Realising a Push Button Modality for Video-Based Forensics

: Complexity and sophistication among multimedia-based tools have made it easy for perpetrators to conduct digital crimes such as counterfeiting, modiﬁcation, and alteration without being detected. It may not be easy to verify the integrity of video content that, for example, has been manipulated digitally. To address this perennial investigative challenge, this paper proposes the integration of a forensically sound push button forensic modality (PBFM) model for the investigation of the MP4 video ﬁle format as a step towards automated video forensic investigation. An open-source multimedia forensic tool was developed based on the proposed PBFM model. A comprehensive evaluation of the efﬁciency of the tool against ﬁle alteration showed that the tool was capable of identifying falsiﬁed ﬁles, which satisﬁed the underlying assertion of the PBFM model. Furthermore, the outcome can be used as a complementary process for enhancing the evidence admissibility of MP4 video for forensic investigation.


Introduction
Information and communications technology (ICT) has taken over a substantial part of our lives and has brought about changes in our daily lives. Furthermore, the digital information that is stored in computers and multimedia devices is increasing, in particular multimedia content such as images, audio, and video. Video is one of the most significant groups of these multimedia data. However, as asserted in [1,2], the proliferation and ease of falsification of this class of multimedia data present a daunting challenge to society, thus further requiring the need for an advanced file fingerprinting mechanism [3,4]. Highlighting this notion, Reference [5] posited that the trustworthiness of a multimedia video is sacrosanct, the lack of a scientifically verifiable method notwithstanding. This challenge can be attributed to the complexity of editing software, which has also evolved to enable inexperienced users to manipulate the content of digital data (with little effort) with a high-quality output. As a consequence, questions regarding media authenticity are of growing significance, particularly in litigation where important decisions might be based on the reliability of the digital evidence [6]. A proper chain of custody, as well as a chain of evidence are also required to ensure the repeatability and possible expert presentation of a digital artefact [6][7][8].
The digital forensics discipline-the field saddled with the application of proven scientific methods to validate the reliability of digital artefacts [9,10]-has seen a steady growth in the number of professionals capable of extracting and verifying the authenticity

