Metadata Forensics Toolkit
by Eph at ephemeradev.net, est. 2026, open source
A desktop app that rips the hidden data out of photos and videos, runs forensic analysis, tracks suspects, and builds evidence packages. Video-first. Built for investigators and advocacy communities documenting abuse networks.
The name comes from a palimpsest: a manuscript where the original writing has been scraped off and written over, but traces of the old text remain underneath. Just like metadata. You can try to erase it, but traces often remain.
Built by a mentally ill untrained aegosexual who got tired of watching these networks operate unchecked.
The Cat still supervised.
"Sorrow be damned and all your plans. Fuck the faithful, fuck the committed, the dedicated, the true believers; fuck all the sure and certain people prepared to maim and kill whoever got in their way; fuck every cause that ended in murder and a child screaming."
Iain Banks, Against a Dark Background
v4.1.1 is a hotfix. The file upload progress bars across the entire app were broken in v4.1. The HTML had the outer container for each progress bar but not the inner fill element, so the JavaScript crashed on a null reference before the upload request was ever created. The progress bar showed up, said "Uploading...," and then nothing happened. Every upload path: single file, batch, and AI Vision. Fixed by adding the three missing <div> elements. Also fixed a redundant full-file read during image imports where compute_hashes() was re-computing MD5/SHA-256 that were already computed on the way in.
v4.1 was a polish release. The recolor cleanup ate the interactive tutorial overlay, the GPS map container, and some dashboard placeholders on the way through. v4.1 put them back. The sidebar version badge no longer overflows, the Dashboard tooltip no longer gets clipped by the sidebar's scroll container, and the tutorial walks you page by page again with a proper spotlight. Background forensic work now runs in a thread pool with a semaphore so batch processing 100 videos doesn't spawn 100 ffmpeg processes at once.
The forensic toolkit itself is unchanged from v4.0: ENF, AI Vision, and Metadata Groups all still work the way they did. If you came in for those, here they are.
ENF Analysis
Your power grid snitches on you. Every AC grid in the world runs at either 50Hz (Europe, Asia, Africa, Oceania) or 60Hz (Americas and parts of East Asia), and that frequency gets baked into every recording made near a power source through electromagnetic interference in audio and flicker in indoor lighting. You can strip every byte of metadata and ENF still tells me what continent you're on. Court-accepted forensic science. Welcome to physics being on our side for once.
AI Vision Analysis
Send extracted frames to Claude, GPT, Gemini, or whatever model you want. It picks out power outlet types (Type I plugs narrow your country fast when you're claiming you're in Kansas), visible text and what language it's in, room features, vegetation through windows, lighting fixtures. Shows a cost estimate before running, because surprise API bills are their own kind of violence. Supports Anthropic, OpenAI, Google, OpenRouter, and custom endpoints.
Metadata Groups
Maps the distribution pipeline. Groups all your evidence by comment field, encoder, codec plus resolution plus fps, and file size. Same comment on 701 files? Same encoder? Same exact chain? Congratulations, you just fingerprinted whoever processed the batch. Who recorded, who re-encoded, who distributed. The pipeline has seams and this finds them.
File Analyzer
Drop any video or image. Palimpsest extracts every piece of hidden data: camera model, GPS coordinates, timestamps, editing software, hashes, codec info, all of it. Simple Mode explains each field in plain English. Advanced Mode shows the raw technical data. No file size limit.
Video-First Design
Videos are the primary material. Full H.264 transcoding through ffmpeg for universal playback of any format you throw at it (MP4, AVI, MOV, MKV, WebM, MTS, etc.), automatic frame extraction, frame-by-frame stepping. Videos are not second-class citizens here.
Forensic Video Player
Zoom up to 32x with mouse wheel, slider, or preset buttons. Drag to pan at any zoom level. Brightness, contrast, saturation, hue rotation, and gamma sliders. Color inversion. Frame-by-frame navigation. Every control works on images too, because sometimes you need to see what's in the dark corner of a frame.
Forensic Suite
Eight analysis modules that go deeper than basic metadata:
- Scene Analysis: Color, brightness, and texture fingerprinting. Finds videos filmed in the same room.
- Watermark Detection: Finds channel stamps, bot overlays, and redistribution marks. Reveals the sharing chain.
- Encoding Chain Analysis: Estimates whether a file is an original or a re-encoded copy and measures generation loss.
- Screen Recording Detection: Tells Telegram screen grabs apart from original camera captures. Checks for status bars, nav bars, phone resolutions.
- Lighting Analysis: Natural versus artificial, color temperature, brightness patterns over time.
- Audio Fingerprinting: Spectral analysis and energy profiling. Matches videos by ambient sound. Same room means same background noise.
- ENF Extraction: Power grid frequency from audio (STFT bandpass) and video luminance (FFT). 50Hz or 60Hz. Geography from physics.
- AI Vision: Frame-by-frame analysis through vision models. Outlet types, text, objects, regional clues.
Scene Matching
Cross-references scene fingerprints across your whole evidence library. Same floor tiles, same wall color, same lighting setup? Flagged. Even if the camera angle is completely different.
Audio Matching
Cross-references audio fingerprints. Same ambient hum, same background noise profile. Connects videos to the same physical location through sound.
ENF Matching
Cross-references ENF traces. Same grid frequency, same fluctuation pattern, same power grid. Maybe the same time. The grid doesn't care about your VPN.
AI Vision Analysis
Pick an evidence item, see the cost estimate, click go. Each extracted frame is sent to your configured AI provider with a forensic prompt. Results come back structured: outlet type, visible text, language, room features, lighting, objects, vegetation, region estimate, confidence score. Stored per-frame, viewable any time.
Metadata Groups
Four grouping modes: comment field (same recording tool), encoder (same encoding software), codec plus resolution plus fps (same batch processing), file size range (same parameters). Reveals the production and distribution pipeline behind a content network.
Multi-Algorithm Hashing
MD5 and SHA-256 for exact identity. pHash, dHash, wHash, and aHash for visual fingerprints. Perceptual hashes survive re-encoding, cropping, and compression, so you can track the same content across platforms even after re-upload.
Batch Processing
Got a folder of 700 files from an IPFS dump? Drop them all in. Each one gets fully analyzed, hashed, thumbnailed, and frame-extracted, and you can link them all to a suspect at once. BG_SEMAPHORE keeps Palimpsest from spawning 700 ffmpeg processes and turning your machine into a space heater.
Suspect Management
Create profiles with names, aliases, platform info, threat levels, and typed identifiers (Telegram handles, crypto wallets, emails, phone numbers, Discord tags). Link evidence to suspects and build case files.
5 Export Formats
- JSON: Machine-readable, importable into another Palimpsest instance.
- PDF: Formatted evidence report for law enforcement handoff.
- CSV: Opens in Excel or Google Sheets, shareable with anyone.
- HTML: Standalone dark-themed report, opens in any browser, no software needed.
- Markdown: Clean text, paste into Discord, docs, or GitHub.
All filterable by suspect.
Import
Load evidence from someone else's Palimpsest JSON export into your own instance. Suspects come along. Duplicates (same SHA-256) are skipped automatically. This is how your team shares data.
Side-by-Side Comparison
Pick any two evidence items. Palimpsest checks for the same camera, same location, same date, same codec, same resolution, and visual similarity.
Duplicate Detection
Exact copies (matching SHA-256) and near-duplicates (visually similar via perceptual hashing). Works across both videos and images. Finds re-uploads.
Timeline
All dated evidence sorted chronologically. Useful for establishing event sequences and activity patterns.
GPS Map
Files with embedded GPS coordinates plotted on an interactive map. Click markers for details.
Interactive Tutorial
A sixteen-step walkthrough that takes you through the entire app, plus a written Help page if you'd rather read.
Tooltips Everywhere
Hover over more or less anything for an explanation. Designed to be usable by people who have never touched forensic software before.
No File Size Limit
It's your machine. Your rules.
One Developer, One Cat
Pure Python, no external DLLs, and a healthy amount of anger pointed at the right things.
Go to Releases, download the zip, extract, double-click Palimpsest.exe. Done.
The exe bundles everything including ffmpeg. Nothing else to install. Three files total: Palimpsest.exe, palimpsest_ui.html, palimpsest_icon.ico.
- Install Python 3.10+ from python.org. Check "Add Python to PATH" during install. I will not troubleshoot this for you.
- Install dependencies: `pip install -r requirements.txt`
- Install ffmpeg from ffmpeg.org and add it to PATH. Needed for audio forensics and ENF analysis.
- Run it: `python palimpsest.py`
- Opens in your browser at `http://127.0.0.1:7700`.

- Do Option B first to make sure it works.
- Run the build script: `build.bat`
- Your exe lands in `dist/`. Copy `palimpsest_ui.html` and `palimpsest_icon.ico` next to it.
If pyinstaller isn't on your PATH and build.bat fails, use the full path:
& "C:\Users\YOU\AppData\Roaming\Python\PythonXXX\Scripts\pyinstaller.exe" ...
PowerShell users: yes, you need the & prefix. No, I will not explain why. Blame Microsoft.
| File | What It Does |
|---|---|
| palimpsest.py | The whole backend. Flask API, metadata extraction, forensic modules, ENF analysis, AI integration, database. |
| palimpsest_ui.html | The whole frontend. Single-page app with the full UI and tutorial. |
| palimpsest_icon.ico | App icon for browser tab, sidebar, taskbar, file explorer. |
| requirements.txt | Python dependencies. All pip-installable. |
| build.bat | One-click Windows exe builder. Bundles ffmpeg. |
| README.md | You're reading it. |
All pip-installable. No external DLLs.
| Package | What It Does |
|---|---|
| Flask | Runs the local web UI |
| Pillow | Image EXIF extraction |
| imagehash | Perceptual hashing (pHash, dHash, wHash, aHash) |
| opencv-python-headless | Video analysis, frame extraction, thumbnails, forensic vision |
| hachoir | Video container metadata (creation dates, codecs, encoder info) |
| numpy | Numerical processing for forensic analysis |
| scipy | Audio spectral analysis, signal processing, ENF extraction |
| reportlab | PDF report generation |
Plus ffmpeg as a separate install from ffmpeg.org, used for audio extraction, video transcoding, and ENF analysis. Bundled into the exe automatically by build.bat.
Scene Analysis
Samples frames throughout a video, builds HSV color histograms, measures brightness profiles and edge density, and generates a texture hash. Scene Matching then cross-references those fingerprints across your library. Same floor, same walls, same light, connected.
Watermark and Overlay Detection
Checks six standard overlay positions (four corners plus top and bottom center) across multiple frames. Consistent high-contrast edges in the same position across the whole video means a channel stamp, bot watermark, or redistribution mark. Reports confidence and consistency percentages.
Encoding Chain Analysis
Calculates bits-per-pixel-per-frame ratios, measures 8x8 block boundary artifacts (the JPEG and H.264 compression grid), and checks for non-standard resolutions and frame rates. Outputs one of: "likely original," "1st-2nd generation," "2nd-3rd generation," or "3rd+ generation (heavily re-encoded)." Originals are the most valuable for investigation.
Screen Recording Detection
Checks resolution against known phone screen sizes, analyzes top and bottom frame strips for status-bar and navigation-bar patterns, and looks at FPS and orientation. Tells Telegram screen grabs apart from original camera captures and outputs a confidence percentage.
Lighting Analysis
Brightness and color temperature over time, visualized. Blue-to-red ratio for the natural-versus-artificial classification. Flags very dark scenes, sharp brightness changes, and unusual color temperatures.
Audio Fingerprinting
Pulls audio through ffmpeg, normalizes to 16kHz mono, then computes spectral centroid, per-second energy profile, and silence percentage. Generates a hash from the energy profile. Audio Matching uses that hash to find videos with the same ambient sound signature.
ENF Extraction
Pulls audio at 8kHz and runs a Short-Time Fourier Transform to isolate energy around 50Hz and 60Hz plus their second harmonics at 100Hz and 120Hz. Computes signal-to-noise ratios against the noise floor between those frequencies. For high-framerate video (50fps and up), it also extracts a luminance FFT to detect AC lighting flicker as corroboration. Outputs the detected frequency, grid region, confidence percentage, source (audio, video, or both), and an ENF trace showing how the frequency fluctuates over time. The power grid is the world's largest unintentional tracking device.
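A reduced version of the audio path described above, added here as an illustration and not taken from `palimpsest.py`. It measures single frequency bins per one-second window with the Goertzel algorithm instead of a full scipy STFT; the function names, the 10 dB threshold, the noise bins and the `synth` signals are all assumptions constructed for the example.

```python
import math
import random

GRID_HZ = (50, 60)                       # nominal mains frequencies
NOISE_HZ = (54, 55, 56, 108, 110, 112)   # bins between the grid lines and between their harmonics


def goertzel_power(chunk, rate, freq):
    """Power of a single frequency in one chunk (one-bin DFT)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in chunk:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def classify_enf(samples, rate=8000, win_s=1.0, min_snr_db=10.0):
    """Return (50, 60 or None, {hz: snr_db}) from mono samples in [-1, 1]."""
    n = int(rate * win_s)
    hann = [0.5 - 0.5 * math.cos(2.0 * math.pi * i / n) for i in range(n)]
    power = {f: 0.0 for f in GRID_HZ}
    noise = 0.0
    for start in range(0, len(samples) - n + 1, n):
        chunk = [s * w for s, w in zip(samples[start:start + n], hann)]
        for f in GRID_HZ:   # fundamental plus second harmonic
            power[f] += goertzel_power(chunk, rate, f) + goertzel_power(chunk, rate, 2 * f)
        noise += sum(goertzel_power(chunk, rate, f) for f in NOISE_HZ) / len(NOISE_HZ)
    if noise <= 0.0:        # shorter than one window, or digital silence
        return None, {}
    snr = {f: 10.0 * math.log10(max(p, 1e-12) / (2.0 * noise)) for f, p in power.items()}
    best = max(snr, key=snr.get)
    return (best if snr[best] >= min_snr_db else None), snr


def synth(hum_hz, seconds=4, rate=8000, seed=1):
    """Constructed test signal: broadband noise plus optional mains hum."""
    rng = random.Random(seed)
    out = []
    for i in range(seconds * rate):
        x = rng.uniform(-0.2, 0.2)
        if hum_hz:
            t = i / rate
            x += 0.05 * math.sin(2.0 * math.pi * hum_hz * t)
            x += 0.02 * math.sin(2.0 * math.pi * 2 * hum_hz * t)
        out.append(x)
    return out


if __name__ == "__main__":
    for label, hum in (("50 Hz room", 50), ("60 Hz room", 60), ("battery, outdoors", None)):
        grid, snr = classify_enf(synth(hum))
        print(label, "->", grid or "indeterminate", {f: round(v, 1) for f, v in snr.items()})
```

The noise-only signal stands in for the battery-powered or outdoor recording: neither grid line clears the threshold, so the result is indeterminate rather than a guess.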
AI Vision Frame Analysis
Reads each extracted frame through a vision model API. The provider abstraction supports Anthropic (Claude Sonnet/Opus 4.5–4.6), OpenAI (GPT 5.2–5.3), Google (Gemini 3.0–3.1 Flash/Pro), OpenRouter, and custom OpenAI-compatible endpoints. Returns structured JSON: outlet type, visible text, text language, room features, lighting type, vegetation, objects, environmental clues, region estimate, confidence score. Shows a cost estimate before running and tracks cumulative spend. Your API key stays local.
Evidence Integrity
Original files are never modified. Palimpsest stores copies and generates previews and thumbnails alongside the originals. Hashes are computed on the original bytes.
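One way to get these properties together with the single-read hashing from the v4.1.1 note and the SHA-256 duplicate skip used by Import, shown as an added example rather than Palimpsest's own code. `ingest_evidence`, `verify_evidence`, the `index` dict and the store layout are hypothetical names chosen for the illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large videos never sit in memory


def ingest_evidence(src_path, store_dir, index):
    """Copy src into store_dir, hashing the original bytes in the same pass.

    index maps sha256 -> stored path. Returns (record, is_new).
    The source file is only ever opened for reading.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    fd, tmp_path = tempfile.mkstemp(dir=store_dir, suffix=".part")
    try:
        with os.fdopen(fd, "wb") as dst, open(src_path, "rb") as src:
            while chunk := src.read(CHUNK):
                md5.update(chunk)       # both digests come from the one read,
                sha256.update(chunk)    # so no second full-file pass is needed
                dst.write(chunk)
    except BaseException:
        os.unlink(tmp_path)             # never leave a partial copy in the store
        raise
    digest = sha256.hexdigest()
    record = {"sha256": digest, "md5": md5.hexdigest()}
    if digest in index:                 # exact duplicate: keep the first copy
        os.unlink(tmp_path)
        record["path"] = index[digest]
        return record, False
    ext = os.path.splitext(src_path)[1].lower()
    final = os.path.join(store_dir, digest + ext)
    os.replace(tmp_path, final)
    os.chmod(final, 0o444)              # stored copy is read-only
    index[digest] = record["path"] = final
    return record, True


def verify_evidence(record):
    """Re-hash the stored copy and compare with the digest taken at ingest."""
    h = hashlib.sha256()
    with open(record["path"], "rb") as f:
        while chunk := f.read(CHUNK):
            h.update(chunk)
    return h.hexdigest() == record["sha256"]
```

Running `verify_evidence` again before an export is what backs a statement that the hashes were verified: a stored copy that has changed since ingest no longer matches its recorded digest.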
Forensic Accuracy
The forensic modules use heuristics. Scene matching, screen recording detection, encoding analysis, and ENF classification are probabilistic, not definitive. They flag connections worth investigating, they don't prove anything on their own. ENF is court-accepted science, but confidence levels vary with recording quality.
No Warranty
This software is provided as-is. It works on my machine. If it breaks on yours, open an issue with details.
Privacy
Palimpsest collects nothing. No telemetry, no analytics, no tracking. Everything stays on your machine, nothing phones home. The one exception: if you use AI Vision analysis, extracted frames go to whichever provider you configured. Your API key is stored locally and only sent to the endpoint you chose. No frames leave your machine without you explicitly clicking "Run AI Analysis."
"What's this for?"
Documenting and investigating abuse networks, specifically organized animal torture operations that share material through Telegram channels and encrypted platforms. The forensic tools are general-purpose though, so use them for whatever needs investigating.
"Why video-first?"
Because the material we're analyzing is primarily video. The metadata, encoding chains, and frame analysis matter more than photo EXIF in this context.
"Can law enforcement use the exports?"
That's the goal. PDF reports are formatted for handoff, JSON exports contain all metadata and hashes in a structured format, and evidence integrity is maintained: originals are untouched and hashes are verified.
"Can my team share data?"
Yes. Export as JSON from one Palimpsest, import into another. Suspects come along for the ride. Duplicates auto-skip by SHA-256. CSV and HTML exports work for people who don't have Palimpsest at all.
"The ENF says indeterminate."
The recording was probably made on battery power away from the grid, or outdoors, or the audio is too noisy for a clean signal. ENF needs electromagnetic interference from nearby power lines or indoor lighting flicker to work. It's physics, not magic. Close though.
"AI Vision analysis is expensive."
That's why there's a cost estimator. Click "Estimate Cost" before running. At 360p with 8 frames per video, most providers run $0.02–$0.08 per video. Gemini Flash is the cheapest. For 700 videos that's $14–$56 total. You can also just run it on the interesting ones.
"The forensics say 'screen recording detected' but it's not."
It's a confidence score, not a verdict. False positives happen. A portrait video at phone-screen resolution with consistent top and bottom strips will trip it. Use it as one signal among many.
"Something is broken."
Open an issue. Include what you were doing, what happened, and what you expected. The Cat will review it with the gravity it deserves.
Website: ephemeradev.net
Project No More: projectnomore.net, the advocacy work this tool supports.
Created by Eph at Ephemera.
Built with the assistance of Claude (Anthropic), who ran the forensic math, built the ENF extraction pipeline, and still didn't flinch at the subject matter.
Mascot: The Cat, who did not QA the progress bars.
MIT License. See LICENSE for details.
Use it. Modify it. Build on it. If it helps take down even one of these networks, that's all that matters.
"She taught the power grid to snitch and honestly? Iconic."