Tech Talk Live Blog

Digital Forensics: The Value of File Metadata

Brian Steigauf


File metadata (data about a file) is an extremely important part of many file types in our computers and electronic devices. Metadata can be used to show the settings a camera used to capture a photograph (aperture size, shutter speed, etc.), very important information for the professional photographer.

Microsoft Office and PDF documents use metadata to show the author and creation time. Metadata can also be used by operating systems in searches or to create dynamic lists.

File metadata can also be used to tell many things about a computer or user in an investigation. Using the file metadata in a Microsoft Word document, many determinations can be made about the authenticity of that document. If a person claims that a document is their creation, but the “creator” and “last modified by” metadata show another name . . . that would be suspicious. If a claim is made that a document required 40 hours to complete, but the “total edit time” was 2 minutes . . . that would be suspicious. Care must be taken not to jump to conclusions, but during an investigation, these artifacts can be added as facts. A potential explanation for such a short edit time could be that the user copied and pasted the text from a draft version of the file. On the flip side, the text could have been plagiarized from a file downloaded from the Internet.
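As an added illustration (not code from the original post or from any tool it mentions): a .docx file is a ZIP archive whose `docProps/core.xml` and `docProps/app.xml` parts hold the creator, last-modified-by and total edit time (in minutes) fields described above. The sample document, the names in it and the 10% edit-time threshold are constructed assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {  # OOXML package property namespaces
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

def _text(z, part, path):
    """Text of one element in one ZIP part, or None if part/element is absent."""
    if part not in z.namelist():
        return None
    node = ET.fromstring(z.read(part)).find(path, NS)
    return node.text if node is not None else None

def read_docx_metadata(data: bytes) -> dict:
    """Pull the three fields discussed above out of a .docx (a ZIP archive)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        minutes = _text(z, "docProps/app.xml", "ep:TotalTime")
        return {
            "creator": _text(z, "docProps/core.xml", "dc:creator"),
            "last_modified_by": _text(z, "docProps/core.xml", "cp:lastModifiedBy"),
            "total_edit_minutes": int(minutes) if minutes and minutes.isdigit() else None,
        }

def review(meta: dict, claimed_author: str, claimed_hours: float, ratio: float = 0.1) -> list:
    """List discrepancies between the metadata and the claim; leads, not conclusions."""
    findings = []
    for field in ("creator", "last_modified_by"):
        value = meta[field]
        if value and value.strip().lower() != claimed_author.strip().lower():
            findings.append(f"{field} is '{value}', claimed author is '{claimed_author}'")
    minutes = meta["total_edit_minutes"]
    if minutes is not None and minutes < claimed_hours * 60 * ratio:
        findings.append(f"total edit time is {minutes} min, claimed {claimed_hours} h")
    return findings

def build_sample_docx() -> bytes:
    """Constructed sample: only the two property parts, with made-up names."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}"><dc:creator>Alex Doe'
            "</dc:creator><cp:lastModifiedBy>Alex Doe</cp:lastModifiedBy></cp:coreProperties>")
    app = f'<Properties xmlns="{NS["ep"]}"><TotalTime>2</TotalTime></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()
```

Calling `review(read_docx_metadata(build_sample_docx()), "Sam Roe", 40)` returns three findings for the constructed sample. Python's standard-library XML parser is not hardened against maliciously constructed XML, so run this only on a working copy of the evidence in an analysis environment.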

File metadata can also be used to make some “assumptions” about certain file types. MP3 and MP4 music files downloaded legally contain metadata about the music, including artist, album name, encoding information, length, etc. If that metadata is all set to a known illegal download site, it is easy to say the file was not obtained legitimately.

Many cameras and smartphones have GPS capabilities and will add the GPS coordinates of where a photo was taken. That metadata, along with date and time information, can be very powerful in an investigation. All that is needed to pinpoint where the photo was taken is to enter the coordinates in Google Maps.

Metadata can be obtained by looking at a file’s properties (Right-click/Properties in Windows, File/Get Info on OS X) or by using a tool like ExifTool:

http://www.sno.phy.queensu.ca/~phil/exiftool/

This simple tool easily allows you to see all metadata related to almost any file type.