Background and Related Literature
Multimedia Forensics (MF) is a digital forensics sub-domain that applies scientific techniques across a variety of digital content (audio, video, photo, etc.) for electronic discovery [13,14]. Like computer forensics [15], it involves the discovery of the source and/or location of multimedia data from their file metadata. Additionally, MF is tasked with the extraction of useful information for authentication and identification; for example, forgery detection, similarities between images, and the rate of accurate detection of multimedia facets. Image forensics plays a vital role in proving the authenticity and integrity of digital images by attempting to detect forgeries such as copy-move, copy-paste, region duplication, forged region, and region replacement within an image [16]. Audio forensic analysis, on the other hand, is the process of collecting, examining, and reviewing audio recordings to extract facts that are admissible during litigation by a court of competent jurisdiction [17]. Audio forensics has several applications that could be linked to the acoustic environment or location where the audio was recorded, the identification of speakers and audio improvements, or the actual device used to record the audio file. Similarly, video forensics aims to evaluate the authenticity and integrity of a moving image and integrated audio stream (video content) through the analysis of inherent device characteristics or processing artefacts in the video data [18]. Basically, MF focuses on source identification and forgery detection. Whilst source identification focuses on identifying or inferring knowledge about the source of digital information, forgery detection attempts to uncover traces of falsification by assessing the authenticity of the digital content [19]. MF is able to achieve this goal by relying on the extraction of facts and evidence to authenticate the integrity of digital data [20]. Videos are made by converting a camera's electrical impulses and saving the information as digital media. The number of still images per video time unit is referred to as the frame rate. Clips in digital videos use about 12-30 frame rates per second, with 24 frames per second as the widely used frame rate (frame/s). The larger the number of frames, the smoother the video will appear. MP4 video, for instance, uses a sequence of pictures (discrete pixels) that can be continuously viewed to create the impression of motion, which manipulates the persistence of the perception of the human pictorial system [21].
These pixels can easily be represented by a number that uniquely identifies its overall value, which is easier for the computer to manipulate and store. Video falsification is a process of malicious modification of digital video content to obscure an entity or an event or change the meaning conveyed by the video; while video tampering detection aims to discover the traces of alteration and thereby evaluate the trustworthiness and integrity of the video file [22]. Insights into related studies on video forensics are further presented in the next paragraphs.
A large volume of research has proposed techniques and methods to confirm the trustworthiness and integrity of a digital video evidence. These techniques asserts that modifying the content of a video introduces specific artefacts that could be used for the alteration detection of a given video file. Detection techniques are classified as passive (blind) and active techniques [23]. According to [24], the availability of low-cost electronic multimedia devices and the high level of data processing capabilities have made video forensics increasingly important. Nevertheless, Reference [24] focused on discrepancies in video content using a human pictorial system through image resemblance measurement to find modifications in videos. This technique could readily detect alterations that are not noticeable to the human eye. The study in [25] reported that the accessibility of lowcost, portable, and highly usable digital multimedia devices has significantly increased the likelihood of location-less, network-related, or time-constrained digital multimedia. As a consequence, the authentication and verification of a given content have become increasingly difficult. The study further opined that this difficulty has several consequences when the digital content is used as a corroborating piece of evidence.
Similarly, the study in [26] proposed a video copy recognition system that is based on content fingerprinting that could also be used for the indexing and validation of video. The system uses a fingerprint extraction algorithm combined with a fast and approximate search algorithm to extract the compact content-based signatures from separate images of the video frames. Each of such images represents a short segment of the video and contains temporal, as well as spatial information about the video segment. The system extracts and pre-stores fingerprints of all the videos stored in the database. However, this approach only works for video with a very short length, thus making the approach inefficient for forensic investigation purposes. By limiting the investigation process to frame removals only, the study in [27] proposed a collection of automated frame removal or additional recognition techniques that considered changes in the P-frame prediction error of a video. This technique focuses on video codecs using a fixed-length group of pictures (GOPs) when compressing segmented frames in a video. Moreover, the result is only reliable if anti-forensics have not been applied to the video content. Leveraging the signal processing methodology, the studies in [25,28] inspected the effective approaches to reconstruct and authenticate the processing history of video data. The study asserted that most alterations are not revocable and leave some "footprints" in the reconstructed signals, which can be analysed to recognize the previous processing steps. However, empirical evaluation has shown that simple processing chains of a signal can be reconstructed with a negligible amount of modification to the signal, rendering the approach inefficient to check the footprint of the video content.
In an attempt to introduce an automation process (referred to as push button forensics), the study in [18] developed a system that explored the video stream of digital cameras and mobile phones in order to extract the file format structures. Upon successful extraction, the system then validated the structure with the original video file. Captured information included the origin of the file, recognizing the true device of the acquisition model, and the processing software that was used for the recording. Furthermore, it required an adapted file parser(s) to read and extract all obtainable file formats and metadata from the videos in the database created. This approach is a passive technique of detecting alterations in videos. The tendency to store all models or vendor-specific peculiarities of digital devices used for creating video content was a major limitation of the study. A similar study in [22] established a method for perceiving suspicious areas using noise characteristics in static scene videos (surveillance).
A noise level function (NLF) describes the variance in image signals of the irradiancedependent noise. The study used a probabilistic design approach, which regulated the noise characteristics at each pixel. Pixels in spliced areas were separated using the posterior maximum (MAP) estimation of the noise model where the NLFs were incompatible with the rest of the image. However, the study did not account for frame structures failure when the repeated frames were less than the calculated window size, especially when frame replication took place in a different order. Reference [29] also developed the VidentifierTM (VTM) Forensic system for automatically recognizing the modification of images and videos. VTM Forensic has two main features that are of interest to the multimedia community. First, it has a robust structure, precisely distinguishing difficult video alterations. Secondly, it is efficient, even on a very large scale. To recognize video modifications, VTM Forensic uses a mixture of a large-scale multidimensional NV-tree index and fine-grained local image descriptors. VTM Forensic is tolerant of many pictorial changes, including mirroring, camrips, compression, and subtitles. It, however, requires that the fingerprints of the authentic versions of the videos be stored in the database for assessment. The feasibility of creating a valid database for all original versions of video files cannot be ensured during a digital investigation. These studies attempted to develop viable alternatives for video forensics, albeit with inherent limitations. Furthermore, the forensic soundness of the push button forensic modality (PBFM) tools developed was ignored. To address these observed limitations, the current research proposed a forensically sound push button forensic (PBFM) tool for the investigation of the MP4 video file format. The file format selection hinged on a limited number of potential video file formats and the possibility of an exhaustive video file format integration.

