Saturday, June 20, 2015

Metadata

June 20, 2015

The Relevance of Metadata

There are numerous pieces of evidence that hold value in a digital forensic investigation.  Like all investigations, we try to answer the basic questions: Who, what, where, when, how and, if applicable, why.  In the world of digital forensics, there is perhaps no single category of data that helps answer these questions more than metadata.  Metadata has gotten a lot of [bad] press lately because of the “revelation” that the U.S. government is collecting cellular usage metadata in their ongoing fight against domestic and international terrorism.  But what is metadata?

Simply put, metadata is data about data.  Now, you’re probably reading that and saying “oh, ok… What?!”  So I’ll try to break it down a bit.  One of the most basic and understandable examples is the Microsoft Word document I’m using to write this blog article.  The data is what is contained in the document.  The actual text, pictures, etc.  The metadata is all of the background information -- Who created the document, when it was created or modified or accessed, who the owner of the document is and so forth.  All of this identifying information comes from various sources.  Some of it is created when you first install Windows or other operating system.  When you install the operating system, you generally create a user account and subsequently install utilities on that computer using that account.  This is where some metadata starts.  Then, when you install the utility (like MS Word), it prompts you to enter author/owner information, which is then attributed to every document that is created on that user account through MS Word.  Are you starting to see how this information could be useful in a multitude of investigations?

Take it a step further...

You know that smart phone you carry around in your pocket and take selfies with?  There’s all sorts of metadata about those pictures, too. It’s called EXIF data and it contains a virtual treasure trove of information that we use in our investigations to help prove or disprove a claim in a particular case.  This wealth of information includes the date & time the picture was taken, the device on which the picture was taken, the latitude and longitude (location) where the picture was taken and the operating system of the device.  For stand-alone digital cameras, this EXIF data can also include the shutter speed, aperture settings and other associated photographic data.  It really is quite valuable for investigators.

So what does metadata look like to the digital forensic examiner?  Various forensic tools we use parse this data, but you can look at it too.  For instance, this picture was taken recently during a presentation for the Private Investigator’s Association of Virginia (PIAVA) in Mclean, VA:


By using a free tool called Irfanview, I’m able to extract and view the native EXIF data:

Filename - _DSC1749 Lo Rez.jpg
Orientation - Top left
ImageWidth - 4928
ISOSpeedRatings - 640
ImageLength - 3280
ExifVersion - 0221
BitsPerSample - 8 8 8
DateTimeOriginal - 2015:06:18 20:13:47
PhotometricInterpretation - 2
DateTimeDigitized - 2015:06:18 20:13:47
Make - NIKON CORPORATION
ShutterSpeedValue - 1/60 seconds
Model - NIKON D4S
ApertureValue - F 6.30
Orientation - Top left
ExposureBiasValue - -0.33
SamplesPerPixel - 3
MaxApertureValue - F 2.83
XResolution - 150.00
ExifImageWidth - 1050
YResolution - 150.00
ExifImageHeight - 826
ResolutionUnit - Inch
FocalPlaneXResolution - 1368.89
Software - Adobe Photoshop CC 2014 (Windows)
FocalPlaneYResolution - 1368.89
Copyright - Ron XXXX
FocalPlaneResolutionUnit - Centimeter
ExifOffset - 332
SensingMethod - One-chip color area sensor
ExposureTime - 1/60 seconds
FileSource - DSC - Digital still camera
Orientation - Top left
SceneType - A directly photographed image
SamplesPerPixel - 3
CustomRendered - Normal process
ResolutionUnit - Inch
ExposureMode - Auto
Software - Adobe Photoshop CC 2014 (Windows)
ISOSpeedRatings - 640
DateTime - 2015:06:19 09:16:26
ExifVersion - 0221
Artist - Ron XXXX
ExifOffset - 332

As you can see, this EXIF data provides much more information about the picture that the user hardly ever sees.  This particular camera does not have GPS enabled, but your smart phone does, providing even more detailed information about the location the picture was taken.  The evidence contained in the photograph itself is only the beginning.

This data isn’t restricted to documents and photographs.  In fact, metadata at a basic level is an extremely important string of information in digital forensic examinations.  Data like this can not only accompany documents, images, etc., but also be stored in the file table of the operating system or piece of external media (i.e., thumb drives, SD cards, etc.) that you’re using to store other documents, pictures, etc. upon.  File tables are created when you format a particular piece of media to keep track of the files and allow operating systems ease of access to the files.  External media like thumb drives and SD cards store only basic metadata in the file tables, while your Windows or Mac operating systems store much more.  Even more valuable can sometimes be the natively created copies, backups and shadows of your operating system that can store historical data about when files may have been altered, previously existed upon or removed from the system. 

Digital forensic examiners pull the threads and unravel the tapestry of the evidence.  We look for the information that shows us what was going on and, hopefully, who was responsible.  With data storage devices at everyone’s fingertips in the digital age, this information and evidence is invaluable in helping to prove or disprove a claim.  As I tell groups of attorneys, investigators and information security officers all the time, the data doesn’t lie.  It helps paint a clearer picture of what happened, which is ultimately what everyone is after: The truth.

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally

About the Author:

Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history.  A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.

Twitter: @ProDigital4n6