/ 
/ 
— Browsing Safely ( Upload and analyse instantly — no registration or login required.
Choose how long your private report link stays active before it expires.
Available on clearnet, Tor (.onion), and I2P — use whichever suits your threat model.
21 image formats — 8 standard (JPEG, PNG, WebP, GIF, HEIC, AVIF, JXL, TIFF) and 13 camera RAW families. 350+ video variants including MP4, MKV, WebM and AVI.
1. Privacy
Location, identity, and personal information that can expose the subject, device owner, or capture context.
GPS & Location Data Images & Video
Extracts GPS data embedded by smartphones and cameras, including latitude, longitude, altitude, GPS timestamp, and the compass bearing at capture time. Displays a map link. Video GPS is parsed from ©xyz and udta atoms.
Face Detection Images
Runs a neural face-detector on the image to count and locate human faces. Even after stripping EXIF, the pixel content itself can identify people. Reports face count and likelihood grades.
Tracking & Unique Identifiers Images & Video
Identifies tags that can uniquely link a file to a specific device or owner: SerialNumber, LensSerialNumber, CameraOwnerName, OwnerName, and equivalent fields from manufacturer MakerNotes. These persist through re-saves that strip standard EXIF.
Device Identity & MakerNote Extraction Images
Decodes the manufacturer-specific MakerNote block from Canon, Nikon, Sony, Fujifilm, Panasonic, Olympus, Pentax, and Apple. These fields carry camera serial numbers, registered owner names, lens serial numbers, and firmware version — data that survives re-saves that strip other EXIF. Also decodes DNG private IFDs with OriginalRawFileName, RawDataUniqueID, and calibration provenance.
Date & Time Exposure Images & Video
Extracts all embedded timestamps including EXIF DateTimeOriginal, DateTimeDigitized, XMP history dates, and video creation/modification atoms. A recipient can determine when and where (via timezone offset) a photo was taken even if GPS is absent.
Comments, Descriptions & Authoring Images & Video
Extracts free-text fields from EXIF, IPTC, XMP, and video tags: ImageDescription, UserComment, Artist, Copyright, XPAuthor, XPComment, and video ©ART/©nam fields. Windows Explorer silently writes the logged-in username into XPAuthor.
Text in Video Frames Video
Runs OCR on sampled frames to detect visible text embedded in the video pixel stream: timestamps burned into surveillance footage, channel watermarks, location overlays, or subtitle burn-ins that could identify the source device or location.
Embedded Thumbnails Images & Video
Extracts embedded thumbnails from EXIF ThumbnailOffset and video cover-art atoms. When the main image is edited (e.g., faces blacked out), the original thumbnail is often left intact — revealing the pre-edit content to anyone who extracts it.
GPS Timezone Triangle Images
Reverse-geocodes the embedded GPS coordinate to determine the expected local timezone, then compares it against the EXIF DateTimeOriginal. Impossible combinations — e.g., GPS places the photo in Tokyo but the timestamp is midnight UTC in winter (JST+9) — are flagged as strong signals of metadata editing or GPS spoofing. Uses timezonefinder with no external API dependency.
2. Origin
Evidence that a file came directly from a capture device rather than being re-encoded, converted, or generated by software.
Original Photo / Video from Camera Images & Video
Evaluates a combination of signals — presence of MakerNote, original file name structure, GPS correlation, encoding chain, and absence of re-encoding artefacts — to give a holistic verdict on whether this is likely a direct camera capture or a processed/re-encoded file.
DQT JPEG Encoder Fingerprinting Images
Analyses the Define Quantisation Table used by the JPEG encoder. Every major encoder (camera firmware, Photoshop, GIMP, Lightroom, iOS, Android) uses a characteristic DQT pattern. Matches against a growing fingerprint database to identify the last encoder in the chain.
DQT Thumbnail Cross-Check Images
Compares the DQT fingerprint of the main JPEG image against the DQT fingerprint of the embedded EXIF thumbnail. Cameras write both using the same firmware quantisation tables. When the main image is opened and re-saved by Photoshop or another editor, the main DQT changes while the camera thumbnail DQT remains — a reliable re-save signal with near-zero false positive rate.