Realising Push Button Forensics
As a step towards addressing this forensic reliability challenge, this study sought to promote the development of an automated video forensics process through a push button forensics modality (PBFM). The term PBFM is used to connote a forensically sound process implemented in a tool for conducting digital investigation. This process mainly includes corroborative evidence collection and pre-processing, as well as potential evidence analysis. A typical PBFM process defined for this study is further illustrated in Figure 1. Central to this illustration is the assurance of chain of custody and chain of evidence through a white-box testing approach. The decision to ascertain these attributes was considered essential for evidence admissibility and standardized forensic practice. Consequently, this process can potentially "reduce the case backlog while avoiding investigation biases and personal prejudice" [11]. Furthermore, the process considers the verification of the analysis methodology. In this regard, a formal approach that entails theoretical suppositions and logical reasoning can be used to substantiate the correctness of the analysis process.

Implementation Approaches
This section discusses the proposed PBFM approach, which is based on a file signature alteration technique that is capable of identifying potential modifications. A multi-tier architecture (n-tier), which is comprised of the presentation, logical, and data tiers, as shown in Figure 2, was adopted in this study. This architecture physically separates the application logic processing, data management roles, and presentation activities.
The presentation tier, as shown in Figure 2, which is the uppermost layer of the application, interconnects with the other two tiers of the application. It shows the data of the administered output content and the layer that users access through the graphical user interface (GUI). The logic tier (application tier, middle tier, or business logic) receives input from the presentation tier. It processes and controls the functionalities of the proposed application. On the other hand, the data storage tier is the data access layer that encapsulates the persistence mechanisms and exposes the data to the application tier. The storage mechanism allows for updates or changes without affecting the application tier clients.

Operational Framework
One core component of an automated forensics process, as highlighted in Figure 1, is the capability to ensure white-box testing. The combination of the tiered architecture and the process presented in Figure 3 was conceived of to address this focus. This further ensures that the software information domain and its component functions are fully understood, as are its behaviour, performance, and the interfaces required. An imputed Mp4 Video file is parsed for file signature identification and extraction. The extraction signature is then compared with a known signature. The report of this verification process is further hashed to ensure integrity verification. These are further explained in the following subsections.

Signature Extraction Mechanism
Tracing the forgery of a video file requires the identification of several parameters of the video file. Mostly, it becomes paramount for one to be able to prove that the file is a video file or whether there exists any enhancements or illegal processing using video processing tools. Figure 3 shows the flow of the video selection process. The file selection process identifies video-type media files, which is further verified to ascertain if the imputed sample is an accurate file format. The format in this context denotes the standard extension that identifies the file type. Upon successful identification of the desired file format, the data is parsed to the file signature extraction and comparison phase. Identification and extraction of the signature of a file comprise a forensic scheme that is performed at the preliminary stages, which allows one to match the content of the file against what may be residing in the database. A rather interesting concept in this approach is to identify the accidental or deliberate distortions or tampering. The file signature, in the context of this research, is identified as a key feature of video file. This is based on the supposition that each video file format has a specific frame content that corresponds to a unique hexadecimal value, otherwise known as its file signature. Known file signatures can, therefore, be stored in the repository. In the authors' in-depth analysis, distortions of the video signatures may arbitrarily hinder successful forensic discoveries. The theoretical basis and the corresponding algorithm for the signature extraction and comparison are presented in Section 3.2.2. Upon a successful match (or the converse), a corresponding forensic report is generated.

