ABSTRACT

Complexity and sophistication among multimedia-based tools have made it easy for perpetrators
to conduct digital crimes such as counterfeiting, modification, and alteration without being
detected. It may not be easy to verify the integrity of video content that, for example, has been
manipulated digitally. To address this perennial investigative challenge, this paper proposes the
integration of a forensically sound push button forensic modality (PBFM) model for the
investigation of the MP4 video file format as a step towards automated video forensic
investigation. An open-source multimedia forensic tool was developed based on the proposed
PBFM model. A comprehensive evaluation of the efficiency of the tool against file alteration
showed that the tool was capable of identifying falsified files, which satisfied the underlying
assertion of the PBFM model. Furthermore, the outcome can be used as a complementary process
for enhancing the evidence admissibility of MP4 video for forensic investigation.

1
 INTRODUCTION

Information and communications technology (ICT) has taken over a substantial part of our lives
and has brought about changes in our daily lives. Furthermore, the digital information that is stored
in computers and multimedia devices is increasing, in particular multimedia content such as
images, audio, and video. Video is one of the most significant groups of these multimedia data.
However, as asserted in the proliferation and ease of falsification of this class of multimedia data
present a daunting challenge to society, thus further requiring the need for an advanced file
fingerprinting mechanism Highlighting this notion, Reference posited that the trustworthiness of
a multimedia video is sacrosanct, the lack of a scientifically verifiable method notwithstanding.
This challenge can be attributed to the complexity of editing software, which has also evolved to
enable inexperienced users to manipulate the content of digital data (with little effort) with a high-
quality output. As a consequence, questions regarding media authenticity are of growing
significance, particularly in litigation where important decisions might be based on the reliability
of the digital evidence . A proper chain of custody, as well as a chain of evidence are also required
to ensure the repeatability and possible expert presentation of a digital artefact

Whilst this surge has been prevalent in developed countries where digital crimes are thoroughly
investigated, the same cannot be said for developing nations. This is, however, conversely related
to the reality of crime in the developing nations. Digital criminals tend to leverage the availability
of state-of-the-art software and criminal networks to perpetuate seemingly sophisticated
multimedia-related crimes. Therefore, a surge of fake multimedia content tends to dominate the
cyber-ecosystem of most developing countries without a corresponding forensic/policing
capability. Furthermore, the search for “better pay” in a seemingly “privileged” discipline has led
to the migration of digital forensic experts from developing nations to advanced settings. Thus, the
developing nations are left with a declining ratio of forensic experts to cyber criminals. A potential
approach to this decreasing ratio is the integration of automation (a drive towards the bush button
approach) in the forensic investigation process

 Realising Push Button Forensics

As a step towards addressing this forensic reliability challenge, this study sought to promote the
development of an automated video forensics process through a push button forensics modality

2
(PBFM). The term PBFM is used to connote a forensically sound process implemented in a tool
for conducting digital investigation. This process mainly includes corroborative evidence
collection and pre-processing, as well as potential evidence analysis. A typical PBFM process
defined for this study is further illustrated in Figure 1. Central to this illustration is the assurance
of chain of custody and chain of evidence through a white-box testing approach. The decision to
ascertain these attributes was considered essential for evidence admissibility and standardized
forensic practice. Consequently, this process can potentially “reduce the case backlog while
avoiding investigation biases and personal prejudice.Furthermore, the process considers the
verification of the analysis methodology. In this regard, a formal approach that entails theoretical
suppositions and logical reasoning can be used to substantiate the correctness of the analysis
process.

3
  Operational Framework

One core component of an automated forensics process, is the capability to ensure white-box
testing. The combination of the tiered architecture and the process presented in Figure was
conceived of to address this focus. This fur- ther ensures that the software information domain and
its component functions are fully understood, as are its behaviour, performance, and the interfaces
required. An imputed Mp4 Video file is parsed for file signature identification and extraction. The
extraction signature is then compared with a known signature. The report of this verification pro-
cess is further hashed to ensure integrity verification. These are further explained in the following
subsections.

