ENF Analysis and Metadata Consistency

Authenticity II: Digital Methods

Two Pillars of Digital Authentication

ENF Analysis = physical truth anchor
- Links the recording to real-world time, place, and grid conditions
Metadata Consistency = digital integrity check
- Verifies the file’s lifecycle from creation to present

Part 1: ENF Analysis

What is ENF?

Electric Network Frequency: the supply frequency of the power grid
Nominally 50 Hz (Europe, Asia, Australia) or 60 Hz (North America)
Fluctuates randomly as operators balance supply and demand
Fluctuations are unique to a specific time and consistent across an entire grid

Why Does ENF Fluctuate?

How ENF Enters Audio Recordings

Pathway	How it works
Electromagnetic induction	Mains hum induced into audio circuitry or cables
Acoustic coupling	Microphone picks up hum from transformers/motors
Direct connection	ENF enters through wall outlet power supply

The ENF Extraction Pipeline

Step 1: Decimation

Audio recorded at high rates (e.g., 44.1 kHz) but ENF is low-frequency
Downsample to ~300–400 Hz to focus on the band of interest
Apply anti-aliasing FIR low-pass filter before decimation
Reduces computational load dramatically

Step 2: Bandpass Filter

Isolate the nominal frequency range (e.g., 49.5–50.5 Hz for a 50 Hz grid)
Sharp FIR bandpass filter removes everything outside this narrow band
What remains: the ENF signal plus any noise in that frequency range

Step 3: STFT Analysis

Divide signal into overlapping frames (typically 8–16 seconds)
Apply a window function (Hann or Blackman-Tukey) to each frame
Compute FFT for each frame to find the dominant frequency
Zero-padding (often 4×) improves frequency resolution

Resolution vs. Frame Length Tradeoff

Longer frames (16–32 sec): better frequency resolution, poor time resolution
Shorter frames (1–2 sec): capture sudden changes, but frequency “blurring”
This is the Heisenberg uncertainty principle applied to signal processing
Typical forensic choice: 8–16 second frames as a compromise

This tradeoff is often called the “uncertainty principle” of signal processing because it’s mathematically analogous to Heisenberg’s uncertainty principle in quantum mechanics
In quantum physics, you can’t simultaneously know a particle’s exact position and exact momentum — the more precisely you measure one, the less precisely you can know the other. The product of their uncertainties has a lower bound: Δx · Δp ≥ ℏ/2
In signal processing, the same mathematical relationship applies to time and frequency: Δt · Δf ≥ 1. The product of your time resolution and frequency resolution can never be smaller than 1. If you want frequency bins spaced 0.1 Hz apart (Δf = 0.1), you need at least a 10-second window (Δt = 10). There’s no windowing trick or algorithm that can beat this limit.
This isn’t just an analogy — both constraints arise from the same underlying mathematics of Fourier transforms. A signal that is compact in time must be spread out in frequency, and vice versa.
Concrete example: A 16-second frame at 400 Hz sample rate gives frequency bins spaced ~0.06 Hz apart — enough to resolve subtle ENF fluctuations like 49.97 Hz vs. 50.03 Hz. But if the recording was edited at the 10-second mark, you can’t pinpoint when — the edit is somewhere within that 16-second window.
A 1-second frame gives bins spaced 1 Hz apart — far too coarse to distinguish those same frequencies, but you’d know exactly when something changed.
Forensic analysts typically choose 8–16 second frames as a practical compromise
The exact choice depends on the application: authentication needs fine frequency resolution; tampering detection may need better time resolution to spot edits
Source: Hua, Guang, Guoan Bi, and Vrizlynn L. L. Thing. “On Practical Issues of ENF Based Audio Forensics.” IEEE Access 5 (2017): 20640–20651.

Step 4: Peak Detection and Interpolation

Find the highest-magnitude FFT bin in each frame — this is the ENF estimate
True frequency usually falls between bins
Quadratic interpolation (QIFFT) refines the peak to sub-bin precision
Concatenate all frame estimates → the ENF trace

ENF Trace Example

Beyond STFT: Parametric Methods

MUSIC: eigendecomposition of autocorrelation matrix; exhaustive spectral search
ESPRIT: uses rotational invariance; faster and more robust than MUSIC
Both offer higher resolution than STFT but assume a signal model
STFT remains the standard for most forensic work

STFT is the workhorse, but parametric methods can offer better frequency resolution
MUSIC (Multiple Signal Classification) separates the signal into signal and noise subspaces using eigendecomposition
It then searches across all frequencies to find where the signal subspace projects — computationally expensive
ESPRIT (Estimation of Signal Parameters via Rotational Invariance Techniques) finds frequency directly through phase shifts — faster and more robust to model mismatches
In practice, STFT is still preferred for most forensic work because it makes fewer assumptions and is well-understood by courts
Source: Bykhovsky, D., and A. Cohen. “ENF Maximum-Likelihood Estimation via a Multitone Harmonic Model.” IEEE Transactions on Information Forensics and Security 8, no. 5 (2013): 744–753.

ENF Harmonics

The fundamental (50/60 Hz) may be filtered out by communication systems (>300 Hz cutoff)
Harmonics at 100, 150, 200 Hz etc. can survive
Multi-Harmonic Combining (MHC): analyze multiple harmonics for better robustness
Some systems examine up to the 116th harmonic

ENF Reference Databases

Database	Access
FNET/GridEye	Public
ENF-WHU Dataset	Open source
Power IT Lab	Academic
MAST@UMD ENF	Academic

Reference databases are the “ground truth” for forensic comparisons — without them, ENF analysis can detect tampering but cannot determine time-of-recording
FNET/GridEye (University of Tennessee / Oak Ridge National Lab): uses 300+ GPS-synchronized Frequency Disturbance Recorders (FDRs) that measure grid frequency at ordinary wall outlets with accuracy within ± 0.0005 Hz. Collects 4+ GB of phasor data per day. Covers the three major North American grids and 16 of the largest grids worldwide.
ENF-WHU Dataset: open-source dataset of audio recordings with matched ENF ground truth, useful for testing and benchmarking ENF extraction algorithms
Law enforcement agencies also maintain their own databases (e.g., UK Metropolitan Police has recorded mains frequency continuously since 2005)
Typical setup for recording a reference database: step-down transformer reduces mains voltage (e.g., 240V → 18V), a voltage divider brings it within sound card input range, GPS synchronization provides precise timestamps, and the system records continuously
Stored as time-stamped frequency logs, typically one ENF sample per second
Source: Grigoras, Catalin. “Digital Audio Recording Analysis: The ENF Criterion.” International Journal of Speech Language and the Law 12, no. 1 (2005): 63–76.

Authentication: Matching Against the Database

Extract ENF trace from the recording
Normalize both trace and reference to zero mean, unit variance
Slide the trace across the reference database sample by sample
Measure similarity with correlation coefficient or MMSE

When is a Match Statistically Significant?

Grids have daily cycles (morning surges repeat) creating self-similarity
A Monday morning pattern may randomly resemble another Monday
Recordings <10 minutes are highly susceptible to false positives
SNR is critical: low SNR causes rapid increase in matching errors

Not every correlation peak is a true match — you need statistical significance
Power grids have recurring patterns: weekday mornings tend to look similar because of similar demand patterns
This “self-similarity” means short traces may match multiple points in the database equally well
Recordings under 10 minutes are particularly vulnerable — there simply isn’t enough random variation to be unique
Signal-to-noise ratio matters enormously: once SNR drops below a threshold, matching errors increase rapidly
This is why ENF alone isn’t always enough — you need metadata as a second line of evidence
Source: Pop, Gheorghe, Dragoş Burileanu, and Şerban Mihalache. “An Evaluative ENF-Based Framework for Forensic Authentication.” Proceedings of the Romanian Academy, Series A 19, no. 4 (2018): 605–612.

Timestamping: The Cracow Case

2003 Poland: disputed recording of two businessmen
Device clock was off by nearly 200 days vs. witness testimony
ENF trace matched the time claimed by witnesses, not the device clock
ENF provided the objective physical evidence to resolve the dispute

Tampering Detection via ENF

Splicing creates discontinuities in the ENF trace
Phase jumps: sudden shifts in wave position (detectable at millisecond level)
Frequency jumps: sudden changes in the ENF value between frames
Natural grid fluctuations are slow and continuous; edits create abrupt breaks

Inserted Clip Example

IMAGE Source: https://www.researchgate.net/figure/ENF-matching-result-demonstrating-the-detection-of-video-tampering-based-on-the-ENF_fig3_221572558
This figure shows how ENF analysis detects a tampered recording by comparing it against a ground truth ENF signal
Top plot: The ENF trace extracted from a recording. The blue line shows the frequency fluctuations over ~960 seconds. Between roughly 320–480 seconds, a segment labeled “Inserted clip” has been spliced in — its ENF pattern doesn’t match the surrounding audio.
Bottom plot: The ground truth ENF signal from the reference database for the same time period
Red arrows and lines: Show the correspondence between the inserted clip in the recording and where that clip actually came from in the ground truth. The red vertical lines connect the splice boundaries in the top plot to matching points in the bottom plot, revealing that the inserted audio originated from a different time.
Green dashed arrows: Show how the authentic portions of the recording (before and after the splice) align with the ground truth signal — these sections match, confirming they are unaltered.
The key insight: the authentic segments correlate well with the reference, but the inserted clip correlates with a different time period — proof of tampering
Dynamic Matching Algorithms (DMA) can auto-correct noise-affected estimates during the sliding correlation process
Source: Hua, Guang, Jonathan Goh, and Vrizlynn L. L. Thing. “A Dynamic Matching Algorithm for Audio Timestamp Identification Using the ENF Criterion.” IEEE Transactions on Information Forensics and Security 9, no. 7 (2014): 1045–1055.