Progressive JPEG Encoding Detection Images
No camera firmware produces progressive JPEG — every camera uses baseline sequential encoding (SOF0). Progressive JPEG is exclusively produced by optimisation tools (ImageMagick, jpegoptim, jpegtran, web CDNs) and certain editing workflows. A SOF2 marker is therefore a definitive re-encoding signal.
Chroma Subsampling Analysis Images
Camera firmware uses a small set of known chroma subsampling ratios specific to each manufacturer. Software encoders (Photoshop, web tools, mobile apps) use different default ratios — notably 4:4:4 at high quality and 4:2:0 at low quality. The subsampling ratio, combined with DQT tables, provides a two-factor encoder fingerprint.
Video Encoder Fingerprinting Video
Analyses bitstream structure and metadata tags like ©too, ©swr, and Encoder to identify the true underlying encoder. Matches against a fingerprint database of FFmpeg, HandBrake, DaVinci Resolve, Premiere, VLC, and mobile/camera encoders. Flags known desktop tools as evidence of post-capture processing.
C2PA Content Credentials Images & Video
Detects and parses C2PA (Coalition for Content Provenance and Authenticity) manifests embedded by cameras (Leica M11-P, Sony), Adobe products, and AI generators (DALL-E, Midjourney via Adobe Firefly). A manifest records the capture device, software applied, and a cryptographic assertion chain. Presence of a manifest is itself a strong origin signal.
Camera RAW Private Tag Analysis Images
Adobe DNG files carry private IFD0 tags that reveal the original RAW filename before DNG conversion (OriginalRawFileName), a 16-byte unique capture ID (RawDataUniqueID), and calibration signatures. Canon CR2 carries the full Canon MakerNote plus the CR2Slice strip geometry. Canon CR3 stores metadata in CMT1–CMT4 ISOBMFF boxes inside moov — EXIF, Canon MakerNote, and GPS are each in a separate box. These fields are invisible in standard EXIF viewers.
AVI ISFT Encoder Leak Video
AVI files carry an optional RIFF LIST INFO block with an ISFT (Software) tag written by the muxer. FFmpeg writes Lavf58.x, VirtualDub writes its own version string, OBS writes obs-output. The codec FourCC from the stream header is also fingerprinted — MJPEG indicates a webcam or IP camera; XVID/DIVX indicates legacy PC encoding.
H.264 SPS Profile & Level Extraction Video
Parses the H.264 Sequence Parameter Set (SPS) from CodecPrivate in MKV tracks. Extracts profile_idc (Baseline / Main / High / Extended), level_idc, and constraint flags. Consumer camera firmware never produces Extended or Scalable profiles — their presence in a file claiming to be an unedited phone capture flags a re-encode.
XMP Namespace Tool Fingerprint Images
Every XMP writer registers its own namespace URI and writes a characteristic set of properties. Photoshop leaves photoshop:History, Lightroom leaves lr: namespace, iOS Photos leaves apple_desktop:. The combination of namespaces present is a reliable tool fingerprint even when the xmp:CreatorTool field has been cleared.
Serial Number Format Verification Images
Each camera manufacturer uses a documented serial number format and length. Canon uses 10-digit numerics; Nikon DSLR/mirrorless models use 7 or 10-digit numerics while compact models use 8 or 9-digit numerics; Sony uses a 9-digit alphanumeric. A serial number that doesn't match the expected format for the declared Make/Model is a strong indicator of metadata forgery.
Temporal Plausibility Check Images
Cross-references the EXIF DateTimeOriginal against the known release date of the camera model declared in Make/Model. A photo claiming to have been taken in 2019 by a camera released in 2022 is impossible — a clear sign of metadata forgery or device-field manipulation.
Huffman Table Fingerprinting Coming Soon Images
Beyond DQT tables, the Huffman coding tables embedded in a JPEG DHT segment are characteristic of the encoder that wrote them. Camera firmware uses optimised custom tables; standard encoders use JPEG Annex K default tables. A mismatch between DQT and DHT origin is evidence of partial re-encoding.
C2PA Cryptographic Validation Coming Soon Images & Video
Goes beyond detecting a C2PA manifest to cryptographically verifying the signature chain. A manifest can be copied from a genuine file into a forged one — only signature verification using the issuer's public key proves the manifest is authentic and covers the actual file content via the bound hash.
