What is metadata? Metadata is “data about data.” It provides information about a particular electronic file. Digital forensics experts use metadata to understand what activities occurred on devices such as computers, servers, smartphones and other mobile devices, and USB drives.
Different types of metadata are available depending on the type of file. For example, a Microsoft Word document will have different metadata fields than a photo taken with an iPhone. You can expect a Microsoft Word document to have metadata about the author of the document, when it was last saved, where it was copied from and any comments or tracked changes. By contrast, the metadata in an iPhone photo will typically include the date the photo was taken and GPS coordinates of where it was taken.
These are some common categories of metadata:
- File system metadata: File system metadata is created by the computer system. It contains information such as the file path, file extension, modified date/time, created date/time and when a file was last accessed. This type of metadata is frequently the backbone of a forensic investigation for a computer and is critical to preserve.
- Document metadata: Document metadata is generally created by the application the file was created or edited in (e.g., Microsoft Office). It may contain information such as the author, the last person to edit the document, how long the document has been open or the last time the document was printed, all of which can be useful in a forensic investigation.
- Email metadata: Email metadata may contain details about the email itself, as well as information about how the specific email arrived in the mailbox. Email metadata is commonly used in forensic investigations to determine when the email was sent or received, what server the email originated from and whether the email is authentic or fabricated (“spoofed”).
- EXIF metadata: EXIF metadata is created by cameras, such as digital cameras, phones and tablets. Types of EXIF metadata that may be relevant in an investigation are the make and model of camera (e.g., Apple iPhone 6S), the date and time the photo was taken, GPS coordinates of where the photo was taken, file format and file size.
In forensic investigations, it is important to retain a skilled and experienced forensic expert to ensure metadata is accurately preserved and not altered. This is most often done by generating a forensic image. However, metadata information may also be preserved through other means depending on the device or other data source at issue. Once the source is appropriately preserved, the forensic investigation can begin with confidence.
Metadata examination can quickly become a critical component of an investigation. It is not uncommon to see tech-savvy individuals attempt to alter or purge metadata prior to an investigation. When people attempt to cover their tracks by tampering with metadata, inconsistencies across various metadata points may prove metadata tampering or destruction of crucial information. An expert skilled in forensic examinations can identify metadata tampering and has the experience to testify credibly in a court of law about their observations.
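The cross-check described above, as an added example that is not part of the original article or QDiscovery's tooling: it reads the document metadata stored inside a .docx file and compares it with file system timestamps supplied by the examiner. The function names, the two-minute tolerance and the sample values are assumptions constructed for illustration, and the timestamp parser assumes the UTC form shown in the comment.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/"}

def utc(text):
    """Parse a UTC timestamp of the form 2023-03-01T09:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def read_core_properties(docx_bytes):
    """Read document metadata from docProps/core.xml inside a .docx (a ZIP)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {"author": root.findtext("dc:creator", namespaces=NS),
            "last_modified_by": root.findtext("cp:lastModifiedBy", namespaces=NS),
            "created": utc(root.findtext("dcterms:created", namespaces=NS)),
            "modified": utc(root.findtext("dcterms:modified", namespaces=NS))}

def find_inconsistencies(doc, fs_created, fs_modified, slack=timedelta(minutes=2)):
    """Compare document metadata with file system timestamps; return findings."""
    findings = []
    if doc["created"] > doc["modified"]:
        findings.append("document created after its own last save")
    if fs_modified + slack < doc["modified"]:
        findings.append("file system modified time predates last save in document")
    if fs_created > fs_modified + slack:
        # Not tampering by itself: copying a file commonly produces this pattern.
        findings.append("file system created after modified (typical of a copy)")
    return findings

def build_sample_docx(created, modified):
    """Constructed sample: a minimal ZIP holding only docProps/core.xml."""
    xml = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
           f'xmlns:dcterms="{NS["dcterms"]}"><dc:creator>A. Author</dc:creator>'
           f'<cp:lastModifiedBy>B. Editor</cp:lastModifiedBy>'
           f'<dcterms:created>{created}</dcterms:created>'
           f'<dcterms:modified>{modified}</dcterms:modified></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    doc = read_core_properties(build_sample_docx("2023-03-01T09:00:00Z", "2023-03-05T17:30:00Z"))
    # Constructed file system times: last write is a month before the embedded last save.
    for f in find_inconsistencies(doc, utc("2023-02-01T08:00:00Z"), utc("2023-02-01T08:00:00Z")):
        print("FLAG:", f)
```

Each finding is a lead for the examiner to explain against the preserved image, not a conclusion on its own.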
QDiscovery has a team of forensic experts who are skilled in both the preservation and analysis of metadata. They are frequently engaged in matters where metadata is the crux of the investigation, from insurance claim investigations where EXIF metadata is analyzed to IP theft investigations where metadata shows exactly what files were taken and when.
Metadata is critical to preserve and analyze in forensic investigations, and broader eDiscovery matters. It helps paint a bigger picture so case teams see the full impact of each file, including how the file was interacted with and how it fits with other activities on the computer or phone.
Gary Hunt is a Senior Digital Forensic Examiner for QDiscovery. Gary holds the Certified Computer Examiner (CCE) certification, is an active member of the International Society of Forensic Computer Examiners (ISFCE) and High Technology Crime Investigation Association (HTCIA) organizations and is one of QDiscovery’s testifying experts. Prior to joining QDiscovery, Gary managed the Midwest presence for TransPerfect Legal Solutions’ Forensic Technology and Consulting division. His diverse background in technology, forensics and eDiscovery provides a unique perspective to many challenges faced in the eDiscovery industry.