Forensic field glossary

What this page is for

When ExistBefore extracts metadata from a file, the result is a list of technical fields: dateTimeOriginal, producer, exifByteOrder, and so on. This glossary explains, in plain language, what each field reveals to a forensic analyst — and which combinations are integrity signals worth investigating.

Catalog version: existbefore-rationale-v2. Each entry has a stable anchor (#field-name) so the in-app tooltips, the PDF certificate footer, and external tooling can deep-link to it. Catalog parity with the canonical metadata catalog (existbefore-metadiff-v1) is verified at build time.

The absence of a finding is not proof of authenticity. These fields document evidence; they do not issue verdicts.

File basics

File size sizeBytes
Total file size in bytes as observed by the browser. Cross-references with declared content (page count, dimensions, duration) to flag truncated or padded files; a size that disagrees with prior revisions of the same logical document signals re-encoding or content drift.
MIME type mimeType
Internet media type declared for the file (e.g. image/jpeg, application/pdf). Used together with the raw header (first 64 bytes) to detect MIME-spoofing attacks (see F19), where a hostile file claims one type while its bytes match another.

Capture & device

Capture timestamp dateTimeOriginal
The exact moment the camera firmware recorded the photo. Cameras write this once, at capture, and editors typically preserve it. Mismatch with file system timestamps or with XMP/IPTC dates is a strong forensic signal.
EXIF digitization timestamp dateTimeDigitized
Moment the analog source (film, scanner) was converted to digital, or — for native-digital captures — the moment the camera firmware finalized the image. For digital cameras it usually equals dateTimeOriginal; large divergence is a strong signal of post-capture manipulation.
EXIF file timestamp dateTime
Last modification timestamp written into the EXIF header (often by an editor on save). Distinct from dateTimeOriginal, which records the capture moment. A file timestamp newer than the capture timestamp is normal for edited files; the inverse is logically impossible (see F03).
Camera vendor make
Vendor declared by the camera firmware. Combined with model and EXIF byte order, it fingerprints the device. A vendor that disagrees with the EXIF byte order it normally writes (see F21) suggests the EXIF block was re-encoded or the field was forged.
Camera model model
Model declared by the camera firmware. Cross-references with vendor and known capture defaults; useful in chain-of-custody analysis when comparing several photos that should come from the same device.
Last writing application software
Application that wrote the EXIF block. Camera firmware names (e.g. "Apple iOS 17.5") indicate an unedited capture; image editor names (Photoshop, Lightroom, GIMP, Affinity) indicate a derivative work. Disagreement with XMP creator tool signals a multi-tool chain of custody.
XMP creator tool xmpCreatorTool
Application that wrote the XMP block. Usually the editor that last saved the file. Independent of the EXIF software field; comparing the two reveals whether a single tool or a chain of tools touched the file (see F20).
EXIF byte order exifByteOrder
EXIF blocks are tagged either little-endian (Intel, II) or big-endian (Motorola, MM). Each camera vendor has a stable native order. Disagreement between the byte order and the claimed vendor (see F21) is consistent with downstream re-encoding or a forged Make field.
EXIF orientation flag orientation
How the image should be rotated/mirrored for display, written by the camera based on the gravity sensor at capture. Cosmetic rather than forensic, but a value that disagrees with the visible orientation may indicate a re-saved file whose pixels were rotated without updating the flag.
EXIF flash status flash
Whether the camera flash fired at capture, and how (auto, forced, suppressed, red-eye reduction). Combined with exposure parameters, it documents lighting conditions; a flash-fired flag on a brightly-lit outdoor scene is unusual but not by itself indicative of tampering.
EXIF white balance mode whiteBalance
Auto vs manual white-balance setting at capture. A capture parameter for forensic completeness; useful when comparing several photos from the same alleged session to confirm consistent camera configuration.
EXIF exposure mode exposureMode
Auto vs manual exposure setting at capture. A capture parameter for forensic completeness; combined with ISO, aperture, and shutter speed it characterizes how the camera was configured at the moment of capture.
EXIF ISO sensitivity iso
Sensor sensitivity setting at capture (e.g. 100, 800, 6400). Capture parameter; cross-references with shutter speed and aperture to validate consistency. Editors that strip and re-write the EXIF block sometimes lose this value.
EXIF f-number (aperture) fNumber
Lens aperture at capture (e.g. f/2.8, f/8). Capture parameter recorded by the camera; useful in chain-of-custody analysis when comparing photos that should come from the same lens or session.
EXIF exposure time (shutter speed) exposureTime
Shutter speed at capture (e.g. 1/250 s). Capture parameter recorded by the camera; combined with f-number, ISO, and focal length it forms the exposure triangle visible in image-EXIF cross-checks.
EXIF focal length focalLength
Lens focal length at capture, in millimetres of the sensor's native format. Useful when verifying the lens used; an abrupt change between consecutive frames of a single session is unusual but not by itself a tampering signal.
EXIF lens model lensModel
Manufacturer-declared lens identifier (e.g. "EF24-70mm f/2.8L II USM"). Cross-references with focal length and aperture range; a lens that does not exist or is incompatible with the declared camera body is a strong tampering signal.
EXIF color space colorSpace
Color profile assigned by the camera or editor (sRGB, Adobe RGB, ProPhoto). Forensically informational; an unexpected color space (e.g. ProPhoto on a smartphone capture) is consistent with a desktop-editor round-trip.
IPTC capture date iptcDateCreated
Capture date stored in the IPTC IIM block, often used by photo agencies and newsrooms. Mismatch with EXIF DateTimeOriginal beyond 24 hours (see F01) suggests manual editing or partial metadata rewrite.
XMP create date xmpCreateDate
Creation date stored in the Adobe XMP block. Mismatch with EXIF DateTimeOriginal beyond 24 hours (see F02) is a re-encoding or tampering signal.
XMP edit history xmpHistory
Chain of edit actions recorded by Adobe-compatible tools. Useful provenance signal — its presence is not a tampering indicator by itself, but it documents what was done to the file and when.

Editorial metadata (IPTC)

IPTC headline iptcTitle
Short headline written into the IPTC IIM block, often added by photo agencies and editorial workflows. Mismatch with XMP title (see F20) signals a multi-tool chain of custody where each tool wrote into its own metadata block.
IPTC caption iptcCaption
Long-form caption from the IPTC IIM block, typical of newsroom and stock-photo workflows. Its presence indicates a curated/published image rather than a raw camera capture.
IPTC keywords iptcKeywords
Keyword tags from the IPTC IIM block, used by digital asset management systems for search and categorization. Their presence signals a managed editorial workflow; absence is normal for camera originals.
IPTC author / by-line iptcAuthor
Photographer or author credit from the IPTC IIM block (the "by-line" field). Cross-references with XMP creator and EXIF author; disagreement signals a multi-tool chain of custody or a delegated re-export.
IPTC copyright notice iptcCopyright
Copyright string written into the IPTC IIM block, often added at editorial export. Independent of XMP copyright; the two should usually agree, and disagreement may indicate a partial re-write of the metadata blocks.
IPTC credit line iptcCredit
Credit line (e.g. "Photo: Reuters / Joe Smith") from the IPTC IIM block. Editorial provenance signal; useful in fact-checking workflows when verifying the claimed source of an image.
IPTC source iptcSource
Original source/agency identifier from the IPTC IIM block (distinct from the credit line). Editorial provenance signal; disagreement with the credit line is unusual and worth noting.
IPTC city iptcCity
City of capture from the IPTC IIM block, typically added in editorial post-processing. Privacy-sensitive location signal; cross-references with GPS coordinates, and a divergence between the two is a strong indicator of metadata editing.
IPTC state / province iptcState
State or province of capture from the IPTC IIM block. Privacy-sensitive location signal; combined with city and country it gives a coarse geographic claim that should be consistent with GPS when both are present.
IPTC country iptcCountry
Country of capture from the IPTC IIM block, typically a 2-letter ISO code or full name. Privacy-sensitive location signal; cross-references with GPS coordinates to validate the claimed geographic context.

XMP metadata

XMP creator xmpCreator
Photographer or author credit from the XMP block (Dublin Core dc:creator). Independent of IPTC author and EXIF artist; the three usually agree on a camera original and may legitimately diverge on a multi-tool edited file.
XMP modify date xmpModifyDate
Last modification timestamp from the XMP block. Distinct from xmpCreateDate and from EXIF dateTime; mismatch with the file system modification date can indicate the file was metadata-edited without rewriting the bytes.
XMP rating (1–5 stars) xmpRating
User rating from 1 to 5 stars (or -1 for rejected) from the XMP block. Indicates the file passed through a digital asset management workflow; cosmetic rather than forensic, but its presence rules out a raw camera capture.
XMP color label xmpLabel
User-assigned color label (e.g. "Red", "Green") from the XMP block. Used by Lightroom and similar DAM tools to mark workflow status. Indicates the file passed through such a workflow.

Location

GPS coordinates gps
Latitude and longitude embedded in the EXIF GPS block. High-fidelity location data — consider whether to publish the file with these still embedded (the "Include GPS" toggle removes them from the certificate; see F15).
GPS date stamp gpsDateStamp
Day-precision UTC date associated with the GPS fix. When it disagrees with EXIF DateTimeOriginal beyond 24 hours (see F17), GPS may have been injected after capture or the EXIF date may have been rewritten in isolation.

PDF documents

Page count pages
Number of pages in the document. Useful as a baseline integrity check: a page count that disagrees with what you expect to receive can indicate a swapped file.
PDF version pdfVersion
PDF specification version declared in the file header (e.g. "1.4", "1.7", "2.0"). Useful for reader compatibility; a version that disagrees with the producer's expected output may indicate a re-save through a non-default toolchain.
PDF producer producer
Library that wrote the PDF bytes. Distinct from the creator (the application that originated the content). Examples: "Adobe PDF Library 17.0", "Skia/PDF m120". Sudden changes between revisions of the same document indicate a re-save through a different toolchain.
PDF creator creator
Application that originated the PDF content. Examples: "Microsoft Word", "LibreOffice", "Pages". A creator that disagrees with the producer is normal (Word generated, then re-saved by Acrobat) but worth noting in chain-of-custody analysis.
PDF author author
Document author from the PDF Info dictionary. Self-declared and trivially editable; useful as a chain-of-custody hint but never as proof of authorship. Often left as "Unknown" or the system username of the machine that exported the PDF.
PDF title title
Document title from the PDF Info dictionary. Often defaults to the filename of the source document; an empty or system-default title is normal, while a custom title indicates the author actively set it during export.
PDF subject subject
Document subject from the PDF Info dictionary (a short summary of contents). Rarely populated; its presence indicates the author actively used document properties during export.
PDF keywords keywords
Comma-separated keyword list from the PDF Info dictionary. ExistBefore certificates also store machine-readable structured data here ("existbefore-pdf-meta-vN"); their absence on a real-world PDF is normal.
PDF creation date creationDate
Timestamp the document creator wrote into the PDF Info dictionary. Not signed; trivial to back-date. Useful as a self-declared anchor only — combine with the ExistBefore attestation timestamp for trustworthy temporal evidence.
PDF modification date modificationDate
Timestamp of the last save. When this precedes the creation date (see F03), the metadata is logically impossible and has been forged or reset.
PDF encryption encryption
Indicates the PDF is protected by a password, an owner permission, or a DRM scheme. Informational signal only; encrypted PDFs may still have all the forensic anomalies of unencrypted ones.
PDF fast-web-view (linearized) linearized
Linearized PDFs are reorganized so the first page can be displayed before the entire file is downloaded. Common in web-served PDFs; absence is normal for PDFs produced by office suites.
PDF embedded JavaScript javascript
Whether the PDF contains active JavaScript (forms, animations, dynamic behaviour). A security and authorship signal: static documents rarely need JavaScript, and its presence (see F07) warrants inspection in a sandboxed reader.
PDF embedded files embeddedFiles
Whether the PDF carries other files inside (attachments, source data). Common in technical documents that bundle their source spreadsheet; their presence (see F09) warrants inspection because attachments can carry executables or sensitive data.
PDF form fields formFields
Whether the PDF includes interactive AcroForm or XFA form fields. Indicates a form/template document rather than a static report; cosmetic rather than forensic, but useful when verifying the document type.
PDF annotations annotations
Whether the PDF has annotations (sticky notes, highlights, ink, comments). Indicates the file went through an annotation/review workflow after creation; cosmetic rather than forensic but useful chain-of-custody context.
PDF incremental updates incrementalUpdates
Whether the PDF carries one or more incremental updates (revisions appended to the original bytes). Their presence (see F08) means the file was modified after initial creation and the previous revision is recoverable from the byte stream.

Media (audio & video)

Media duration duration
Total playback duration of the media file (audio or video) in seconds. Useful as a baseline integrity check: a duration that disagrees with the expected content length may indicate a truncated or extended file.
Media codec codec
Compression scheme used by the media file (e.g. H.264, H.265, AAC, Opus). Useful when verifying the toolchain that produced the file; an unusual codec for the declared device is consistent with a re-encoding step.
Video codec videoCodec
Video stream compression scheme (e.g. H.264 / AVC, H.265 / HEVC, AV1, VP9). Independent of the audio codec; abrupt changes between segments of a single source file are consistent with a re-encoding chain.
Audio codec audioCodec
Audio stream compression scheme (e.g. AAC, Opus, MP3, FLAC). Independent of the video codec; useful when validating that an audio-video file came from the expected toolchain.
Video framerate framerate
Frames per second of the video stream (e.g. 24, 25, 29.97, 60). Capture parameter recorded at encoding time; cross-references with the declared device to validate that the framerate is one the device natively supports.
Media bitrate bitrate
Average bitrate of the media stream in bits per second. Useful as a quality/compression indicator; a bitrate that disagrees with the declared codec preset can indicate a re-encoding step that changed the quality envelope.
Video rotation rotation
Display rotation flag for the video stream (0°, 90°, 180°, 270°). Written by the device based on its orientation at capture. A value that disagrees with the visible orientation can indicate a re-encode that rotated pixels without updating the flag.
Audio artist artist
Artist tag from the audio file metadata (ID3, Vorbis comment, MP4 atom). Self-declared; useful as a chain-of-custody hint but never as proof of authorship.
Audio album album
Album tag from the audio file metadata. Self-declared; combined with year and track number it characterizes the source publication of the audio file.
Audio year year
Release year tag from the audio file metadata. Self-declared and trivially editable; mismatch with the modification timestamp can indicate the metadata was set after the fact.
Copyright string from the audio file metadata. Self-declared; useful in chain-of-custody analysis when validating the claimed publisher.
Audio comment comment
Free-form comment field from the audio file metadata. Often used by encoders to declare themselves (e.g. "Lavf58.76.100"); useful as a toolchain fingerprint.
Audio sample rate sampleRate
Sample rate of the audio stream in Hertz (e.g. 44100, 48000). Capture parameter; an unusual sample rate for the declared format is consistent with a re-sampling step in the encoding chain.
Audio channel count channels
Number of audio channels (1 = mono, 2 = stereo, 6 = 5.1 surround). Capture parameter; useful when validating that the channel layout matches the expected source recording configuration.
Audio genre genre
Genre tag from the audio file metadata. Self-declared and cosmetic; useful as a chain-of-custody hint but never forensically authoritative.
Audio track number trackNumber
Track number within the album, from the audio file metadata. Self-declared; combined with album and year it characterizes the source publication.
Audio encoder encoder
Software that encoded the audio file (e.g. "LAME 3.100", "libfdk_aac"). Toolchain fingerprint; useful when validating that the encoder matches the expected production workflow.

Office documents

Office revision number revision
Number of times the document has been saved. Revision 1 with thousands of words (see F12) is unusual for authored content and consistent with a paste from another source.
Office total editing time totalTime
Cumulative minutes the document has been open in editing mode. Zero minutes with substantial content (see F11) is consistent with paste-from-external or plagiarized content.
Office word count words
Word count tracked by the office suite. Cross-references with totalTime and revision number to assess whether the editing footprint matches the apparent work product.
Office paragraph count paragraphs
Number of paragraphs tracked by the office suite. Cross-references with word count, total editing time, and revision number to assess whether the editing footprint matches the apparent work product.
Office last-modified-by lastModifiedBy
Username of the account that last saved the document, recorded by the office suite. Privacy-sensitive identity signal; useful in chain-of-custody analysis to determine whether the editor matches the declared author.
Office company company
Organization name configured on the editing machine, embedded by the office suite at save time. A chain-of-custody hint; the value can leak the editor's affiliation even when the visible content is anonymized.
Office manager manager
Manager name configured on the editing machine, embedded by some office suites in document properties. Rarely populated; a chain-of-custody hint when present.
Office creation date created
Timestamp the office suite recorded when the document was first created. Self-declared; trivial to back-date by changing the system clock. Combine with the ExistBefore attestation timestamp for trustworthy temporal evidence.
Office modification date modified
Timestamp of the last save in the office suite. When this precedes the creation date (see F03), the metadata is logically impossible and has been forged or reset.
Office application name application
Name and version of the office suite that wrote the file (e.g. "Microsoft Office Word", "LibreOffice/7.6"). Toolchain fingerprint; useful when verifying that the file is consistent with the declared editing workflow.
Office template template
Path to the template the document was based on (e.g. "Normal.dotm"). Often left as the default; a custom template path can leak the editor's filesystem layout and affiliation.
Office content status contentStatus
Document status declared by the author (e.g. "Draft", "Final", "In review"). Self-declared; useful as a workflow hint but never forensically authoritative.

C2PA Content Credentials

C2PA Content Credentials validation c2paValidation
Result of validating the embedded C2PA Content Credentials manifest. "Valid" means the cryptographic chain checks out for this file. Anything else (see F06) is a stronger negative signal than no manifest at all.
C2PA claim generator c2paClaimGenerator
Software that produced the C2PA Content Credentials manifest (e.g. "Adobe Photoshop 25.1", "Leica M11-P firmware 2.0"). Toolchain fingerprint authenticated by the manifest signature when validation succeeds.
C2PA title c2paTitle
Title declared inside the C2PA Content Credentials manifest (distinct from the file's other title fields). Authenticated by the manifest signature when validation succeeds.
C2PA author c2paAuthor
Author/creator declared inside the C2PA Content Credentials manifest. Authenticated by the manifest signature when validation succeeds; one of the strongest authorship signals available for digital media.
C2PA copyright notice c2paCopyright
Copyright string declared inside the C2PA Content Credentials manifest. Authenticated by the manifest signature when validation succeeds; independent of EXIF / IPTC / XMP copyright fields.
C2PA actions log c2paActions
List of editing actions recorded inside the C2PA Content Credentials manifest (e.g. "c2pa.created", "c2pa.color_adjusted"). Provenance signal authenticated by the manifest signature when validation succeeds.
C2PA signer issuer c2paSignerIssuer
Issuer of the X.509 certificate that signed the C2PA Content Credentials manifest. Identifies the trust anchor for the C2PA chain; useful when verifying the file's signer is in the expected trust list.
C2PA signature time c2paSignatureTime
Timestamp at which the C2PA Content Credentials manifest was signed. Authenticated by the manifest signature when validation succeeds; provides cryptographically-anchored temporal evidence independent of EXIF/XMP/file system dates.

Universal forensic

File header (first 64 bytes) rawHeader
First 64 bytes of the file, hex-encoded. Used to verify that the bytes match the magic-bytes signature for the claimed MIME type (see F19). Universal across file types — extracted at the dispatcher boundary regardless of MIME.
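
The rawHeader / mimeType comparison behind F19 can be sketched as follows. This is an added example, not ExistBefore's own code: the signature table is a small constructed subset, and the function names and the returned object shape are assumptions made for illustration.

```javascript
// Added illustration of the F19 cross-check; not ExistBefore's implementation.
// SIGNATURES is a small constructed subset of well-known magic bytes.
const OOXML = "application/vnd.openxmlformats-officedocument.";
const SIGNATURES = [
  { hex: "ffd8ff", types: ["image/jpeg"] },
  { hex: "89504e470d0a1a0a", types: ["image/png"] },
  { hex: "474946383761", types: ["image/gif"] }, // GIF87a
  { hex: "474946383961", types: ["image/gif"] }, // GIF89a
  { hex: "255044462d", types: ["application/pdf"] }, // %PDF-
  // ZIP local file header: OOXML office files are ZIP containers.
  { hex: "504b0304", types: ["application/zip",
      OOXML + "wordprocessingml.document",
      OOXML + "spreadsheetml.sheet",
      OOXML + "presentationml.presentation"] },
];

// Accepts hex with optional spaces or colons, in any case.
function normalizeHex(rawHeader) {
  const hex = String(rawHeader).replace(/[\s:]/g, "").toLowerCase();
  if (hex.length === 0 || hex.length % 2 !== 0 || /[^0-9a-f]/.test(hex)) {
    throw new TypeError("rawHeader must be an even-length hex string");
  }
  return hex;
}

// Drops parameters such as "; charset=..." and lowercases the type.
function normalizeMime(mimeType) {
  return String(mimeType).split(";")[0].trim().toLowerCase();
}

// Returns { status, declared, sniffed } where status is
// "match", "mismatch", or "unknown" (neither side is in the table).
function checkHeaderAgainstMime(rawHeader, mimeType) {
  const hex = normalizeHex(rawHeader);
  const declared = normalizeMime(mimeType);
  const hit = SIGNATURES.find((s) => hex.startsWith(s.hex));
  if (hit) {
    const status = hit.types.includes(declared) ? "match" : "mismatch";
    return { status, declared, sniffed: hit.types };
  }
  // Bytes are unrecognised: that contradicts a declared type whose
  // signature is in the table, and is undecidable otherwise.
  const declaredKnown = SIGNATURES.some((s) => s.types.includes(declared));
  return { status: declaredKnown ? "mismatch" : "unknown", declared, sniffed: null };
}

// Constructed sample: PDF bytes ("%PDF-1.7") declared as a JPEG.
const sample = checkHeaderAgainstMime("25 50 44 46 2d 31 2e 37", "image/jpeg");
console.log(sample.status, sample.sniffed);
```

An "unknown" result means only that the table cannot decide; it is not a pass.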

How findings cite glossary entries

The Forensic Integrity Findings rules (F01–F21) reference glossary entries by name. For example, F21 ("device byte order disagreement") cites make and exifByteOrder. Use these anchors when sharing analysis with collaborators or in legal correspondence.
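
The timestamp rules described in the entries above (F01, F02 and F17 for a divergence from dateTimeOriginal beyond 24 hours, F03 for a modification that precedes creation) can be evaluated over an extracted field list like this. It is an added example, not ExistBefore's own code: it assumes timestamps arrive as ISO 8601 strings with an explicit offset, and the function names and finding shape are hypothetical.

```javascript
// Added illustration of rules F01, F02, F03 and F17 as this glossary describes
// them; not ExistBefore's implementation. Assumes ISO 8601 input with offset.
const DAY_MS = 24 * 60 * 60 * 1000;

// Returns epoch milliseconds, or null for a missing or unparseable value.
function parseInstant(value) {
  if (value === undefined || value === null || value === "") return null;
  const ms = Date.parse(value);
  return Number.isNaN(ms) ? null : ms;
}

// gpsDateStamp is day-precision UTC, so measure the distance from the instant
// to the whole UTC day (0 if it falls inside), not to midnight.
// Accepts "YYYY:MM:DD" (EXIF style) or "YYYY-MM-DD".
function gapToUtcDay(instantMs, dayStamp) {
  const m = /^(\d{4})[:-](\d{2})[:-](\d{2})$/.exec(String(dayStamp));
  if (!m) return null;
  const start = Date.UTC(+m[1], +m[2] - 1, +m[3]);
  const end = start + DAY_MS;
  if (instantMs < start) return start - instantMs;
  if (instantMs >= end) return instantMs - end;
  return 0;
}

function checkTimestamps(meta) {
  const findings = [];
  const original = parseInstant(meta.dateTimeOriginal);
  if (original !== null) {
    // F01 / F02: IPTC or XMP date more than 24 hours from the capture time.
    for (const [rule, field] of [["F01", "iptcDateCreated"], ["F02", "xmpCreateDate"]]) {
      const other = parseInstant(meta[field]);
      if (other !== null && Math.abs(other - original) > DAY_MS) {
        findings.push({ rule, fields: ["dateTimeOriginal", field] });
      }
    }
    // F17: GPS day more than 24 hours from the capture time.
    const gap = gapToUtcDay(original, meta.gpsDateStamp);
    if (gap !== null && gap > DAY_MS) {
      findings.push({ rule: "F17", fields: ["dateTimeOriginal", "gpsDateStamp"] });
    }
  }
  // F03: a "last modified" value earlier than its "created" counterpart.
  const pairs = [["dateTime", "dateTimeOriginal"],
                 ["modificationDate", "creationDate"],
                 ["modified", "created"]];
  for (const [later, earlier] of pairs) {
    const a = parseInstant(meta[later]);
    const b = parseInstant(meta[earlier]);
    if (a !== null && b !== null && a < b) {
      findings.push({ rule: "F03", fields: [later, earlier] });
    }
  }
  return findings;
}

// Constructed sample: XMP date two days after capture, EXIF save before capture.
const photo = {
  dateTimeOriginal: "2024-05-01T10:00:00Z",
  iptcDateCreated: "2024-05-01T12:00:00Z",
  xmpCreateDate: "2024-05-03T10:00:00Z",
  gpsDateStamp: "2024:05:01",
  dateTime: "2024-04-30T09:00:00Z",
};
console.log(checkTimestamps(photo).map((f) => f.rule)); // [ 'F02', 'F03' ]
```

An empty result only means none of these four rules fired on the fields present.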
