Bay Area Computer Forensics Expert, Investigator & Witness

News & Computer Forensics Blog

Author Jon Berryhill

Computer Forensics Investigative Expert and Certified Expert Witness for Military, State and Federal Courts

What is Metadata?

11/11/2019

by Jon Berryhill

To understand metadata, you first have to understand what the word means. The prefix “meta” means “beyond” and is used to indicate a concept that is an abstraction behind another concept. From this we get the meaning that metadata is the “data beyond the data”. In the world of digital forensics, metadata is the data and information that is part of, or attached to, some other more obvious piece of data. We usually think of metadata as being associated with a particular file. Every file on a computer has some amount of metadata associated with it. The amount, type and usefulness of that data depend on the type of file and the type of investigation.


I usually break metadata down into two broad groups: internal and external. Every file on a computer or any digital storage media has some external metadata, and most user-created files have varying amounts of internal metadata.

On all modern computer systems the minimum metadata is the external metadata, which consists of several date/time stamps that memorialize the file creation, last access and last written date/time. That information, along with the file name, is not stored with the file but rather in a table maintained by the operating system for each storage device (and stored on that device). It doesn’t matter if it’s a hard drive, thumb drive or SD card. Each storage device has a table, separate from the files, that exists for housekeeping purposes. Think of it like a card catalog system in an old-fashioned library. The card in the little drawer has the name of a book, directions on where to find it and a small amount of other information about the book that would vary depending on the library system and the type of book. The tables maintained by the computer are similar. The table has the name of the file, various date/time stamps and directions for the computer on where to find the file. In this imaginary virtual library, the books don’t have covers that contain the sort of information you might expect to find if you just browsed the shelves and pulled out a book at random. You need to cross-reference the book with the card catalog card to get the full picture. There is other information in the table too that is, usually, less interesting from an investigative standpoint.

Even this most basic metadata can be misinterpreted and is often misunderstood. Top on this list is the file creation date/time. This date/time is not what you might think from the simple name. What it actually records is when that particular file was first written to the storage media on which we see it. The other basic date/time stamps are a bit more straightforward in their meaning. Last written is the last time the file was saved for any reason: not necessarily when it last changed, but just the last time the “save” button was hit or an auto-save feature was engaged. The last access date/time is simply the last time the file was touched for some reason. There is no information here about what, who, why or what software tool took the action. The two most common reasons would be that the file was either opened or copied.

How all this metadata is interpreted is critical and often requires some explaining. First we have the intuitively backwards situation that can occur where a file has a last written date/time of yesterday and a file creation date/time of today. Doesn’t a file have to be created before it was last saved? This is a common scenario that happens when a file is moved from one computer to another. If you created a file on computer A yesterday and then today copy that file from computer A to computer B (assuming you make no changes to the content), the last written date/time (in most, but not all, cases) will carry over to the new computer, but the file creation date/time will not. By copying the file from A to B, you have created a new file on B, and it will have a file creation date/time that reflects when that action took place. In most cases the act of this file copy would also cause the last accessed date/time on computer A to be updated. Further, if we examine the time stamps on the two computers we can figure out exactly when the file (a copy of it, actually) left A and when it landed on B. A gap in the timing could even indicate that an intermediate storage device may exist (which means yet another copy of the file is floating around out there somewhere). If the last access and file creation date/time on computer B match, that is a pretty good indication that nothing has been done with that file since it was first copied to computer B.

Just from this metadata it is possible to put together a great deal of valuable information about what a user may have been up to with their computer usage.
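As an added worked example (not part of the original post), here is the reading of the two-computer copy scenario above expressed in Python: the host names, the sample date/time stamps and the five-minute “direct copy” threshold are all assumptions made for illustration. One caveat the stamps themselves do not show: several Windows versions do not update the last-access stamp by default, so the access-based checks only apply where that stamp is actually being maintained.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FileTimes:
    """External metadata for one file, as recorded in the file system's table."""
    host: str
    created: datetime   # first written to THIS storage device
    modified: datetime  # last written: last save or auto-save, content change or not
    accessed: datetime  # last touched for any reason: opened, copied, ...


def interpret(t: FileTimes) -> list[str]:
    """Plain-language observations drawn from a single file's time stamps."""
    notes = []
    if t.created > t.modified:
        # The "backwards" case: the content predates this copy of the file,
        # so it was copied or moved here rather than authored here.
        notes.append("copied here: created after last written, content unchanged in transit")
    if t.accessed == t.created:
        notes.append("untouched since copy: last access equals creation")
    return notes


def trace_copy(src: FileTimes, dst: FileTimes, max_gap: timedelta = timedelta(minutes=5)) -> dict:
    """Line up the copy-out on the source (its last access) with the landing on the destination (its creation)."""
    if dst.modified != src.modified:
        return {"verdict": "not the same content: last-written stamps differ"}
    gap = dst.created - src.accessed
    if gap < timedelta(0):
        verdict = "inconsistent: landed before it was read from the source (check clock skew)"
    elif gap <= max_gap:
        verdict = "direct copy"
    else:
        verdict = "gap suggests an intermediate device (another copy may exist)"
    return {"left_source": src.accessed, "landed": dst.created, "gap": gap, "verdict": verdict}


# Constructed sample stamps for the scenario in the text (hypothetical, not from any real case).
A = FileTimes("A", datetime(2019, 11, 10, 9, 0), datetime(2019, 11, 10, 17, 30), datetime(2019, 11, 11, 14, 2))
B_DIRECT = FileTimes("B", datetime(2019, 11, 11, 14, 2), datetime(2019, 11, 10, 17, 30), datetime(2019, 11, 11, 14, 2))
B_VIA_USB = FileTimes("B", datetime(2019, 11, 11, 16, 40), datetime(2019, 11, 10, 17, 30), datetime(2019, 11, 11, 16, 40))

if __name__ == "__main__":
    for f in (A, B_DIRECT, B_VIA_USB):
        print(f.host, interpret(f))
    print(trace_copy(A, B_DIRECT)["verdict"])
    print(trace_copy(A, B_VIA_USB)["verdict"])
```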



Berryhill Computer Forensics, Inc.   TX 6-853-249  All Rights Reserved.
Text and content on this site may not be used without written permission.
Copyright © 1997-2023