mp4 video authentication using file structure and metadata...digital forensic research conference...
TRANSCRIPT
DIGITAL FORENSIC RESEARCH CONFERENCE
MP4 Video Authentication Using File
Structure and Metadata
By
Jake Hall
Presented At
The Digital Forensic Research Conference
DFRWS 2015 USA Philadelphia, PA (Aug 9th - 13th)
DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized
the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners
together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working
groups, annual conferences and challenges to help drive the direction of research and development.
http:/dfrws.org
MP4$Video$Authen/ca/on$Using$File$Structure$and$Metadata$ $$
Jake$Hall$
MP4/3GP$Video$
• Video$Coding$Formats$– H.264$– MPEGE4$Part$10$
– Advanced$Video$Coding$(AVC)$• File$Container$Format$– MP4$– 3GP,$3G2$
Movie$Atoms$
• QuickTime$File$Format$Specifica/on$• Allow$the$media$and$the$descrip/on$to$be$stored$separately$$
• Size$>$Type$>$Data$• Parent$/$Child$Nes/ng$Conven/on$
Original$Go$Pro$Hero$3+$Black$
Parsing$$
• 4$bytes$@$0x00$–$size$of$atom$–$32$bytes$• 4$bytes$@$0x04$–$type$of$atom$–$^yp$
• File$Type$Compa/bility$
Parsing$
• 4$bytes$@$0x20$–$size$of$atom$–$22742$bytes$• 4$bytes$@$0x24$–$type$of$atom$–$moov$• 4$bytes$@$0x28$–$size$of$atom$–$108$bytes$• 4$bytes$@$0x2C$–$type$of$atom$–$mvhd$–$Movie$Header$Atom$
$$^yp$@$0x00$moov$@$0x20$• mvhd$@$0x28$• udta$@$0x94$
• FIRM$@$0x9C$• LENS$@$0xB0$• CAME$@$0xE8$• SETT$@$0x100$• AMBA$@$0x110$• free$@$0x190$
• trak$@$0x214$• tkhd$@$0x21C$• tref$@$0x278$
• tmcd$@$0x280$• edts$@$0x28C$
• elst$@$0x294$• mdia$@$0x2B0$
• mdhd$@$0x2B8$• …$
71$atoms$in$total$
Using$Atomic$Parsley$to$Render$Original$Go$Pro$
Examples$of$Unique$Atom$Data$
Adobe$Premiere$Structure$Change$
Original$vs.$Premiere$
ffmpeg$Structure$Change$
Original$vs.$ffmpeg$
Comparison$With$Other$Devices$Panasonic$Lumix$$$$$$$$DMC$TSE5$ LG$G3$
Samsung$$Galaxy$S5$
Samsung$$Galaxy$S4$
Samsung$$Galaxy$S3$
Notes$
• Forensic$Analysis$of$Video$File$Formats$by$Gloe,$Fischer,$Kirchner$– hkp://dx.doi.org/10.1016/j.diin.2014.03.009$
• QuickTime$File$Format$Specifica/on$– hkp://developer.apple.com/library/mac/documenta/on/QuickTime/QTFF/qnf.pdf$
• Atomic$Parsley$– hkp://github.com/wez/atomicparsley$