File Signature Identification and Extraction from MP4 Video
The MP4 video format (MPEG-4 Section 14, also known as MPEG-4 AVC, where AVC denotes Advanced Video Coding and MPEG refers to Motion Picture Expert Group) is one of the most common digital multimedia formats for storing video and audio. However, it can also be used to store other data such as subtitles and still images. The official file name extension for MPEG-4 Part 14 files is ".mp4", other extensions, most commonly ".m4a" and ".m4p", notwithstanding. MP4 is based on the ISO/IEC 14496-12:2004 standard, which in turn is based on the QuickTime file format. Its structure is similar to the QuickTime file format, with some additional features. An MP4 file has three sections: header (ftyp), video data (mdat), index information (moov), as shown in Figure 4. Furthermore, the MP4 format also consists of consecutive chunks. Each chunk of MP4 files includes an 8 byte header, a 4 byte chunk size (high byte first, big-endian), and a 4 byte chunk type. The hexadecimal composition of these chunks is further depicted in Figure 5. The first chunk of an MP4 file has a four byte chunk size at offset zero and a four byte chunk type.  From Figure 5, the offset locations 00 through 03 represent the size in a decimal value of the first chunk header. To extract the file signature, the hexadecimal values 00 00 00 18 are converted to decimal values, which correspond to 00 00 00 24. This is the size of the first chunk header in the sample MP4 file shown in Figure 4. The offset locations 04 through 07 represent the signature type (66 74 79 70) of the first chunk header of an MP4 file. These hexadecimal values are converted to ASCII values to obtain "ftyp". ftyp represents the first file signature type for every MP4 file, with details further depicted in Table 1. Furthermore, the first chunk of every MP4 file also has a signature sub-type defined at offset locations 08 through 11. When these hexadecimal values are converted to their corresponding ASCII values, one of the following signature sub-types is obtained: "avc1", "iso2", "isom", "mmp4", "mp41", "mp42", "mp71", "msnv", "ndas", "ndsc", "ndsh", "ndsm", "ndsp", "ndss", "ndxc", "ndxh", "ndxm", "ndxp", "ndxs".
A summary of these signature sub-types is further presented in Table 2. The offset location of the second chunk starts at the size defined by the first chunk. It has a four byte chunk size and a four byte chunk type. A breakdown of the file signature subtype using the second chunk is also considered. This is further illustrated in Figure 6.
From Figure 6, offset locations 00 through 03 (00 00 00 18) represent the size (24 in decimals) of the first chunk header. Thus, offset location 24 marks the start point of the second chunk. From the sampled MP4 file shown in Figure 6, offset locations 24 through 27 (00 00 24 CD) represent the size (9421 in decimals) of the second chunk. The next four bytes after the size represent the file signature type of the second chunk. These file signature types could be any of the types shown in Table 3.  The offset locations 16 through 19 and 20 through 23 are also considered a file signature sub-type, which could be defined by any of the signatures in the MP4 signature sub-type shown in Table 3. To determine the offset location of the third chunk for the MP4 sample file shown in Figures 5 and 6, the size of the first chunk is added to the size of the second chunk. In this case, the first and second chunk sizes are 24 and 9421 (both in decimals), respectively. Thus, the offset location of the third chunk is 24 + 9421 = 9445. Therefore, the offset locations 9445 through 9448 represent the size of the third chunk, while the offset locations 9449 through 9452 represent the file signature type of the chunk as defined in the file signature type table shown in Table 3. A summary depiction of the third chunk is shown in Figure 7.

Comparison Lookup Table
To aid the comparison process, this study developed a lookup table, which was then used to compute the authentication process of the file format structure and file signature based on the alteration differences typically observed between an altered file and its original version. A synopsis of the lookup sequence is further presented in Table 4. The sequence is an integration of the defined file signature sub-types for chunks 1, 2, and 3.  Table 3  2 Offset-x 16-19 Table 2  NIL  3 Offset-y 20-23 Table 2  NIL  4 Chunk 2 size-1 size-2 Table 2  NIL  5 Chunk 3 size (1 + 2) size-3 Table 2 NIL The sequence synopsis given in Table 4 is further described as follows: • Chunk: the chunk header information represents the order in which the chunk appears in the file, where chunk 1, chunk 2, and chunk 3 depict the first, second, and third chunks of the examined MP4 file, respectively. • Offset: an offset depicts the distance from the beginning of the file (when viewed in Hex format) where "0" is the index position zero and "size-1" is the index position of the first size of the chunk observed in the examined MP4 file. • Size: the size depicts the computed decimal value equivalent of the chunk's size, which consists of four octets. • Type: this depicts a predefined signature used for the identification of each chunk. • Sub-type: this depicts a predefined signature for identifying the sub-chunks of every chunk within the examined MP4 file.

Push Button Forensic Tool
A web-based video forensic tool, which provides the basic forensic functionality that is required for video forensic investigation, is presented in this section. Based on common practice in forensic examination, the developed system provides basic functionalities such as determining the video file format; identifying whether the video file has been manipulated or not; and identifying the manipulation/alteration techniques. The corresponding interface of the developed tool is shown in Figure 8 (the tool is available at https://github.com/mrzee498/Multimedia-Forensicator (accessed on 5 March 2021)). The tool uses a lightweight database as the storage location where the comparison mechanism gets a stored set of file signatures of the existing video format. Based on the various actions highlighted as the processes involving data input, different tables were designed to help store the information needed for such actions.
The user (forensic investigator) starts by choosing the type of multimedia file (in this case video) to be investigated. After a successful upload of the multimedia file, the user then performs the analysis by "pushing" the "Forensic Analysis" "button" shown in Figure 8. The result of the verification/authentication process is then displayed. The interpretation of the result is presented in Table 5.

