Does anyone know if a cell phone video marks a video file with a creation date? If so, how can one be recovered even after the video was modified and accessed after the creation date? I tried with FTK and EnCase and they both only show the last accessed and modified date with no creation date. Is it possible it is in the header and can be found with a hex editor? If so, what is the offset?
If I recall correctly, many mobile phones don't use a created time stamp; the modified is effectively the created date.
Perhaps it may help someone to respond to your question if you are able to confirm
- The make/model of handset?
- Is the video stored in handset memory or on memory card?
A speculative question, but how do you know the video was taken by this particular handset and not transferred to it from another phone?
Typically, I can't lay my hands on the appropriate standard to check, but if you're looking at a file based on the ISO base media file format (mp4/3gp for example) I'm fairly certain that there can be a "box" embedded in the file for creation time.
It doesn't have to be populated of course, but I'm fairly certain I can remember seeing it previously.
Have you tried running the file through exiftools? http//
Even if the tool doesn't get the data you want, the site contains details of most file types and the tags you can expect to find.
trewmte - I was only provided the SD card and not the handset. I could get with the Det. to see what the make and model are. Once I find out, what difference will that make? Are there certain makes and models that capture that data?
AlexC - "box": I'm not familiar with this, can you expand on it?
Adam10541 - I'll look further into your statement.
AlexC - "box": I'm not familiar with this, can you expand on it?
The ISO base media file format is built around "boxes" (they used to be referred to as 'Atoms'). The different boxes contain different things (including other boxes). There's a high-level overview of the format in this paper http//
I have spent a lot of time recently creating missing moov segments for MP4 files. For this I found an Apple spec "QuickTime File Format Specification" as a PDF file very useful.
It does appear that the 'mvhd' atom has a creation time and modified time (in a common Apple format of seconds since 1904). The same dates are also in the 'tkhd' atom.
I have no idea how accurate these dates are, and if they get modified when edited. It will be a case of try and see what happens to the dates. Alex C is correct, they do exist and, looking at a few sample files, appear to be filled in.
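An added example, not part of the original thread and not any poster's code: a minimal Python box walker that finds `moov`/`mvhd` in an ISO base media file (mp4/3gp) and converts the creation and modification fields from seconds since 1904. The sample bytes are constructed for illustration, the helper names are hypothetical, and reading the values as UTC is an assumption about the device that wrote the file.

```python
import struct
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)  # epoch used by mvhd/tkhd

def iter_boxes(buf, start=0, end=None):
    """Yield (type, payload_start, box_end) for each box in buf[start:end]."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1 and pos + 16 <= end:  # 64-bit "largesize" follows the type
            size, header = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:                    # box extends to the end of its container
            size = end - pos
        if size < header or pos + size > end:
            return                         # truncated or corrupt box: stop walking
        yield btype.decode("latin-1"), pos + header, pos + size
        pos += size

def mvhd_times(buf):
    """Return (created, modified) from moov/mvhd, or None if there is no readable mvhd."""
    for btype, s, e in iter_boxes(buf):
        if btype != "moov":
            continue
        for ctype, cs, ce in iter_boxes(buf, s, e):
            if ctype != "mvhd" or ce - cs < 4:
                continue
            # Full box: 1 byte version, 3 bytes flags, then the two timestamps
            # (32-bit each in version 0, 64-bit each in version 1).
            fmt, need = (">QQ", 20) if buf[cs] == 1 else (">II", 12)
            if ce - cs < need:
                return None
            # A field stored as 0 was never populated; report it as None.
            return tuple(MAC_EPOCH + timedelta(seconds=t) if t else None
                         for t in struct.unpack_from(fmt, buf, cs + 4))
    return None

def make_box(btype, payload):
    """Build one box; used only to construct the sample below."""
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

# Constructed sample (not from a real handset): ftyp + moov containing a v0 mvhd
SAMPLE_CREATED = 3_400_000_000  # seconds since 1904-01-01
SAMPLE = make_box(b"ftyp", b"3gp4" + bytes(4)) + make_box(b"moov", make_box(
    b"mvhd", struct.pack(">B3xII", 0, SAMPLE_CREATED, SAMPLE_CREATED + 60) + bytes(88)))
```

To use it on evidence, read a working copy of the file in binary mode and pass the bytes to `mvhd_times`; comparing the result with a test recording from the same handset model shows whether the device populates the field and in which time zone.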
I have spent a lot of time recently creating missing moov segments for MP4 files. For this I found an Apple spec "QuickTime File Format Specification" as a PDF file very useful.
AHA! That's the one I was looking for, no wonder I couldn't find it, I was assuming I had the actual ISO spec. That's been bugging me for hours, so thanks for putting me out of my misery!
Also glad I hadn't imagined the timestamp being stored in the file, thanks for clearing that up.
mscotgrove,
The format of the video is 3gp (Third Generation Partnership); will this analysis work using the same procedure as the "atom"? I did find the PDF, downloaded it and will read it.