DVR .mpg metadata not matching the embedded time/date stamp

Started by cfllc, March 30, 2021, 05:58:11 PM


cfllc

I have a DVR HDD which is potential evidence in a criminal matter. The owner of the DVR, attempting to export video files, had some difficulty and took the HDD to a data recovery firm (not realizing the potential for metadata to be modified during the recovery). The firm performed the extraction of the files in a .mpg format, using a non-forensic methodology. The original HDD and extracted video files were then provided to me. I have made a forensic image of the original evidence HDD, and used the extracted files for analysis. The exported files show an embedded time/date stamp (displayed in the video file as it's playing) that would be consistent with witness accounts of the incident; however, the file metadata (modified date) of the .mpg files reflects the date when the data recovery process and extraction occurred about 3 weeks later, when processed with ExifTool. The output is less robust than my previous experience with ExifTool, and is shown below:

---- ExifTool ----

ExifTool Version Number: 11.72
Error: File format error
---- System ----
File Name: 11-26c8@12;25A [8-46-11](TG Morning-Incident Timeframe).mpg
Directory: E:/XXXXXXX Exif Analysis/#Exiftool
File Size: 947 MB
File Modification Date/Time: 2020:12:22 19:49:59-05:00
File Access Date/Time: 2021:03:30 14:26:30-04:00
File Creation Date/Time: 2021:03:16 21:44:50-04:00
File Permissions: rw-rw-rw-
---- File ----
File Type: MPEG
File Type Extension: mpg
MIME Type: video/mpeg

The time and date displayed onscreen for this file is: 2020:11:26 12:25 AM to 2020:11:27 1:40 PM

My question is: Where is the onscreen time and time information being pulled from? Was it embedded into the .mpg file as it was being recorded, or is it stored as metadata?
Any assistance is greatly appreciated!!

StarGeek

All three of those timestamps are file system timestamps, part of the underlying operating system.

If you can't turn off the text as if they were closed captions, then any date/time shown on the video is hard burned into the video, like the opening credits of a movie.  It's not pulled from anything internal to the file.
"It didn't work" isn't helpful. What was the exact command used and the output.
Read FAQ #3 and use that cmd
Please use the Code button for exiftool output

Please include your OS/Exiftool version/filetype
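
As an added illustration of the point in the answer above (not code from the thread or from ExifTool): the Python sketch below shows that the modification time belongs to the file system entry, not to the file's bytes, so a plain export produces a byte-identical file with a new date. The file names, the sample payload and the recording time are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample data: an MPEG pack start code followed by filler bytes.
SAMPLE_PAYLOAD = b"\x00\x00\x01\xba" + bytes(4096)
# Constructed "recording" time used to back-date the original file.
SAMPLE_RECORDED_AT = datetime(2020, 11, 26, 12, 25, tzinfo=timezone.utc)


def sha256_of(path):
    """Hash the file content only; no file system metadata is involved."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copies(payload, recorded_at):
    """Write a file, back-date it, export it two ways, report hash and mtime."""
    with tempfile.TemporaryDirectory() as workdir:
        paths = {
            "original": os.path.join(workdir, "original.mpg"),
            "plain_export": os.path.join(workdir, "plain_export.mpg"),
            "preserving_export": os.path.join(workdir, "preserving_export.mpg"),
        }
        with open(paths["original"], "wb") as handle:
            handle.write(payload)
        stamp = recorded_at.timestamp()
        os.utime(paths["original"], (stamp, stamp))  # set atime and mtime

        # Content-only copy: the new file gets the time of the export.
        shutil.copyfile(paths["original"], paths["plain_export"])
        # Copy that also carries the source's mtime over, where supported.
        shutil.copy2(paths["original"], paths["preserving_export"])

        return {
            label: {"sha256": sha256_of(path), "mtime": os.stat(path).st_mtime}
            for label, path in paths.items()
        }


if __name__ == "__main__":
    for label, info in compare_copies(SAMPLE_PAYLOAD, SAMPLE_RECORDED_AT).items():
        when = datetime.fromtimestamp(info["mtime"], timezone.utc).isoformat()
        print(f"{label:18} {info['sha256'][:16]}  mtime={when}")
```

All three files hash identically, which is why a content hash of the exported video can be compared against the same stream carved from the forensic image regardless of what the file system dates say.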