[FFmpeg-user] Prove that video file does not have content removed or added

Peter White peter.white at posteo.net
Sat Jul 23 09:08:06 EEST 2016 

André Luís Duarte wrote:
 > Hi guys
 >
 > I am involved with another project in computer forensic where I have
 > to prove that several video files are intact (was not added or
 > removed content). I thought it would be easy but I'm a little
 > difficulty.

I am pretty certain you cannot prove anything in the digital world.
Unless the original was cryptographically signed, someone wanting to
manipulate a video could just as easily use ffmpeg to make it
undetectable.
Want to remove frames? Select the ones you want to keep and let ffmpeg
create a new file from those. I mean, how can you assume someone being
able to add or remove content but at the same time they are unable to
manipulate the metadata?

Or what am I not getting?

 > I thought of running ffprobe command to see the file characteristics
 > and got the following output.
 > ffprobe sample01.AVI...
 >
 > Input #0, avi, from 'sample01.AVI':
 > Metadata:
 > creation_time   : 2012-05-15 17:37:35
 > encoder         : SONY DSC MJPEG 0100
 > Duration: 00:00:46.27, start: 0.000000, bitrate: 2833 kb/s
 > Stream #0:0: Video: mjpeg (MJPG / 0x47504A4D), yuvj422p(pc, 
bt470bg/unknown/unknown), 320x240, 2735 kb/s, 30 fps, 30 tbr, 30 tbn, 30 tbc
 > Metadata:
 > title           : SONY DSC MOVIE
 > Stream #0:1: Audio: pcm_mulaw ([7][0][0][0] / 0x0007), 11025 Hz, 1 
channels, s16, 88 kb/s
 >
 > I converted the video time duration (00:00:46.27) for seconds and got 
the value: (46*60)+27 = 2767 s

FWIW, that calculation is wrong. The duration *is* 46.27 seconds. No
need for any calculation.

 > I thought the logic was right, but to see the amount of frames in
 > the video with the command:
 >
 > ffprobe -show_frames -select_streams v:0 sample01.AVI
 >
 > I got a output information and the final of message is:
 >
 > [FRAME]t message repeated 692 times
 > media_type=video
 > stream_index=0
 > key_frame=1
 > pkt_pts=1387
 > pkt_pts_time=46.232871
 > pkt_dts=1387
 > pkt_dts_time=46.232871
 > best_effort_timestamp=1387
 > best_effort_timestamp_time=46.232871
 > pkt_duration=1
 > pkt_duration_time=0.033333
 > pkt_pos=16330824
 > pkt_size=11662
 > width=320
 > height=240
 > pix_fmt=yuvj422p
 > sample_aspect_ratio=N/A
 > pict_type=I
 > coded_picture_number=0
 > display_picture_number=0
 > interlaced_frame=0
 > top_field_first=0
 > repeat_pict=0
 > [/FRAME]
 >
 > I understand the output for the command, the pkt_pos line = 16330824
 > has the number of the frames in the video file.

It does not. pkt_pos is the start position of the frame in the file
in bytes. In this case though, pkt_pts happens to be the frame number.
But I would not count on that with other formats.

More information about the ffmpeg-user mailing list