Discussion
The increasing rate of multimedia devices and the demand for digital data call for a scientific and forensically proven approach to verify the authenticity of digital evidence presented in video content. This is necessary because forensic analysis plays an important role in criminal investigations and civil litigation cases when administered in a court of law. Forensic practitioners have researched several techniques and methods to verify the trustworthiness and integrity of the content of a digital video [23]. Some of the tools developed use different alteration detection techniques to authenticate digital video content, and examples of such tools include: the VidentifierTM (VTM) Forensic system for automatically identifying modification in images and videos, developed by Asmundsson and Lejsek [29]. The method used by VTM is a fingerprint-based extraction unit associated with the database server where the geometric and time-based properties of the extracted fingerprints are stored. The system requires that the fingerprints of the authentic videos be obtained and stored in the database to be used for assessing videos under investigation. However, a priori knowledge of digital content may not be available for forensic investigation. Therefore, this proves a limitation in the VTM forensic system given that obtaining the authentic version of all available video files may prove challenging.
Secondly, the study in [25] developed an approach to reconstruct and authenticate the processing history of video data. The study assumed that alterations are not revocable and that they leave some evidence in the reconstructed signals, which can be analysed to recognize the previous processing steps. However, according to [28], simple processing chains of a signal can be reconstructed without adding an excessive amount of modification to the signal, thus rendering the approach inefficient to check the integrity of the video content. The study in [27] proposed a collection of automated frame removals. This system achieved video authentication with a mathematical model of video frame removal and accumulation discovery techniques aimed at video codecs using a fixed length group of pictures (GOP) when compressing segmented video frames. The limitation of the outcome is that the method is only reliable if anti-forensic techniques have not been applied to the video content. Similarly, the study in [18] developed a passive technique of alteration detection that explores video streams and extracts file format structures of the videos from multimedia devices. The approach is based on recognizing the true device of the acquisition model or the processing software that was used for the recording and required adapted file parser(s) to read and extract all obtainable file formats' data and metadata from videos. Detecting video file structure information based on camera and mobile phone model specifics may not be effective in the future, because determining all models or vendorspecific peculiarities of digital devices used for creating video content is challenging.
Lastly, the study in [30] proposed an algorithm for detecting frame deletion in HEVCcoded videos that were classified by machine learning classifiers. The research employed the passive alteration detection technique of multimedia forensic methods. Results from the study revealed that learning-based classifiers were more efficient than model-based ones. Furthermore, the system had a limitation in forgery detection capabilities when the number of deleted frames doubled the number of groups of pictures (GOPs) in digital videos. This implies that videos falsified by experienced anti-forensic individuals will lure the system to a false negative report. A descriptive summary of these tools is further presented in Table 6.
While several tools have been developed with different alteration detection techniques, as reflected in the comparative analysis in Table 6, the file signature method of the active authentication technique as considered in this study presents a white-box paradigm. Authentication is used loosely, in this regard, to refer to the process of identifying and validating the file signature of the given MP4 file using the baseline Hex structure as the signature. This technique is considered the most effective of all the approaches examined [22]. It involves the process of extracting the unique digital structure of the file signature embedded at the point when video files are created. Moreover, altering the file in any manner deteriorates the embedded signature [21]. Furthermore, the white-box paradigm ensures that the reliability of the forensic process can be evaluated. This study did not presume any prior knowledge of the authentic versions of the video files under investigation, unlike other studies that attempted to extract fingerprints from the original versions of the videos. Furthermore, this study did not rely on the architectural structures of the file formats only or the acquisition devices, because anti-forensic techniques can falsify the structure and source of digital content, as proven in previous studies.
These studies applied diverse video alteration techniques, which can be summarized as frame insertion, frame deletion, frame and header substitution, metadata alteration, and header information alteration. Furthermore, video editing tools such as Hex editor, Adobe Premiere Pro (for timeline-based video editing), Freemaker video converter, Windows movie maker, EZGif, movie maker, Corel VideoStudio Ultimate, Magix Movie Edit Pro, OpenShot (available at https://www.openshot.org/ (accessed on 5 March 2021)), Atube catcher, Camtasia studio, and Adobe Spark are potential tools that can be explored to falsify video content. Recent advances that explore the deep learning approach in image alteration are also applicable. To further evaluate the effectiveness of the developed tool, Adobe Premiere Pro, Atube catcher, and Windows movie maker were used to perform MP4 file alteration. Three MP4 files were altered and then verified using the developed tool. The result, as shown in Table 7, supports the theoretical supposition presented in this study. [29] Finger-print-based extraction.