3. Manipulation
Statistical, frequency-domain, and bitstream analysis for signs of pixel editing, compositing, re-encoding, or timeline modification.
Error Level Analysis (ELA) Images
Re-compresses the image at a known quality and measures per-pixel differences. Authentic JPEG images show uniform error across the frame; modified regions compress differently from the surrounding original and appear as bright artefacts on the ELA map.
Histogram Gap Analysis Images & Video
Analyses the colour/luminance distribution. Brightness or contrast adjustments, and re-saves at different quality, leave characteristic zero-bins ("gaps") or comb patterns in the histogram. A continuous histogram is expected from a camera original; gaps indicate processing steps.
Double JPEG Compression Probe Images
Analyses the re-compression error curve across multiple quality factors. When a JPEG is edited and re-saved, a statistical ghost of the original quality factor appears in the error curve — a robust signal that survives even substantial image modifications.
JPEG Ghost — Prior Save Quality Images
Sweeps every potential quality factor (1–100) and computes the residual error at each step. A sharp minimum in the error curve identifies the exact quality factor at which the image was originally compressed — even if it has since been re-saved at a different quality.
Clone / Copy-Move Detection Images
Searches for regions that are identical or near-identical to other regions within the same image. Clone-stamp, healing brush, and content-aware fill operations all leave mathematically similar blocks. The detection works even if cloned regions have been slightly blurred or colour-shifted.
Resampling & Interpolation Detection Images
Resampling introduces periodic correlations between neighbouring pixels that leave a detectable frequency-domain pattern. Analysing these correlations identifies up-scaled or rotated images masquerading as high-resolution originals, or composited regions at a different scale.
Thumbnail vs Main Image Mismatch Images
Compares the embedded EXIF thumbnail to the main image pixel content. When a main image is replaced (e.g., a different photo swapped in while retaining the original metadata), the thumbnail retains the original and mismatches the main — a definitive forgery signal.
Metadata Field Consistency Cross-Check Images
Compares metadata fields that should agree: EXIF vs XMP timestamps, GPS timezone vs datetime offset, orientation tag vs image dimensions, flash tag vs focal length. Each inconsistency indicates a field was edited independently of others — a pattern not produced by cameras.
Orientation & Flash Tag Consistency Images
The orientation tag should agree with image dimensions (a portrait image should have portrait orientation). The flash tag should be plausible for the reported focal length and exposure values. Metadata editors that change one field without updating related fields leave detectable inconsistencies.
GOP (Group of Pictures) Structure Analysis Video
Analyses the keyframe (I-frame) interval distribution. Camera-encoded video has a consistent, regular GOP structure. Edited videos often have irregular intervals, broken GOPs at splice points, or atypical keyframe spacing produced by re-encoding tools. Measures standard deviation of GOP size as a quantified irregularity score.
Inter-frame Tampering — Spike Analysis Video
Measures the statistical difference (MSE) between adjacent sampled frames across the video. Authentic footage shows a gradual, continuous change. Tampered videos show abrupt "spikes" at edit points where two non-contiguous segments have been joined. Spike count and magnitude determine the verdict severity.
Frame Duplication & Freeze Detection Video
Searches for duplicate or near-duplicate frames using perceptual hashing (pHash). In natural footage, consecutive frames always differ. Frozen frames — where content is repeated — are produced by frame insertion, conversion artefacts, or deliberate duplication to cover for removed content.
Audio Codec & Sample Rate Forensics Video
Analyses audio track metadata from MP4 (stsd box) and MKV track headers without decoding the audio stream. Consumer cameras universally record at 48 kHz; a 44.1 kHz sample rate is the CD and music studio standard and strongly indicates the audio was replaced after capture. Dolby Digital (AC-3/E-AC-3) is a broadcast distribution codec not written by consumer cameras. Opus audio inside an MP4 container indicates re-muxing with an internet-streaming or VoIP tool.
Edit List (elst) Analysis Video
Parses the internal Edit List atom (elst) in MP4/MOV containers, which instructs players to skip or delay media data. Multiple edit segments with non-zero media offsets indicate the video was assembled from non-contiguous portions of the original stream — strong evidence of trimming or splicing.
