific requirements (such as completely offline, portable, any file type, GUI interface etc.) which weren't met by others.

I've also tried to build in some counter fraud specific tools such as match and timeline analysis, highlighting important fields (like author names) and similar.

You can get it here if you're interested - www.metadataanalysis.com

As mentioned, I'd love your feedback and suggestions for new features.

 
Posted : 22/01/2019 7:27 pm
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 

I used your tool on a known file that I have confirmed the metadata. This was an MOV file. What I noticed missing was information regarding the lat/long, the make and model of the camera, and the recorded date (the date you have listed as the creation date is the encoded date).

I did like how quickly your program produced the data. I also like the export options.

 
Posted : 22/01/2019 8:06 pm
(@mi_creator)
Posts: 8
Active Member
Topic starter
 

I used your tool on a known file that I have confirmed the metadata. This was an MOV file. What I noticed missing was information regarding the lat/long, the make and model of the camera, and the recorded date (the date you have listed as the creation date is the encoded date).

I did like how quickly your program produced the data. I also like the export options.

Thanks so much for the feedback - I'll have a look into .MOV files asap

The creation date is a really tricky one - each file type has a few different 'creation date' fields (encoded, created, saved etc.) and it gets messy deciding which one to use as the core one for analysis. The 'creation date' field at the top tries to pick the best one (and is used for the timeline analysis etc.) but it isn't always as expected and I should probably note that up for users somewhere.

 
Posted : 22/01/2019 8:16 pm
(@mi_creator)
Posts: 8
Active Member
Topic starter
 

Just a quick one, I've released version 0.5 - this version mostly includes lots of bug fixes and minor improvements to the extraction of metadata.

It also includes a very basic version of full data set analysis. This basically looks over all the files in your table and drags out some interesting information such as authors and risk rating. I'll be improving on this function in later releases, but I believe it's already of some use at the moment.

As always, if there are any features or improvements you'd like to see, let me know as I'd be happy to attempt to implement them.

 
Posted : 08/02/2019 8:00 pm
(@mark_thompson)
Posts: 8
Active Member
 

Will this help me with my problem through the below link to help me to verify that it's not been edited? I'm at my wits end cry

https://www.forensicfocus.com/Forums/viewtopic/t=17443/

 
Posted : 09/02/2019 11:13 pm
(@mi_creator)
Posts: 8
Active Member
Topic starter
 

Will this help me with my problem through the below link to help me to verify that it's not been edited? I'm at my wits end cry

https://www.forensicfocus.com/Forums/viewtopic/t=17443/

I'm afraid it won't really help you in this case - the software helps to show which device the file came from, but it wouldn't really prove evidence of tampering/not tampering. I hope you manage to sort it out though!

 
Posted : 10/02/2019 3:46 pm
(@mark_thompson)
Posts: 8
Active Member
 

Thanks and I've looked at the metadata through the free forensic software, Video Cleaner and it tells me that it originated from the cam but I understand and read somewhere that metadata can be edited. I found it a bit peculiar that it doesn't show that it's been date and time-stamped even though it clearly shows the time and date at the bottom righthand corner in the video. Unless I've got it wrong I think what goes in my favour is the video is over an hour long with each file being 15mins long except the last one and he's on one of the 15-min files doing his act. Each 15-min file being exactly 10800000 samples in length helps?

 
Posted : 10/02/2019 7:38 pm
(@mi_creator)
Posts: 8
Active Member
Topic starter
 

Thanks and I've looked at the metadata through the free forensic software, Video Cleaner and it tells me that it originated from the cam but I understand and read somewhere that metadata can be edited. I found it a bit peculiar that it doesn't show that it's been date and time-stamped even though it clearly shows the time and date at the bottom righthand corner in the video. Unless I've got it wrong I think what goes in my favour is the video is over an hour long with each file being 15mins long except the last one and he's on one of the 15-min files doing his act. Each 15-min file being exactly 10800000 samples in length helps?

You're correct that all metadata can be edited. Unfortunately in your case, I don't think there's anything you can do forensically with this - even if you can prove that it's from the same camera, it doesn't help prove your case as the issue is that you can't see that it's him.

 
Posted : 10/02/2019 9:39 pm
(@mark_thompson)
Posts: 8
Active Member
 

Thank you very much for your reply, although I can just about get his face by freeze framing it after he put the second bin in then goes off screen to sit down on the other side of the room before returning on screen to proceed with his act. Even though his face can't be seen whilst he's doing his act, I believe it can be put into context that it's him if it can be proven that it's not been edited between those 2 points because he's the only one who uses that room on that shift. The only thing that's left is for me to use the sound of the cam one last time to make sure he's still taking it outside, but if he isn't and he's transferring it instead of directly then I guess that there may be a chance I may be able to get his face if I can devise a way of where to put a cam. Although it wouldn't be showing him doing it directly but using a vessel, I believe it would support the above that it was him because it can be put into context. It would still only be good enough evidence to leave behind if I got another job but failing that I guess the only thing left would be a forensics company to verify that it's not been edited. Thanks for your help.

One last thing is I ran analysis pass through Video Cleaner which processed the file to check that it really is 18000 frames as with the other 15-min files and it's verified them as being 18000 frames so I'm guessing this confirms the metadata hasn't been edited so if it was to be edited it'd only be in the scope of an expert because I'd have to get the other files the same to reflect it

?

 
Posted : 11/02/2019 1:49 am
(@mark_thompson)
Posts: 8
Active Member
 

There are 5 files which make up the video and all of them are 15mins long except the last one which is under that so that's just over an hour long. All of the files except the last one again are 18000 frames so even if the metadata can be changed it can be analysed like I did for 18000 frames unlike say the cam it originated from. So if that 15min file was edited it'd have to be exactly 18000 frames to reflect the other ones and the only question that remains to be asked is if there's any video editing software that'd enable me to achieve that? I'm not aware that there is so it goes in my favour if there isn't. I'll have to try to find out.

 
Posted : 17/02/2019 12:24 am
Page 1 / 2
Share: