News & Computer Forensics Blog
Author Jon Berryhill
Computer Forensics Investigative Expert and Certified Expert Witness for Military, State and Federal Courts
by Jon Berryhill

To understand metadata, you first have to understand what the word means. The prefix “meta” means “beyond” and is used to indicate a concept that is an abstraction behind another concept. From this we get the meaning that metadata is the “data beyond the data”. In the world of digital forensics, metadata is the data and information that is part of or attached to some other, more obvious piece of data. We usually think of metadata as being associated with a particular file. Every file on a computer has some amount of metadata associated with it. The amount, type and usefulness of that data depends on the type of file and the type of investigation.

I usually break metadata down into two broad groups: internal and external. Every file on a computer or any digital storage media has some external metadata, and most user-created files have varying amounts of internal metadata. On all modern computer systems the minimum metadata is the external metadata, which consists of several date/time stamps that record the file creation, last access and last written date/time. That information, along with the file name, is not stored with the file but rather in a table maintained by the operating system for each storage device (and stored on that device). It doesn’t matter if it’s a hard drive, thumb drive or SD card. Each storage device has a table, separate from the files, that exists for housekeeping purposes.

Think of it like the card catalog in an old-fashioned library. The card in the little drawer has the name of a book, directions on where to find it and a small amount of other information about the book that varies depending on the library system and the type of book. The tables maintained by the computer are similar. The table has the name of the file, various date/time stamps and directions for the computer on where to find the file.
In this imaginary virtual library, the books don’t have covers that contain the sort of information you might expect to find if you just browsed the shelves and pulled out a book at random. You need to cross-reference the book with its card catalog card to get the full picture. There is other stuff there too that is, usually, less interesting from an investigative standpoint.

Even this most basic metadata can be misinterpreted and is often misunderstood. Top of this list is the file creation date/time. This date/time is not what you might think from the simple name. What it actually records is when that particular file was first written to the storage media on which we see it. The other basic date/time stamps are a bit more straightforward in their meaning. Last written is the last time the file was saved for any reason, not necessarily when it last changed, but just the last time the “save” button was hit or an auto-save feature was engaged. The last access date/time is simply the last time the file was touched for some reason. There is no information here about what, who, why or what software tool took the action. The two most common reasons would be that the file was either opened or copied.

How all this metadata is interpreted is critical and often requires some explaining. First we have the intuitively backwards situation that can occur where we could have a file that has a last written date/time of yesterday and a file creation date/time of today. Doesn’t a file have to be created before it was last saved? This is a common scenario that happens when a file is moved from one computer to another. If you created a file on computer A yesterday and then today copy that file from computer A to computer B (assuming you make no changes to the content), the last written date/time (in most, but not all, cases) will carry over to the new computer, but the file creation date/time will not.
By copying the file from A to B, you have created a new file on B, and it will have a file creation date/time that reflects when that action took place. In most cases the act of this file copy would also cause the last accessed date/time on computer A to be updated. Further, if we examine the time stamps on the two computers we can figure out exactly when the file (a copy of it, actually) left A and when it landed on B. A gap in the timing could even indicate that an intermediate storage device may exist (which means yet another copy of the file is floating around out there somewhere). If the last access and file creation date/time on computer B match, that is a pretty good indication that nothing has been done with that file since it was first copied to computer B. Just from this metadata it is possible to put together a great deal of valuable information about what a user may have been up to with their computer usage.
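The A-to-B copy scenario above, worked through in code. This is an added example, not from the original post: the stamps are constructed, the `FileStamps` record, `interpret` and `transfer_window` are assumed helper names, and the rules encode the post's common-case reading of the three date/time stamps.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class FileStamps:
    """External metadata for one copy of a file, as the post describes it."""
    host: str
    name: str
    created: datetime        # when this copy was first written to this media
    last_written: datetime   # last "save"; carried over by most copy methods
    last_accessed: datetime  # last time the file was touched for any reason

def interpret(s: FileStamps) -> List[str]:
    """Plain-language observations drawn from one set of stamps.
    Common-case rules only: some copy methods reset last written and some
    tools update access times, so the post's 'in most cases' caveat applies."""
    notes = []
    if s.created > s.last_written:
        notes.append("created after last written: this copy came from another location")
    if s.last_accessed == s.created:
        notes.append("last accessed equals created: not opened or copied since it arrived")
    return notes

def transfer_window(src: FileStamps, dst: FileStamps) -> Optional[timedelta]:
    """Time between the copy leaving src (its last access) and landing on dst
    (its creation). None means the stamps do not fit a src -> dst copy: the
    last written stamp differs, or dst was created before src was last touched."""
    if src.last_written != dst.last_written or dst.created < src.last_accessed:
        return None
    return dst.created - src.last_accessed

# Constructed sample stamps (not from a real case): a report written on
# computer A one day and copied to computer B the next morning.
A = FileStamps("A", "report.docx",
               datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 17, 30),
               datetime(2024, 3, 5, 10, 0))
B = FileStamps("B", "report.docx",
               datetime(2024, 3, 5, 10, 12), datetime(2024, 3, 4, 17, 30),
               datetime(2024, 3, 5, 10, 12))

if __name__ == "__main__":
    for s in (A, B):
        print(s.host, interpret(s))
    gap = transfer_window(A, B)
    print("transfer window:", gap)
    # A noticeable gap hints at an intermediate device; the one-minute threshold
    # is an assumption for this example, not a rule from the post.
    if gap and gap > timedelta(minutes=1):
        print("gap suggests an intermediate device (another copy may exist)")
```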
By Jon Berryhill
If you’ve encountered a matter involving computer evidence, you may have heard the term “hash value” and wondered what in the world a hash value is. A hash tag “#” (otherwise known as the pound symbol or, originally, an octothorpe), brought to you by Twitter in 2007, is not what this post is about. A hash value and a hash tag are two completely different things. Let’s take a quick dive into this somewhat esoteric term for a critical tool.

A hash value is a common feature used in forensic analysis as well as in the cryptographic world. The best definition I’ve seen is that a hash is a function that can be used to map data of an arbitrary size onto data of a fixed size. The word “function” is used in its truest mathematical sense. The hash value is the result of the function. Standard hash algorithms are sets of complex but public mathematical steps. There is nothing secret about them. Some people equate a hash value to a fingerprint. It provides a way of identifying and verifying a chunk of digital data. You can have a hash value for a single file, a group of files, or even an entire hard drive. A hash value is a harmless-looking string of hexadecimal characters, generally 32 to 64 characters long, depending on the hash algorithm used. There is absolutely nothing in a hash value that will tell you anything about what was hashed or how big it was. The way the algorithms work, the length of the hash value is always the same no matter the quantity of data processed. So what do they look like?
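What hash values look like in practice, picking up the question the hash-value post ends on. This is an added example, not code from the original post: `hash_stream`, `hash_bytes` and `same_content` are assumed helper names, and the three inputs are constructed to show that the digest length stays fixed whether the input is empty, a few bytes, or a multi-megabyte image.

```python
import hashlib
import io
from typing import BinaryIO

def hash_stream(stream: BinaryIO, algorithm: str = "sha256", chunk: int = 1 << 20) -> str:
    """Hash arbitrary-size data in fixed-size chunks, the way a file or a whole
    drive image is hashed without loading it into memory, and return the hex digest."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithm)

def same_content(original: bytes, copy: bytes, algorithm: str = "sha256") -> bool:
    """Verify a copy against its original the way an acquisition is verified:
    the two hash values must match exactly."""
    return hash_bytes(original, algorithm) == hash_bytes(copy, algorithm)

# Constructed inputs of very different sizes: an empty file, a three-byte note,
# and a 5 MiB stand-in for a disk image.
SAMPLES = {
    "empty": b"",
    "note": b"abc",
    "image": bytes(range(256)) * (5 * 4096),
}

if __name__ == "__main__":
    # MD5 gives 32 hex characters, SHA-1 40, SHA-256 64, regardless of input size.
    for algo in ("md5", "sha1", "sha256"):
        for label, data in SAMPLES.items():
            digest = hash_bytes(data, algo)
            print(f"{algo:6} {label:6} {len(data):8d} bytes -> {len(digest)} hex chars: {digest}")
    # Changing a single byte of the copy (its last byte, 0xff, becomes 0x00)
    # produces a completely different digest, so the verification fails.
    tampered = SAMPLES["image"][:-1] + b"\x00"
    print("exact copy verified:", same_content(SAMPLES["image"], SAMPLES["image"]))
    print("tampered copy verified:", same_content(SAMPLES["image"], tampered))
```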
In nearly all litigation these days, there is some evidence on a computer. Have you considered this for your case? If you haven't, you should. But don't panic. Bring in a seasoned computer forensics specialist sooner rather than later, and you can save valuable time and money, not to mention legal wrangling.

Intuition is a powerful force that deserves your respect. If your gut is nagging at you, suspecting that some legal issues may be afoot, it's worth checking out. And it's literally never "too soon" to call in a qualified computer forensics expert. Doing so may speed up the legal process and help clarify facts and issues from the get-go that may influence your case later on. In fact, the earlier an expert is brought in, the more helpful we can be.

Is there a downside to calling your computer forensics expert right away? We're hard-pressed to think of one, perhaps just the confirmation that you have a legal battle ahead. But that would have been the case whether or not you called us first! Even in that worst-case scenario, computer forensics can smooth or even shorten the rough road you anticipate. In the best scenario, we can help clients avoid court altogether. We've discovered many a "smoking gun" in the discovery phase that put an abrupt end to the proceedings.

What's the downside to not calling computer forensics experts first? Evidence may be lost that could support your case. If you've even considered litigation, your first consideration should be to preserve evidence. Don't even touch an evidence computer until you've spoken to a forensics specialist. Worried we'll come in and stop business operations in their tracks? No need. We quickly archive data to preserve a snapshot of every potential piece of evidence. Bringing us in when you first suspect a problem means you have a qualified guide in navigating even the first few crucial steps of the electronic discovery process.

It's an opportunity to avoid pitfalls that would otherwise harm your case and to gain valuable insight into the facts. Sometimes we're brought in early enough that we can deliver excellent advice or recommendations without even touching a computer. Sounds strange, we know. But a thoughtful conversation leveraging decades of experience can often dispel a client's concerns. And in situations where squaring off in court seems unavoidable, we're right there with expert advice. We help clients anticipate challenges and face them down with the very best evidence available. So if you've got butterflies, chances are you're about to wade into the ESI (electronically stored evidence) jungle. Call or e-mail us first, because every step counts. Especially the first one!