June 20, 2015
The Relevance of Metadata
There are numerous pieces of evidence that hold value in a digital forensic investigation. Like all investigations, we try to answer the basic questions: who, what, where, when, how and, if applicable, why. In the world of digital forensics, there is perhaps no single category of data that helps answer these questions more than metadata. Metadata has gotten a lot of [bad] press lately because of the “revelation” that the U.S. government is collecting cellular usage metadata in their ongoing fight against domestic and international terrorism. But what is metadata?
Simply put, metadata is data about data. Now, you’re probably reading that and saying “oh, ok… What?!” So I’ll try to break it down a bit. One of the most basic and understandable examples is the Microsoft Word document I’m using to write this blog article. The data is what is contained in the document: the actual text, pictures, etc. The metadata is all of the background information: who created the document, when it was created, modified or accessed, who the owner of the document is and so forth. All of this identifying information comes from various sources. Some of it is created when you first install Windows or another operating system. When you install the operating system, you generally create a user account and subsequently install applications on that computer using that account. This is where some metadata starts. Then, when you install an application (like MS Word), it prompts you to enter author/owner information, which is then attributed to every document that is created on that user account through MS Word. Are you starting to see how this information could be useful in a multitude of investigations?
Take it a step further...
You know that smart phone you carry around in your pocket and take selfies with? There’s all sorts of metadata about those pictures, too. It’s called EXIF data and it contains a virtual treasure trove of information that we use in our investigations to help prove or disprove a claim in a particular case. This wealth of information includes the date & time the picture was taken, the device on which the picture was taken, the latitude and longitude (location) where the picture was taken and the operating system of the device. For stand-alone digital cameras, this EXIF data can also include the shutter speed, aperture settings and other associated photographic data. It really is quite valuable for investigators.
So what does metadata look like to the digital forensic examiner? The various forensic tools we use parse this data, but you can look at it too. For instance, this picture was taken recently during a presentation for the Private Investigator’s Association of Virginia (PIAVA) in McLean, VA:
By using a free tool called IrfanView, I’m able to extract and view the native EXIF data:
Filename - _DSC1749 Lo Rez.jpg
Orientation - Top left
ImageWidth - 4928
ISOSpeedRatings - 640
ImageLength - 3280
ExifVersion - 0221
BitsPerSample - 8 8 8
DateTimeOriginal - 2015:06:18 20:13:47
PhotometricInterpretation - 2
DateTimeDigitized - 2015:06:18 20:13:47
Make - NIKON CORPORATION
ShutterSpeedValue - 1/60 seconds
Model - NIKON D4S
ApertureValue - F 6.30
Orientation - Top left
ExposureBiasValue - -0.33
SamplesPerPixel - 3
MaxApertureValue - F 2.83
XResolution - 150.00
ExifImageWidth - 1050
YResolution - 150.00
ExifImageHeight - 826
ResolutionUnit - Inch
FocalPlaneXResolution - 1368.89
Software - Adobe Photoshop CC 2014 (Windows)
FocalPlaneYResolution - 1368.89
Copyright - Ron XXXX
FocalPlaneResolutionUnit - Centimeter
ExifOffset - 332
SensingMethod - One-chip color area sensor
ExposureTime - 1/60 seconds
FileSource - DSC - Digital still camera
Orientation - Top left
SceneType - A directly photographed image
SamplesPerPixel - 3
CustomRendered - Normal process
ResolutionUnit - Inch
ExposureMode - Auto
Software - Adobe Photoshop CC 2014 (Windows)
ISOSpeedRatings - 640
DateTime - 2015:06:19 09:16:26
ExifVersion - 0221
Artist - Ron XXXX
ExifOffset - 332
As you can see, this EXIF data provides much more information about the picture than the user normally sees. This particular camera does not have GPS enabled, but your smart phone does, providing even more detailed information about the location where the picture was taken. The evidence contained in the photograph itself is only the beginning.
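To show what IrfanView is reading from a file like the one above, here is an added example (not code from the post or from IrfanView) that walks a JPEG's APP1 segment, decodes the TIFF-style IFD0 and Exif sub-IFD by hand, and then runs the timeline check an examiner makes on such a listing: DateTime is rewritten every time the file is saved, DateTimeOriginal is not. The sample image is constructed inline with the Make, Model, Software, Artist and date values from the listing above; it carries no picture data.

```python
import struct

# TIFF/EXIF tag numbers of the ASCII tags we read; tag 0x8769 is the pointer to the Exif sub-IFD
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime",
        0x013B: "Artist", 0x9003: "DateTimeOriginal", 0x9004: "DateTimeDigitized"}

def parse_exif(jpeg):
    """Return EXIF tags by name from IFD0 and the Exif sub-IFD; assumes APP1/Exif follows SOI."""
    if jpeg[:4] != b"\xff\xd8\xff\xe1" or jpeg[6:12] != b"Exif\x00\x00":
        return {}
    tiff = jpeg[12:4 + struct.unpack(">H", jpeg[4:6])[0]]  # TIFF block; offsets are relative to it
    bo = "<" if tiff[:2] == b"II" else ">"  # "II" = little-endian (Intel), "MM" = big-endian
    out, todo = {}, [struct.unpack(bo + "I", tiff[4:8])[0]]  # start at IFD0
    while todo:
        off = todo.pop()  # an IFD is a 2-byte entry count followed by 12-byte entries
        for i in range(struct.unpack(bo + "H", tiff[off:off + 2])[0]):
            tag, typ, n, val = struct.unpack(bo + "HHI4s", tiff[off + 2 + 12 * i:][:12])
            if tag == 0x8769:
                todo.append(struct.unpack(bo + "I", val)[0])  # follow the Exif sub-IFD pointer
            elif tag in TAGS and typ == 2:  # ASCII; values longer than 4 bytes sit at an offset
                data = val[:n] if n <= 4 else tiff[struct.unpack(bo + "I", val)[0]:][:n]
                out[TAGS[tag]] = data.rstrip(b"\x00").decode("ascii", "replace")
    return out

def edit_indicators(tags):
    """DateTime is rewritten on every save, DateTimeOriginal is not: a mismatch means re-editing."""
    notes = []
    if tags.get("DateTimeOriginal") and tags.get("DateTime") not in (None, tags["DateTimeOriginal"]):
        notes.append("re-saved after capture: %s -> %s" % (tags["DateTimeOriginal"], tags["DateTime"]))
    if "Software" in tags:
        notes.append("last written by: " + tags["Software"])
    return notes

def build_sample_jpeg():
    """Constructed test file (not the post's photo): SOI + APP1 holding a little-endian TIFF block."""
    def ifd(entries, base, extra=b""):  # entries: (tag, text); extra: a pre-packed pointer entry
        data_off, table, blob = base + 2 + 12 * len(entries) + len(extra) + 4, b"", b""
        for tag, text in entries:  # ASCII values are longer than 4 bytes, so stored after the table
            table += struct.pack("<HHII", tag, 2, len(text) + 1, data_off + len(blob))
            blob += text.encode() + b"\x00"
        return struct.pack("<H", len(entries) + len(extra) // 12) + table + extra + b"\x00" * 4 + blob
    ifd0 = [(0x010F, "NIKON CORPORATION"), (0x0110, "NIKON D4S"), (0x0131, "Adobe Photoshop CC 2014 (Windows)"),
            (0x0132, "2015:06:19 09:16:26"), (0x013B, "Ron XXXX")]
    sub_off = 8 + len(ifd(ifd0, 8, b"\x00" * 12))  # IFD0 length does not depend on the pointer value
    ptr = struct.pack("<HHII", 0x8769, 4, 1, sub_off)  # ExifOffset entry: LONG, count 1
    tiff = (b"II*\x00" + struct.pack("<I", 8) + ifd(ifd0, 8, ptr)
            + ifd([(0x9003, "2015:06:18 20:13:47"), (0x9004, "2015:06:18 20:13:47")], sub_off))
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run on the constructed file, edit_indicators reports that the image was re-saved the morning after it was taken and names Photoshop as the last writer, which is exactly what the listing above tells an examiner.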
This data isn’t restricted to documents and photographs. In fact, metadata at a basic level is an extremely important source of information in digital forensic examinations. Data like this can not only accompany documents, images, etc., but can also be stored in the file table of the operating system or of a piece of external media (i.e., thumb drives, SD cards, etc.) that you’re using to store other documents, pictures, etc. upon. File tables are created when you format a particular piece of media to keep track of the files and to give the operating system easy access to them. External media like thumb drives and SD cards store only basic metadata in their file tables, while your Windows or Mac operating system stores much more. Sometimes even more valuable are the copies, backups and shadow copies that the operating system creates on its own, which can store historical data about when files were altered, previously existed on, or were removed from the system.
Digital forensic examiners pull the threads and unravel the tapestry of the evidence. We look for the information that shows us what was going on and, hopefully, who was responsible. With data storage devices at everyone’s fingertips in the digital age, this information and evidence is invaluable in helping to prove or disprove a claim. As I tell groups of attorneys, investigators and information security officers all the time, the data doesn’t lie. It helps paint a clearer picture of what happened, which is ultimately what everyone is after: the truth.
Author: Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant, Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia. Available globally.
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history. A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.
Twitter: @ProDigital4n6