ENF in Video

Artificial lights flicker in sync with the power grid
Flicker occurs at 2× grid frequency (100 Hz or 120 Hz) — both AC half-cycles produce light
Invisible to humans, but captured by camera sensors

ENF for Geolocation

Inter-grid: Which power grid was the recording made on?
- US Eastern, US Western, European grids have independent frequency patterns
Intra-grid: Where within a specific grid?
- Frequency varies slightly by location due to local load conditions

Localization Within a Power Grid

Main ENF fluctuation trends are similar across a power grid, but the high-frequency details differ by location. By high-pass filtering ENF signals, you can isolate these location-specific variations.
The figure shows the correlation between high-passed ENF signals measured at College Park, MD and four other cities in the East US grid. Each point is the correlation coefficient for one time segment.
College Park–Princeton (black, squares): highest correlation (~0.90–0.98) — Princeton, NJ is geographically closest to College Park, MD
College Park–Raleigh (blue, circles): next highest (~0.85–0.90) — Raleigh, NC is moderately close
College Park–Champaign (green, circles): lower (~0.70–0.85) — Champaign, IL is farther away in the Midwest
College Park–Atlanta (red, x’s): lowest (~0.65–0.80) — Atlanta, GA is the farthest city shown
The pattern is clear: correlation drops with geographic distance. Closer locations share more similar high-frequency ENF details, while distant locations diverge.
This means that by comparing a recording’s high-passed ENF signal against reference signals from known locations, analysts can estimate where within a grid the recording was made.

Limitations of ENF Analysis

Weak signal: ENF is often 40–60 dB below primary audio content
Short recordings (<10 min): self-similarity creates false positive risk
In-band interference: voices and music in the 50/60 Hz range corrupt the trace
Clock skew: device clocks drift, complicating alignment

ENF Anti-Forensics: The Threat

Attackers can use a notch filter to erase the original ENF signal
Then re-embed a forged donor signal from a different time/location
Forged signals can achieve correlation scores up to 0.96 — visually convincing

Detecting ENF Forgery

Forged signals leave traces in high-frequency spectral content
Subtle phase inconsistencies where the synthetic tone blends with the audio
Recapturing (playing and re-recording) embeds two overlapping ENF signals
Examiners use decorrelation algorithms and deep learning CNNs to detect these

Part 2: Metadata Consistency

What is Audio Metadata?

Internal metadata: embedded in the file container (headers, encoding info, device tags)
External metadata: maintained by the OS (file system timestamps)
Together they form a digital audit trail of the file’s lifecycle

Metadata Examination Workflow

Acquire and hash: secure the original, create a bit-stream copy, generate MD5/SHA256
Technical assessment: document format, codec, sample rate, bit depth, duration
Global audit: use multiple tools to extract all metadata fields
Exemplar creation: record test files on the same device model for comparison
Local discontinuity check: examine waveform and spectrogram for anomalies

Hash Verification

MD5 or SHA256 hash computed immediately upon acquisition
Creates a unique digital fingerprint of the file’s exact contents
Any change — even a single bit — produces a completely different hash
Piecewise hashing: verify integrity of specific file segments independently

Hex Editor Analysis

IMAGE: Screenshot of a hex editor showing a WAV file’s binary data — left column shows hex values, right column shows ASCII interpretation. Highlight the “RIFF” header at offset 0, “WAVE” identifier, “fmt " chunk, and “data” chunk markers
A hex editor shows the raw binary data of a file as both hexadecimal values and ASCII text
This is the lowest level of analysis — you’re looking at exactly what’s stored in the file
WAV files begin with “RIFF” followed by “WAVE” — these are the magic bytes that identify the format
The “fmt " chunk contains encoding parameters; the “data” chunk contains the actual audio
Different file formats have different header patterns: MP3 often starts with “ID3”, WMA with “0&²”
Source: SWGDE. “Best Practices for Digital Audio Authentication.” Version 1.3, September 2018.

