Digital Evidence Analysis: Metadata Analysis and Extraction
Metadata is often described as "data about data." It describes and explains an information resource in a way that makes the resource easier to retrieve, use or manage. From a digital forensics perspective, metadata is also defined as "evidence, typically stored electronically, that describes the characteristics, origins, usage and validity of other electronic evidence."
Metadata, which is hidden in computer files, has been called "the electronic equivalent of DNA" because it can reveal extensive information that can be used as digital evidence. Metadata includes but is not limited to:
- The dates a file was created and last modified and accessed.
- The location of a file on a computer or network.
- The name of the user account through which a document was last saved.
- The identity and address book information of the user account from which an e-mail was sent.
Challenges Faced by Law Enforcement Related to Metadata Extraction
Although there are forensics tools that extract metadata from a variety of file formats, the quality and quantity of metadata
varies depending on the file type. For example, many tools focus on extracting great amounts of metadata from Microsoft Office
documents but often report little metadata from less common but potentially equally important files created using other software
applications. Additionally, most metadata-extracting applications fail to provide meta-metadata (metadata about metadata)
that would lead to additional analysis steps or automated correlation of the information extracted from multiple files. The
lack of a comprehensive metadata analysis tool results in a significant amount of time spent by examiners on manual examination.
NIJ supports the development of tools and training to enhance the extraction of metadata. In one such project, the NIJ grantee,
Assured Information Security, will develop, test and disseminate the Enhanced Metadata Analysis Tool. The tool provides the
forensic examiner with the ability to:
- Identify and extract a wide variety of specific metadata from recovered files in large data sets.
- Summarize file relationships based on their metadata.
- Search extracted metadata for specific terms.
This capability is expected to significantly reduce the amount of time spent analyzing and manually processing data, especially
when examiners attempt to correlate metadata from hundreds or thousands of files. For example, if examiners discover thousands
of JPEG images and want to test the hypothesis that all photos were taken with the same camera, they must first extract the
metadata and then visually compare the extracted information. Not only is this approach impractical, but the chance of error
and oversight also increases significantly. The Enhanced Metadata Analysis Tool will reduce examination time by allowing the examiner
to query the extracted metadata for specific terms and by highlighting pertinent information such as relationships between
files, additional storage devices such as digital cameras, date and time stamps, and names and contact information.
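The "same camera" hypothesis described above can be tested automatically rather than by eye. The following Python is an added example written for this page, not code from NIJ or from the Enhanced Metadata Analysis Tool: it reads the Exif IFD0 of each JPEG (Make, Model, Software, DateTime) and groups files by Make/Model, so the question becomes a single query over the extracted metadata. The function names and the sample images are constructed for the example; real examinations would read image files from disk.

```python
import struct
# IFD0 tags (TIFF 6.0 / Exif) that identify the producing device and software; all are ASCII (type 2)
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}

def parse_exif_ifd0(jpeg: bytes) -> dict:
    """Return the TAGS present in IFD0 of the JPEG's APP1 Exif segment ({} if there is none)."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, found = 2, {}
    while pos + 4 <= len(jpeg):
        marker, seglen = struct.unpack(">2sH", jpeg[pos:pos + 4])
        if marker == b"\xFF\xDA":                        # start of scan: no metadata segments follow
            break
        body = jpeg[pos + 4:pos + 2 + seglen]
        pos += 2 + seglen
        if marker != b"\xFF\xE1" or not body.startswith(b"Exif\x00\x00"):
            continue
        tiff = body[6:]                                  # TIFF header: byte order, 0x2A, IFD0 offset
        endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):                           # 12-byte entries: tag, type, count, value/offset
            tag, typ, n, val = struct.unpack(endian + "HHI4s", tiff[ifd0 + 2 + 12 * i:][:12])
            if tag in TAGS and typ == 2:
                off = struct.unpack(endian + "I", val)[0]
                raw = val[:n] if n <= 4 else tiff[off:off + n]   # <= 4 bytes sit inline, longer by offset
                found[TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
        break                                            # first Exif segment is the authoritative one
    return found

def group_by_camera(images: dict) -> dict:
    """Map (Make, Model) -> sorted file names, so 'same camera?' becomes a one-key query."""
    groups = {}
    for name, data in images.items():
        md = parse_exif_ifd0(data)
        groups.setdefault((md.get("Make", "?"), md.get("Model", "?")), []).append(name)
    return {k: sorted(v) for k, v in groups.items()}

def make_sample_jpeg(make: str, model: str) -> bytes:
    """Constructed test input: a minimal big-endian JPEG whose Exif IFD0 holds only Make and Model."""
    entries, blob, off = b"", b"", 8 + 2 + 2 * 12 + 4    # data area follows header, count, entries, next-IFD
    for tag, text in ((0x010F, make), (0x0110, model)):
        v = text.encode("ascii") + b"\x00"
        if len(v) <= 4:                                  # short value: inline, padded to the 4-byte field
            entries += struct.pack(">HHI4s", tag, 2, len(v), v.ljust(4, b"\x00"))
        else:                                            # long value: offset into the data area
            entries += struct.pack(">HHII", tag, 2, len(v), off + len(blob))
            blob += v
    tiff = b"MM\x00\x2A" + struct.pack(">IH", 8, 2) + entries + b"\x00" * 4 + blob
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(tiff) + 8) + b"Exif\x00\x00" + tiff + b"\xFF\xDA\x00\x02\xFF\xD9"
```

Files whose Make/Model differ, or that carry no Exif at all (key `("?", "?")`), fall into their own groups, which is exactly the oversight a visual comparison of thousands of files tends to miss.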
The tool is under development and expected to be disseminated to law enforcement starting at the end of 2010.
Date Created: November 5, 2010