Digital forensics examiners are very aware of the benefits of identifying metadata in files from word processing documents to image files. The metadata in image files, referred to as Exif (Exchangeable image file format), has been a source of information in forensic examinations for some time. Many files, including video files, have metadata.
If metadata is important in other investigations, can video metadata be a similar potential treasure trove? In our basic course I have extolled the examination of metadata during internet investigations, because in online documents or images, metadata can be incredibly damaging evidence.
For example, recently I was asked to examine a website set up on a “free” domain to find out who the the owner might be. Examination of the website failed to ascertain anything until I downloaded the files embedded in the site. A quick look at the files’ metadata ascertained their author – who was well known to the plaintiff.
Two types of video metadata
So video metadata does exist, and it is important. To deal with video metadata, we have to understand where it comes from. There are two sources, which one article describes as:
a) Operational, automatically gathered video metadata, which is typically a set of information about the content you produce, such as the equipment you used, the software you employed, the date you created your video, GPS coordinates of shooting location, and more.
b) Human-authored video metadata, which can be created to provide more search engine visibility, audience engagement, and better advertising opportunities for online video publishers.
Most of what we are currently dealing with in metadata examination is the “operational” metadata. However, human-authored metadata may become more important.
Interestingly enough, video metadata is getting some heavy discussion from a marketing point of view. Online video providers are looking at the use of video metadata to describe the video better for two reasons: first, better coverage in the search engines, and second, so end users have more descriptive information about the video.
Additionally, video-sharing sites seek to make videos more “social” by enabling users to add metadata to the videos they host. For instance, Metacafe’s Wikicafe section allows all its users to add “human authored” comments to video metadata.
Although few standards currently exist for video metadata, this is changing as video delivery becomes more important. Acceptance of standards such as the Dublin Core Metadata Element Set are becoming common. With standards in the metadata, investigators will have an ability to look for common items of information in the file.
Standard metadata also makes it easier to build tools to extract this data. The continuing conversation, and the acceptance of “human authored” metadata, will undoubtedly provide investigators with additional information regarding videos they find on the internet during investigations.
File formats and what they contain
Search Google for “video metadata forensics”, and you won’t find much of anything useful. It is mentioned in some places that video has metadata, but little describes the metadata in depth. However, search for RIFF (Resource Interchange File Format) and you will find a lot more. Riff, the term similar in usage to Exif data, is the format that describes the usage of metadata in many video and audio files.
Riff data can include:
The amount of Riff data available depends on the file format. Riff data is a proprietary format originally developed by Microsoft and IBM for Windows 3.1. The format was released in the 1991 in the Windows Multimedia Programmer’s Reference. Riff was never adopted as a standard and few new video formats have adopted the file format since the 1990’s. Common files formats still in use that use Riff include .wav and .avi. Microsoft has since 2004 been using the ASF format (Advanced Systems Format) since 2004 in its .wma files.
From the Microsoft Advanced Systems Format specifications, we can find that the ASF file can contain potentially valuable information.
Okay….so we have looked at the underlying structure for the metadata present in video. The question now becomes, how do we look at that data? There are a few free tools out there to assist you. Let’s talk about three:
Gspot has been the heavy lifter for most investigators looking at metadata in video files. It provides a single screen view of the available data in a video file (of the files it can translate). Most of the data is “operational” data found in the file, but it does provide you with the “human authored” data if it is present. Gspot has an export function to allow the user to save the metadata information for inclusion in a report or to add to WebCase. Gspot’s failing is that it has had no recent updates since 2007.
The Gspot report looks like this:
To me, MediaInfo is a newer tool. Its basic view is much simpler than Gspot’s, but it offers several different views of the data that allow you to determine what metadata is present. I personally like the “tree” view as it lays out all of the metadata present in an easy to view screen. The export options for reporting also allow the user to quickly make reports in a text or html format for inclusion in their reports or to add to WebCase. MediaInfo also adds during installation a right click function to Windows Explorer to easily access the tool.
Media Info report (txt, html, or CSV) looks like:
A very basic tool, Video Inspector provides the user with the essential metadata present in the video file. The export function allows for exporting a text document with the metadata it finds, but it is limited. The tool was designed to assist the user in identifying missing codecs required to play the video, so reading all the available metadata is not its main function.
Video Inspector Report looks like:
In comparing the tools I used a video that I know had “operational” metadata in it to determine whether each program reported the data. Gspot and MediaInfo both located and reported the data. MediaInfo included the “Master date” which could either be the date the video was “mastered” or possibly the date it was uploaded to the site (I have to do some more research on that date and time stamp).
So there is some usefulness in reviewing video files for metadata. Something to remember is that some sites may strip the metadata when posted on line. Also, other tools used to download videos from the Internet, like savevid.com, save the video in flash and not the original file format containing the original metadata . Investigators need to find the original video uploaded to get to the metadata.
Additionally, as previously discussed, investigators may encounter challenges in the form of social media. For example: Metacafe’s attempt to add metadata to videos it hosts. Its Wikicafe section allows all its users to add “human authored” comments to video metadata.
If you are more interested in reading about metadata in video files here are some resources:
ASF File Format
What experiences have you had collecting video file metadata? Comment below!
Tags: Advanced Systems Format, ASF, Dublin Core Metadata Element Set, EXIF data, Gspot, Internet investigations, MediaInfo, Resource Interchange File Format, RIFF, search engines, video file metadata, Video Inspector, Wikicafe