AVI Header Integrity Checks Video
The AVI main header (avih) stream count and frame rate must match the actual strl stream blocks and per-stream strh rate. A mismatch reveals partial re-muxing, truncation, or two-tool editing. The ICRD creation date in the INFO block is extracted and compared with filesystem metadata.
HDR Metadata as Tampering Signal Video (MKV/WebM)
Parses ColourPrimaries, TransferCharacteristics (PQ/HLG), MaxCLL, and MaxFALL from MKV and WebM video tracks. HDR10 metadata in a VP8 stream is physically impossible — VP8 predates HDR colour models. SDR characteristics paired with SMPTE ST 2086 mastering data is equally invalid and signals a professional post-processing pipeline.
Anti-Forensics Detection Images
Identifies files that have been processed by metadata-stripping tools to remove forensic evidence. Recognises patterns left by MAT2 (Metadata Anonymisation Toolkit), ExifTool batch-stripping (near-empty XMP envelopes, APP1 blocks under 100 bytes), JFIF and EXIF marker coexistence that indicates metadata re-writing, and complete metadata absence in PNG files that typically carry software signatures. Also detects reset-timestamp patterns where all date fields are identical — a common artefact of timestamp-wiping tools.
Noise Inconsistency Detection Images
Analyses the sensor noise field of the image using 3-level db8 wavelet decomposition. Authentic photographs have a spatially uniform noise profile from a single sensor. Composited images contain regions from different sources and show localised noise inconsistencies — measured by the coefficient of variation of per-region MAD estimates across the finest-scale diagonal subband.
Printer Artifact Detection (FFT) Images
Applies 2D FFT analysis to detect the periodic halftone pattern introduced by inkjet and laser printing. A printed and re-scanned image shows a characteristic frequency-domain peak in the radial power spectrum from the printer dot matrix — absent in purely digital images. The peak-to-mean ratio of the azimuthally-averaged spectrum is measured against a threshold.
NSS Benford Analysis Images
Natural Scene Statistics (NSS) predict that the leading digits of JPEG 8×8 block DCT AC coefficients follow Benford’s Law (Benford 1938). Heavily processed or synthetic images deviate from the expected digit distribution. A chi-squared test against the expected Benford probabilities (8 degrees of freedom) measures the deviation across all blocks.
JPEG Block Grid Alignment Images
JPEG compression divides the image into an 8×8 pixel block grid anchored at the top-left corner. When a region from a different image is pasted in — or when the image has been cropped to a non-8-pixel boundary — its block grid is offset relative to the background. Detecting this misalignment reveals splice boundaries even when visual editing is seamless.
Audio Track Anomaly Detection Video
Examines the audio track codec and sample rate reported in the container metadata. Consumer cameras record in AAC or PCM at 48 kHz. Cinema-grade codecs (AC-3, E-AC-3) and unusual container pairings (Opus in MP4) indicate post-production replacement. A 44.1 kHz sample rate (CD / studio standard) is characteristic of audio that was recorded outside the camera and added in editing.
Audio Splice & Discontinuity Detection Coming Soon Video
Analyses the audio waveform for abrupt energy changes, phase discontinuities, and background noise inconsistencies that indicate edit points in the audio track. Audio splicing is often used to fabricate conversations or remove incriminating content while keeping the video track intact.
4. Security
Hidden data channels, steganographic payloads, and concealed embedded content that exist outside standard metadata blocks.
LSB Steganography Detection Images
LSB (Least Significant Bit) steganography encodes a payload by modifying the least significant bits of pixel colour channels — changes invisible to the human eye. Statistical analysis of bit-plane distributions, chi-square tests, and RS (Regular/Singular) analysis detect the bias introduced by hidden payloads.
Digital Watermark Detection Images & Video
Runs a perceptual watermark detector looking for signatures of common invisible watermarking systems (StegaStamp, Stable Signature, and commercial SD watermarking schemes used by Adobe, Shutterstock, and other stock platforms). Invisible watermarks can uniquely identify the original licensee even after heavy editing.
Polyglot / Hidden Archive Detection Images
A polyglot file is crafted to be parsed as two different formats simultaneously — the classic example is a JPEG that is also a valid ZIP archive (and can contain any payload). This technique is used to bypass file-type filters. Tests for JPEG+ZIP, JPEG+PDF, PNG+ZIP, and other common polyglot combinations by checking for valid secondary format headers within the file.