File Headers and Container Formats

WAV: RIFF chunk structure; uncompressed PCM; manufacturer data in custom chunks
MP3: ID3 tags (v1 at end, v2 at beginning); frame-based structure
AAC: Common on smartphones (iPhone default); M4A container
WMA: Microsoft proprietary; ASF container with device-specific metadata

Manufacturer Signatures

Recording devices embed proprietary hex strings in file headers
Olympus: “OLY”, “mp3”, “702” (model number) at specific offsets
These signatures are like a device fingerprint
Editing software overwrites these signatures with its own tags

The Olympus Example

IMAGE: Side-by-side hex editor view — left shows an authentic Olympus 702 recording with “OLY”, “mp3”, and “702” hex strings highlighted; right shows the same file after editing in Adobe Audition with those strings replaced by an XMP metadata block
This is one of the clearest demonstrations of metadata analysis in forensic authentication
The authentic file contains the Olympus proprietary signatures at specific byte offsets
After opening and saving in Adobe Audition, those strings are completely gone
Replaced by a large block of XML-based XMP metadata identifying Adobe Audition as the last software to touch the file
Even if no audio content was changed, the metadata tells the full story of modification
Source: SWGDE. “Best Practices for Digital Audio Authentication.” Version 1.3, September 2018.

Encoding Parameters as Evidence

Sampling rate (44.1 kHz, 48 kHz, 8 kHz)
Bit depth (16-bit, 24-bit)
Codec (PCM, AAC, MP3, DSS)
Channels (mono, stereo)
Mismatches between claimed origin and encoding = evidence of re-encoding

Device Fingerprints: Smartphones vs. Recorders

Smartphones: GPS coordinates, AAC codec, mobile-specific metadata fields
Dedicated recorders: proprietary codecs (DSS), manufacturer hex strings, serial numbers
Computer recordings: lack physical environment markers, show desktop software signatures
Double compression artifacts appear when re-encoding a lossy format

ExifTool in Forensic Practice

Standard tool for extracting metadata from audio/video files
Key fields: Create Date, Modify Date, Make, GPS, Compressor Name
Can extract EXIF, IPTC, XMP, and format-specific metadata
Also used to test vulnerabilities — can metadata be injected or modified?

Timestamps and MACB

Modification: last time file content changed
Access: last time file was opened
Creation: when the file was first created on this volume
Entry modification (B): when the MFT record was updated
Stored in the NTFS Master File Table ($MFT)

Detecting Timestomping

Timestomping: manually changing a file’s creation or modification date
Attackers alter $MFT timestamps to match a false narrative
System journals ($LogFile, $UsnJrnl) record file operations independently
Comparing MFT timestamps against journal entries reveals the forgery

Software Fingerprints

Editing software overwrites manufacturer metadata with its own tags
Adobe Audition inserts XMP metadata identifying the software version
Audacity, Pro Tools, and other DAWs leave similar traces
The absence of expected manufacturer metadata is itself a red flag

Chain of Custody and Metadata

Metadata documents the file’s complete lifecycle
Hash at acquisition → hash at every handoff → hash at analysis
Any break in the chain or hash mismatch = compromised evidence
Embedded checksums in proprietary formats provide additional verification

Part 3: Putting It Together

ENF + Metadata: Complementary Evidence

ENF: links the file to the physical world (time, place, grid)
Metadata: verifies the digital lifecycle (device, software, timestamps)
When they agree → strong evidence of authenticity
When they disagree → strong evidence of tampering

Resolving Ambiguity

Short recordings: ENF alone may have multiple matches → metadata narrows the timeframe
Forged metadata: timestamps easily changed → ENF provides independent physical check
Clock skew: device clock drifted → use ENF as a time anchor to calculate the offset
Missing ENF: outdoor/battery recording → metadata may be the only evidence available

The DEMA System

Decentralized ENF-based Media Authentication for social media
Aggregates ENF data from edge nodes and cloud servers
Uses blockchain (Proof-of-ENF consensus) to prevent database poisoning
Cross-references EXIF GPS/timestamps against ENF databases

Case Integration Example

Recording claims to be from March 5, 2:15 PM, New York office
Metadata check: iPhone AAC, creation date March 5, GPS coordinates match office
ENF check: trace matches US Eastern grid reference at March 5, 2:12 PM
Clock skew: 3-minute offset consistent with typical iPhone clock drift
Conclusion: evidence supports authenticity

Summary

ENF analysis extracts power grid frequency to verify time, location, and integrity
Metadata consistency audits file headers, encoding, and timestamps for modification
Neither method is sufficient alone — use both as complementary pillars
The field faces an arms race between forensic tools and anti-forensic techniques