
Metadata: So Useful But Not So Reliable


Dear friends, welcome to this week’s video evidence pitfall post! We often hear about the importance of metadata as a way to reveal more than pixels alone would. It’s certainly true that metadata can give us lots of useful info. However, it must be looked at carefully and prudently, as it hides several pitfalls. Keep reading to discover some!

Issue: Metadata May Seem (or Be) Misleading!

As part of a drug-dealing investigation, you’re provided a video submitted by a citizen, who captured it with their smartphone (you can download it from this link).

Screenshot of Amped FIVE software interface analyzing a video frame showing a man walking in a grassy park near parked cars and a large tree. The software's timeline, filter settings, and video loader panel are visible, indicating use of FFMS with audio and DVR conversion options. Commonly used in forensic video enhancement and analysis workflows.

The video is brought to you on a USB drive by a colleague. Using Amped FIVE’s Copy and Verify tool, you copy it to your workstation, checking that the hashes match, and then create a working copy of it. The first question you want to address is: is the integrity of the video file preserved?

So you load the video in Amped FIVE, open the Advanced File Info and take a look at the Exiftool tab. A load of information appears, and you’re suddenly puzzled by something.

Screenshot of the ExifTool tab in Amped FIVE software displaying advanced file information for the video file "DXX_V_outdoor_move_0001.mp4" located in the D:/metadata directory. Metadata includes file size (159 MB), file modification date (2019:09:26 14:45:44+02:00), access date (2021:04:29 16:17:13+02:00), and creation date (2021:04:29 16:05:31+02:00), crucial for digital forensics and video authenticity verification.

The File Creation Date/Time reads April 29th, 2021, but the File Modification Date/Time reads September 26th, 2019. How could a file be modified before being created? Does this already mean integrity is broken? Then you scroll down and find more information about time…

Metadata details for a video track displayed in a forensic analysis tool, showing track creation and modification dates as September 26, 2019 at 12:45:44. The video track resolution is 1920x1080 pixels, with a duration of one minute and media time scale of 90000. Key fields include Track ID, Media Create Date, Media Modify Date, and Handler Description, providing critical evidence for verifying video authenticity and file integrity in forensic investigations.

The Media Create Date and Media Modify Date both suggest September 26th, 2019 as the creation date. What does all of this mean?

Explanation: Metadata Come in Many Flavors

When talking about image and video metadata, there’s an important first distinction that must be made: the one between Filesystem metadata and Embedded metadata.

Filesystem Metadata

Filesystem metadata are not part of the file. They are created and maintained by the operating system elsewhere on the hosting device. Windows, for example, maintains (among others) a Create date, a Modify date, and an Access date for each file. Whenever a program accesses the file (even for simply reading part of it), the Access date (should) get updated. Whenever a program writes something into the file, the Modify date gets changed (even if the file did not actually change). The Create date, as suggested by the name, tells when that file was created on the filesystem.

Now, when your colleague brought the file to you, you copied it from the USB drive and pasted it on your workstation. Since you’re creating a new copy, the filesystem sets the copy date as the Create date, while, of course, the source file’s Create date remains unaltered. However, since the file is just being copied, the filesystem does not update the Modify date. This explains how you can easily have a Create date that is later than the Modify date!
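The copy scenario above can be reproduced in a few lines. This is an added example, not Amped FIVE's Copy and Verify tool; the file names and contents are constructed, and `shutil.copy2` stands in for a copy that carries the Modify date over.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Hash the file content in chunks; filesystem timestamps are not part of it."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def copy_and_compare(recorded_at):
    """Copy a constructed evidence file; report what the copy changed and kept."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "usb_original.mp4")       # hypothetical name
        working = os.path.join(workdir, "workstation_copy.mp4")  # hypothetical name
        with open(source, "wb") as fh:
            fh.write(b"constructed stand-in for video bytes" * 1000)
        # Back-date the source so it looks like a recording written in the past.
        stamp = recorded_at.timestamp()
        os.utime(source, (stamp, stamp))

        shutil.copy2(source, working)  # copy2 preserves the Modify date
        info = os.stat(working)
        # Creation time where the platform exposes it; otherwise st_ctime
        # (inode change time), which is also set when the copy is made.
        created = getattr(info, "st_birthtime", info.st_ctime)
        return {
            "hash_match": sha256_of(source) == sha256_of(working),
            "modify": datetime.fromtimestamp(info.st_mtime, timezone.utc),
            "create": datetime.fromtimestamp(created, timezone.utc),
        }


if __name__ == "__main__":
    when = datetime(2019, 9, 26, 12, 45, 44, tzinfo=timezone.utc)
    for name, value in copy_and_compare(when).items():
        print(f"{name:>10}: {value}")
```

The copy reports a Create date later than its Modify date while the hashes still match, so the apparent paradox says nothing about whether the content was altered.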

Embedded Metadata

Embedded metadata are a different story: they are written inside the file and travel with it. Normally, they’re written when the image/video is created and possibly updated by processing software when the file is manipulated in any way. They won’t be affected by copy-paste operations, since they are part of the file payload. Unfortunately, however, it is very easy for an attacker to delete or modify them! In Windows, some embedded metadata can even be changed or erased directly from the File Properties panel!

Screenshot of image properties window showing metadata details for a JPEG file, including the date taken as October 18, 2019, and the program name listed as "MAR-L21A 9.1.0.241(C431E8R1P1)". Additional metadata fields include image dimensions of 4000x3000 pixels and the image ID. This data is typically used in digital forensics and photo authentication to verify image origin, capture date, and software used.

You can add or change virtually all embedded metadata using dedicated software, such as Exiftool, or working with a Hex editor.
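For an MP4 like the one in this case, the embedded create/modify dates can be read straight from the container boxes and cross-checked against the filesystem Modify date that ExifTool reports. This is an added example, not Amped FIVE or ExifTool code; the sample bytes are constructed, and the comparison assumes the recording device wrote the dates in UTC as ISO BMFF specifies (seconds since 1904-01-01).

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)   # ISO BMFF dates count from here
CONTAINERS = {b"moov", b"trak", b"mdia"}             # boxes that hold child boxes
TIMED = {b"mvhd", b"tkhd", b"mdhd"}                  # headers with create/modify dates


def iter_boxes(data, start=0, end=None, path=""):
    """Yield (path, type, payload) for each box, descending into containers."""
    pos, end = start, len(data) if end is None else end
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", data, pos)
        header = 16 if size == 1 else 8              # size 1: 64-bit size follows
        if size == 1 and pos + 16 <= end:
            size = struct.unpack_from(">Q", data, pos + 8)[0]
        elif size == 0:                              # box runs to end of parent
            size = end - pos
        if size < header or pos + size > end:
            break                                    # truncated or corrupt: stop
        name = f"{path}/{kind.decode('latin-1')}"
        yield name, kind, data[pos + header:pos + size]
        if kind in CONTAINERS:
            yield from iter_boxes(data, pos + header, pos + size, name)
        pos += size


def embedded_dates(data):
    """Return {box path: (created, modified)} as timezone-aware UTC datetimes."""
    found = {}
    for name, kind, payload in iter_boxes(data):
        fmt = ">QQ" if payload[:1] == b"\x01" else ">II"   # version 1: 64-bit dates
        if kind not in TIMED or len(payload) < 4 + struct.calcsize(fmt):
            continue
        found[name] = tuple(EPOCH + timedelta(seconds=s) for s in struct.unpack_from(fmt, payload, 4))
    return found


def build_sample(when):
    """Constructed MP4 skeleton (headers cut short after the dates), not a real video."""
    secs = int((when - EPOCH).total_seconds())
    box = lambda kind, body: struct.pack(">I4s", 8 + len(body), kind) + body
    dated = struct.pack(">B3xII", 0, secs, secs)
    moov = box(b"moov", box(b"mvhd", dated) + box(b"trak", box(b"mdia", box(b"mdhd", dated))))
    return box(b"ftyp", b"isom" + bytes(4)) + moov


def matches_filesystem(embedded, exiftool_value):
    """Same instant as an ExifTool-style '2019:09:26 14:45:44+02:00' value?"""
    return embedded == datetime.strptime(exiftool_value, "%Y:%m:%d %H:%M:%S%z")
```

With the values shown in the screenshots, the embedded 12:45:44 and the filesystem 14:45:44+02:00 are the same instant, while the 2021 Create date is simply the time of the copy.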

Until now, we’ve looked at a standard video file. When dealing with proprietary video files, however, even more problems arise. For example, a proprietary container could host a standard video stream and a proprietary audio stream. It may easily happen that your analysis software will only be able to detect the standard video stream and not the audio stream! You may thus believe the recording has no audio, while actually there’s audio and the proprietary player could play it! The same happens with timestamps. If they’re written in a non-standard way, you will almost certainly lose them if you don’t use specialized software.

The metadata in the file below reports one single video stream (Video ID 0).

Screenshot of the "Advanced File Info" tab from a forensic software tool displaying detailed metadata for an AVI video file. Information includes file size of 8.13 MiB, duration of 2 minutes 7 seconds, overall bit rate of 537 kb/s, and writing application Lavf58.20.100. Video stream data reveals H.264 codec, resolution of 352x288 pixels, frame rate of 50 FPS, progressive scan type, and YUV 4:2:0 color space. This technical metadata is critical in digital forensics and video authenticity verification.

However, as we saw in the last “Video Evidence Pitfalls” post (about Multiplexing), this single stream could really be multiple streams. Is it 1 video or 8? And take a look at that frame rate — is it really 50 fps? (Spoiler — no it’s not!)

As explained in a dedicated blog post (What is the frame rate?), in a single file you may find even 3 or 4 conflicting pieces of information about the frame rate at which the video should be played (some info in the container metadata, some in the video stream’s metadata, some in the audio’s, etc.). For example, we recently dealt with a video claiming a 50 fps playback speed. Since there were timestamps printed over the frames, we could find that the frame rate actually oscillated between 42 and 59 fps, depending on which part of the video you concentrated on.

Solution: Don’t Trust Metadata Too Much… nor Yourself!

In this post, we could only cover the tip of the iceberg. It should be pretty clear that metadata are a mine of information but also a minefield. This is especially true when dealing with proprietary file metadata, which will not be parsed by most file analysis software. A very good starting point for examining the available information in your file is Amped FIVE’s Advanced File Info, going through the various tabs it offers. The ffprobe tab will display lots of technical data about the container and the included streams, but it’s also harder to read for a non-expert.

If you’re dealing with recovering a license plate from a video, you probably don’t have to worry too much about metadata. But when the date and time of events matter (e.g., car incident analysis), you’d better ask yourself: am I confident in dealing with this stuff? If the answer is “perhaps no”, then call an analyst with experience and get some help.


 Marco Fontani

Marco Fontani is the Forensics Director at Amped Software, a software company developing image and video forensic solutions for law enforcement agencies worldwide. He earned his MSc in Computer Engineering in 2010 and his Ph.D. in Information Engineering in 2014. His research focused on image watermarking and multimedia forensics. He participated in several research projects funded by the EU and EOARD, and authored/co-authored over 30 journal and conference proceedings papers. He has experience in delivering training to law enforcement and provided expert witness testimony on several forensic cases involving digital images and videos. He is a former member of the IEEE Information Forensics and Security Technical Committee, and he actively contributed to the development of ENFSI’s Best Practice Manual for Image Authentication.