Trailing Data (Overlay) Detection Images
Checks for data appended after the standard End-Of-Image marker (FFD9 for JPEG, IEND for PNG). This technique — used to conceal ZIP archives, PDFs, executables, and other files — is the simplest form of image-based data hiding. The appended data is typically invisible to image viewers but accessible to file utilities.
Free / Skip / Wide Box Detection Video
free, skip, and wide boxes in the MP4/MOV container are reserved for padding but can be used to embed arbitrary data within a valid video file. Their content is ignored by all players. Unlike trailing data, this technique hides the payload inside the container structure itself.
DRM & Encrypted Track Detection Video
Identifies internal encryption markers in MP4 (pssh boxes, sinf/schm/schi scheme atoms) and MKV (ContentEncoding with Encryption type). Reports the specific DRM system detected: Widevine, PlayReady, FairPlay, or generic encryption. DRM-packaged content cannot have originated directly from a camera.
MKV Attachments Detection Video (MKV)
The Matroska container allows an Attachments element that can carry any file type — fonts, thumbnails, documents, or arbitrary data. Unlike standard metadata, attachments can be large and are not rendered by video players, making them a covert data channel. WebM explicitly prohibits attachments; their presence in a WebM file is also a schema violation.
Binary String Extraction Images
Scans the JPEG binary data before the Start-Of-Scan marker for printable ASCII sequences matching URLs, email addresses, filesystem paths, and IP addresses — content unlikely to appear in genuine camera EXIF and that may indicate embedded payloads, tool attribution, or hidden communication channels.
5. Format & Structure
Container integrity, format-level validation, and informational metadata analysis across image and video formats.
Privacy Category Taxonomy Images & Video
A classification engine that groups thousands of metadata tags into high-level categories — GPS, Device, Tracking, DateTime, Author, Comments, Text, Copyright — ranked by privacy risk severity. Transforms raw tag dumps into a prioritised privacy audit with plain-language risk explanations for each category.
Advanced Forensic Markers & Edit History Images
Deep inspection of high-signal metadata blocks: XMP xmpMM:History records every save operation with timestamps and software versions; Adobe photoshop:ICCProfile reveals colour space conversions; PNG tEXt/iTXt chunks carry software identifiers and creation timestamps that survive format conversion.
Hidden Animation Stream Detection Images
Parses animated image formats to find frames too short for the human eye to see — including GIF frames with delays of ≤10 ms and non-looping frames that appear only once at imperceptible speed. Single-frame GIFs and WebPs that declare animation metadata are flagged for manual inspection.
JPEG XL Repack Detection Images
JXL supports lossless JPEG recompression — the original JPEG bitstream is stored verbatim inside the JXL container. A jbrd box means the submission is a repacked JPEG, not a native JXL capture from a camera. The original JPEG can be reconstructed byte-for-byte from the wrapper, which means any original JPEG forensic signals are preserved inside.
Container Offset Tampering Video (MKV/WebM)
Validates the SeekHead element directory — an internal map that declares the exact byte position of every top-level block. If any declared position doesn't match the actual position in the file, bytes have been inserted, removed, or the file was re-packaged by a tool that didn't update the index.
Mislabelled Container Detection Video (WebM)
WebM is a strict subset of Matroska — only VP8, VP9, or AV1 video and Vorbis or Opus audio, with no Chapters or Attachments elements. A file declaring DocType=webm but containing Matroska-only content was relabelled after creation, either by a re-mux tool or deliberately.
Document Steganography & Extraction Coming Soon
PDF and DOCX containers embed images and videos verbatim as binary streams. Deep inspection surfaces every embedded media stream and runs the full forensic pipeline on each one. PDF also has a structural steganography surface — hidden objects, unused cross-reference entries, and incremental update layers that survive standard viewers.
Frequently Asked Questions
Technical questions about how the forensic analysis checks work.
Ready to analyse your media?
Start your deep analysis now and expose what's hidden.
Analyse Photos » Analyse Videos »Want to protect your media after analysing it?
Hide & Conceal with Vaultify → Learn more about Vaultify →