Metadata - What is it and how is it important?
Forensic Focus - December 2009
We recently hosted a technical training series for investigators, lawyers and technical analysts to share knowledge about the importance of e-mail and e-files in investigations and forensic data examinations.
One of the main points that came out of the training was the importance of metadata to an examination. Documents or files presented as evidence without their related metadata present only a small portion of the picture.
Metadata - What is it?
Metadata is data about data, or more simply, electronic information about a file that is not seen on a printed copy of the file. It is embedded and provides additional information, including when and by whom it was created, accessed, or modified.
Because it is not normally seen, and some of it cannot be seen without special applications, users can inadvertently share confidential information when sending or providing files in electronic form.
This information can also prove critical in investigations, particularly where there are concerns about the authority of a document or who created it.
What types of files contain metadata?
Office applications like Microsoft Office or StarOffice (including Word, Excel & PowerPoint) are not the only applications that create and embed metadata. In fact, most applications do. PDF files often have embedded author, title, and other information. Digital photographs and movies often contain large amounts of information about the image or film, often including the make, model and serial number of the device they were created on. In fact, just about any data object can have metadata.
The metadata about an email can show where it came from, when it was sent and/or received and when it passed through mail servers.
How is it viewed?
Some metadata can be viewed within the application that created the file, often by going to File -> Properties (Microsoft Office), or File -> Document Properties (Adobe Acrobat).
However, this does not necessarily display all metadata. Specialist forensic examination tools like Intella (www.vound-software.com) or EnCase (www.encase.com) are used by trained analysts to view data not available to the everyday user.
Why is it important?
Metadata plays a number of important roles in forensic data investigations:
- provides corroborating information about the document data itself
- reveals information that someone tried to hide, delete, or obscure
- can be used to automatically correlate documents from different sources
- can assist in time-lining activities where external date sources may be unavailable or unreliable
The power of metadata revealed in the “Blair Document”
The British Government’s dossier on Iraq’s security and intelligence capability was ultimately used to justify the invasion of Iraq. This dossier was also cited by Colin Powell in his address to the United Nations.
This document quickly embarrassed the government when it was identified by Dr Glen Rangwala, a lecturer at Cambridge University, that much of its content was plagiarised from an article written by Ibrahim al-Marashi, a postgraduate student at the Monterey Institute of International Studies.
In addition to the plagiarism, the document was posted on the 10 Downing Street website, the Prime Minister’s official website, in Word format. Reporters quickly seized on this and extracted the metadata from this Word document, including the last 10 authors:
Rev. #1: "cic22" edited file "C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecovery save of Iraq - security.asd"
Rev. #2: "cic22" edited file "C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecovery save of Iraq - security.asd"
Rev. #3: "cic22" edited file "C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecovery save of Iraq - security.asd"
Rev. #4: "JPratt" edited file "C:\TEMP\Iraq - security.doc"
Rev. #5: "JPratt" edited file "A:\Iraq - security.doc"
Rev. #6: "ablackshaw" edited file "C:\ABlackshaw\Iraq - security.doc"
Rev. #7: "ablackshaw" edited file "C:\ABlackshaw\A;Iraq - security.doc"
Rev. #8: "ablackshaw" edited file "A:\Iraq - security.doc"
Rev. #9: "MKhan" edited file "C:\TEMP\Iraq - security.doc"
Rev. #10: "MKhan" edited file "C:\WINNT\Profiles\mkhan\Desktop\Iraq.doc"
From this metadata, it was easy to spot the following user profiles or login names:
These names are reportedly:
Paul Hamill - Foreign Office official
John Pratt - Downing Street official
Alison Blackshaw - The personal assistant of the Prime Minister's press secretary
Murtaza Khan - Junior press officer for the Prime Minister
This metadata provided journalists with a strong lead to track down who was responsible for the plagiarised material.
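The revision log quoted above can be processed mechanically to separate the name stamped on each save from the login name that appears in the saved path. The Python below is an added example, not part of the original article or of any tool it names; the function names and the profile-folder patterns (DOCUME~1 / "Documents and Settings", WINNT\Profiles) are assumptions chosen to fit this log.

```python
import re

# Revision log exactly as quoted in the article above.
REV_LOG = r'''
Rev. #1: "cic22" edited file "C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecovery save of Iraq - security.asd"
Rev. #2: "cic22" edited file "C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecovery save of Iraq - security.asd"
Rev. #3: "cic22" edited file "C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecovery save of Iraq - security.asd"
Rev. #4: "JPratt" edited file "C:\TEMP\Iraq - security.doc"
Rev. #5: "JPratt" edited file "A:\Iraq - security.doc"
Rev. #6: "ablackshaw" edited file "C:\ABlackshaw\Iraq - security.doc"
Rev. #7: "ablackshaw" edited file "C:\ABlackshaw\A;Iraq - security.doc"
Rev. #8: "ablackshaw" edited file "A:\Iraq - security.doc"
Rev. #9: "MKhan" edited file "C:\TEMP\Iraq - security.doc"
Rev. #10: "MKhan" edited file "C:\WINNT\Profiles\mkhan\Desktop\Iraq.doc"
'''

REV_RE = re.compile(r'Rev\. #(\d+): "([^"]+)" edited file "([^"]+)"')
# Per-user profile folders (assumed patterns): DOCUME~1 is the 8.3 short name
# of "Documents and Settings" (Windows 2000/XP); WINNT\Profiles is Windows NT 4.
PROFILE_RE = re.compile(r'\\(?:DOCUME~1|Documents and Settings|WINNT\\Profiles)\\([^\\]+)\\', re.I)

def parse_revisions(text):
    """Return one dict per revision: number, saved-by name, path, login from path."""
    revs = []
    for num, author, path in REV_RE.findall(text):
        m = PROFILE_RE.search(path)
        revs.append({"rev": int(num), "author": author, "path": path,
                     "login": m.group(1) if m else None})
    return revs

def names_seen(revs):
    """Every distinct name the log exposes, lower-cased, in first-seen order."""
    out = []
    for r in revs:
        for name in (r["author"], r["login"]):
            if name and name.lower() not in out:
                out.append(name.lower())
    return out

def author_login_mismatches(revs):
    """Revisions saved inside one login's profile but stamped with another name."""
    return [r["rev"] for r in revs if r["login"] and r["login"].lower() != r["author"].lower()]

def floppy_saves(revs):
    """Revisions written to A: (conventionally the floppy drive)."""
    return [r["rev"] for r in revs if r["path"].upper().startswith("A:\\")]

if __name__ == "__main__":
    revs = parse_revisions(REV_LOG)
    print(names_seen(revs), author_login_mismatches(revs), floppy_saves(revs))
```

On this log, revisions 1 to 3 carry the saved-by name cic22 while the path places them in the phamill profile, and revisions 5 and 8 were saved to A:.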