 File Signature Identification and Extraction from MP4 Video

The MP4 video format (MPEG-4 Section 14, also known as MPEG-4 AVC, where AVC
denotes Advanced Video Coding and MPEG refers to Motion Picture Expert Group) is one of

4
the most common digital multimedia formats for storing video and audio. However, it can also
be used to store other data such as subtitles and still images. The official file name extension for
MPEG-4 Part 14 files is “.mp4”, other extensions, most commonly “.m4a” and “.m4p”,
notwithstanding. MP4 is based on the ISO/IEC 14496-12:2004 standard, which in turn is based
on the QuickTime file format. Its structure is similar to the QuickTime file format, with some
additional features. An MP4 file has three sections: header (ftyp), video data (mdat), index
information (moov), as shown. Furthermore, the MP4 format also consists of consecutive
chunks. Each chunk of MP4 files includes an 8 byte header, a 4 byte chunk size (high byte
first, big-endian), and a 4 byte chunk type. The hexadecimal composition of these chunks is
further depicted. The first chunk of an MP4 file has a four byte chunk size at offset zero and a
four byte chunk type.

 First chunk of a sample MP4 file.

From Figure 5, the offset locations 00 through 03 represent the size in a decimal value of the first
chunk header. To extract the file signature, the hexadecimal values 00 00 00 18 are converted to

5
decimal values, which correspond to 00 00 00 24. This is the size of the first chunk header in the
sample MP4 file. The offset locations 04 through 07 represent the signature type (66 74 79 70) of
the first chunk header of an MP4 file. These hexadecimal values are converted to ASCII values to
obtain “ftyp”. ftyp represents the first file signature type for every MP4 file

Hexadecimal Decimal ASCII

66 74 79 70 102 116 121 112 ftyp

The offset locations 16 through 19 and 20 through 23 are also considered a file signature sub-type,
which could be defined by any of the signatures in the MP4 signature sub-type shown in Table 1.

Table 1. MP4 signature types.

S/N ASCII Hexadecimal Decimal

1 ftyp 66 74 79 70 102 116 121 112

2 mdat 6D 64 61 74 109 100 097 116

3 moov 6D 6F 6F 76 109 111 111 118

4 pnot 70 6E 6F 74 112 110 111 116

5 udta 75 64 74 61 117 100 116 097

6 uuid 75 75 69 64 117 117 105 100

7 moof 6D 6F 6F 66 109 111 111 102

8 free 66 72 65 65 102 114 101 101

9 skip 73 6B 69 70 115 107 105 112

10 jP2 6A 50 32 106 080 050

6
11 wide 77 69 64 65 119 105 100 101

12 load 6C 6F 61 64 108 111 097 100

13 ctab 63 74 61 62 099 116 097 098

14 imap 69 6D 61 70 105 109 097 112

15 matt 6D 61 74 74 109 097 116 116

16 kmat 6B 6D 61 74 107 109 097 116

17 clip 63 6C 69 70 099 108 105 112

18 crgn 63 72 67 6E 099 114 103 110

19 sync 73 79 6E 63 115 121 110 099

20 chap 63 68 61 70 099 104 097 112

21 tmcd 74 6D 63 64 116 109 099 100

22 scpt 73 63 70 74 115 099 112 116

23 ssrc 73 73 72 63 115 115 114 099

24 PICT 50 49 43 54 080 073 067 084

Figure 7. Third chunk of a sample MP4 file.

7
  Comparison Lookup Table

To aid the comparison process, this study developed a lookup table, which was then used to
compute the authentication process of the file format structure and file signature based on the
alteration differences typically observed between an altered file and its original version. A synopsis
of the lookup sequence is further presented in Table 2. The sequence is an integration of the defined
file signature sub-types for chunks 1, 2 and 3.

Table 2. Signature comparison lookup table.

S/N Chunk Offset Size Type Sub-type

1 Chunk 1 0 size-1 ftyp Table 3

2 Offset-x 16–19 Table 2 NIL

3 Offset-y 20–23 Table 2 NIL

4 Chunk 2 size-1 size-2 Table 2 NIL

5 Chunk 3 size (1 + 2) size-3 Table 2 NIL

 Push Button Forensic Tool

The tool uses a lightweight database as the storage location where the comparison mechanism gets
a stored set of file signatures of the existing video format. Based on the various actions highlighted
as the processes involving data input, different tables were designed to help store the information
needed for such actions.The user (forensic investigator) starts by choosing the type of multimedia

8
file (in this case video) to be investigated. After a successful upload of the multimedia file, the
user then performs the analysis by “pushing” the “Forensic Analysis” “button”

9
 CONCLUSION

This study presented a technique for verifying MP4 video data integrity by authen- ticating
the embedded digital signature. It also showed that the authentication of digital data is not
strictly based on complex mathematics and algorithms. A video file can be authenticated by
understanding the file structures and decoding the embedded digital signature at the point of
creation. This research work presented a method for authenticating MP4 videos by creating a
lookup table for the architectural structure and composition of the content. The developed
system is a useful tool for digital investigations that will provide a simple user interface for
multimedia forensics investigators.

10