Efficient at a very large scale and accurately detects difficult video transformations.
The system requires prior knowledge of the original version of the digital content under investigation.
Obtaining the original versions of digital videos for investigation is quite challenging. An effective forensic tool should confirm the integrity of digital content without any prior knowledge of the original file. [25] Employed both forensics and video surveillance techniques to extract from the multi-camera system the trajectories of moving people to create a video forensic authentication tool.
Effective in retrieving people snapshot and trajectory information that could be of interest during the investigative process.
The research reconstructed processing chains of signals with the assumption that no excessive amount of modifications was made.
Reconstructing processing chains of signals leave some forensically detectable traces in the reconstructed signals, which can be analysed to render the data forensically contaminated. [27] Frame forgery detection of the multimedia passive authentication technique.
The developed system can automatically detect video forgeries with a high degree of accuracy if anti-forensics is not used.
The system only detects forgeries that involve frame deletion and addition techniques.
There are other numerous anti-forensic techniques (such as region shuffling, frame duplication, camera source forgery, etc.) that can be applied to digital videos aside frame deletion and addition to fool a forensic investigation. [21] Inter-frame forgery detection techniques using tamper traces from spatio-temporal and compressed domains.
Successful at forgery detection in frame shuffling, frame insertion, frame deletion, and frame duplication.
The system employs only the passive method of multimedia forensic analysis.
The system fails to authenticate digital videos when other anti-forensic techniques are applied. [30] Algorithm for detecting frame deletion in HEVC-coded videos, which are classified by machine learning classifiers.
Employed the passive alteration detection technique of multimedia forensic methods.
Findings from the research illustrate that learning-based classifiers are more robust and reliable than model-based classifiers.
The system remains robust only for in-frame deletion scenarios involving static scenes and effortlessly manipulated videos. While the system is only limited to frame deletion situations, anti-forensic methods could fool the system and render the authentication process abortive if other alteration techniques are employed.
The verification process presented in Table 7 shows that signature mismatch can be used to distinguish altered files irrespective of the alteration techniques applied. This study therefore presented the background for a reliable approach towards a PBFM platform. Such a platform is essential to address the growing deficit of skill shortage in developing nations. It is needless to highlight that the exodus of forensic experts from most developing nations, as well as the corresponding lack of competent forensic examiners could pose a consequential challenge to the global forensics community. The proposed tool, however, provides a fundamental basis for the admissibility and reliability of forensic artefacts, more specifically, complying with the reliability assurance process stated in Figure 1. Furthermore, there is a constant need to incorporate cost-savings mechanisms (forensic readiness) when it comes to digital forensics, which in the context of this study may be useful to an organization. This basically allows incidental planning as a solution of getting evidence when needed in order to reconstruct an event [31,32]. Additionally, the automation process of the tool ensures that every action taken by the user while using the tool is logged, and the resultant output of the analysis is carefully documented with a corresponding hash digest for both the logs and the analysis result. Through this, the result of the automation process can be verified by another examiner, when required, as asserted in [11,33].

Conclusions and Future Works
This study presented a technique for verifying MP4 video data integrity by authenticating the embedded digital signature. It also showed that the authentication of digital data is not strictly based on complex mathematics and algorithms. A video file can be authenticated by understanding the file structures and decoding the embedded digital signature at the point of creation. This research work presented a method for authenticating MP4 videos by creating a lookup table for the architectural structure and composition of the content. The developed system is a useful tool for digital investigations that will provide a simple user interface for multimedia forensics investigators. While this study did not provide an exhaustive lookup table of all possible video file formats, further study is currently under way to include all potentially available video file formats, as well as other multimedia file types in the developed tool. The tools was further conceptualized to provide a baseline for the development of push button forensics capable of enhancing forensics investigation in developing nations. Future work will also include other video file formats and the use of combined alteration detection techniques to make the tool more robust and sophisticated to span across various anti-forensic techniques.