Wednesday 15 February 2023

The Value of Metadata in Digital Forensics

Meta, which means "beyond," is a prefix that denotes an abstraction of another concept. Metadata is therefore "data beyond the data": data about data, or information about information. Metadata organises and characterises other data so that it is easier to find, understand, and use.



These details may include the creator of a piece of data, the date it was created, the file size, and the date it was edited. This information makes it simpler to find a specific document.

Metadata is helpful for films, photos, spreadsheets, and web pages in addition to document files. Computer forensic investigators track a digital trail much as a traditional investigator follows a paper trail, which is a collection of written evidence. This entails looking at digital data and its metadata, the distinctive identifiers connected to each digital file, to see whether there is any supporting information.

Uses of Metadata

Metadata enables users to:

  • Locate resources using pertinent criteria
  • Identify resources
  • Bring comparable resources together
  • Differentiate between resources; and
  • Find the location of the information

Typical forms of Metadata

Metadata may be divided into the following categories:

Descriptive Metadata

Author, title, abstract, and keywords are frequently included in descriptive metadata, which provides information about a file's contents.

Structural Metadata

The link between various pieces of data and how they are put together are both areas covered by structural metadata.

Administrative Metadata

Administrative metadata includes information about ownership, rights administration, and other technical details like the application that was employed.

Preservation Metadata

Preservation metadata assists in the administration and preservation of information resources. This sort of metadata also covers processes such as data transfer and refreshing that are required to preserve both the digital and physical copies of resources, as well as a record of the physical state of a specific piece of information. Documenting modifications that take place during preservation or digitisation is another use of preservation metadata.

Technical Metadata

Technical metadata is data that demonstrates how a system or piece of metadata acts. Technical digitisation data such as formats, scaling procedures, and compression ratios are included in such metadata, as well as documentation for software and hardware. Technical metadata also includes data on security and authentication, such as encryption keys and passwords, as well as tracking of system response times.

How is Metadata Produced?

Both manual and automatic information processing can produce metadata. Automated metadata production is simple because it only records details such as the file extension, size, and creation date, as well as the author or creator of the file. In contrast, manual creation enables users to provide any pertinent details characterising a specific file.

How is Metadata Used in Forensics?

Metadata essentially enables digital or computer forensic investigators to comprehend the "traces" and history of an electronic file. These digital traces must be appropriately kept because they are delicate. Consider how carefully genuine physical evidence must be handled at a crime scene to prevent contamination, missed cues, and evidence manipulation. The same care must be taken with metadata.

The following are some instances of metadata that might be useful in a criminal investigation:

  • Recover file names, extensions, creation, modification, and access dates for each file.
  • History of executions, errors, records read and written, etc.
  • Dates of the file's creation, modification, and access
  • Access all of the data included in a document.
  • See a document's hidden information
  • Show evidence of your collaboration

When digital forensic analysis is used as the basis for a lawsuit, the evidence must be reliable, and metadata can help establish its provenance. For example, files that have been relocated from their original contexts are seen as less reliable, since there is a chance that the data may be altered if it is not present on the original device. Because of this, the majority of digital forensic professionals image devices before evaluating the data they contain, in order to preserve everything in its original setting. Additionally, having imaged copies of the original devices enables experts to evaluate in court the reliability of files obtained from other sources by comparing and contrasting them with those from the original devices.

Forensic Analysis of Metadata

Data may take on a variety of shapes. Databases, Word documents, photos, full websites, emails, and chat sessions may all include data. The list might go on forever, and this is what necessitates the use of metadata. Forensic scientists have access to a range of software with which to investigate metadata. FTK, Paraben, and Metadata Assistant are a few Windows-compatible metadata applications. MacQuisition is frequently used by those who favour Macs to carry out searches and other tasks on metadata.

These software programmes provide accurate findings based on the available evidence. The forms allow a forensic scientist to observe, record, and produce reports on the data set under investigation. These programmes can examine the evidence and create the fingerprint required for comparison.

Conformity of Metadata

The information made available by metadata may be crucial to an investigator in spotting any alterations or manipulation, and it aids lawyers in drawing conclusions about the case. When evidence is not properly verified or subjected to enough scrutiny during the inquiry, the investigation may also fail. Use of inappropriate tools, systems, or application errors during the collection of evidence, failure to report exculpatory evidence, misrepresentation of evidence, inability to recognise pertinent evidence, and falsification of evidence resulting in misdirection are some of the various factors that could affect the validity of the evidence. The legal professional must thus comprehend how digital evidence is gathered, as well as the connection between the gathering process and the validation of possible evidence.

Examples of situations where metadata might be crucial include:

It can assist in offering an alibi: Say you have to provide evidence that your client was at home at 6 o'clock. She recalled looking at a few emails on her own computer and downloading their attachments. These would provide evidence that she was at home since the metadata would show that the files were saved to her machine at that time.

Recognizing fraud: Your customer is suspicious because of some subpar design work that was ordered. When you look at the file's information, you discover that the designer didn't work on it at all; rather, a separate studio produced and worked on it, going against their agreement while charging the designer's higher fee.

Proof of foreknowledge: A customer asserts they were dismissed as a result of a colleague's deceptive email sent to their supervisor. Their employer says that the correspondence didn't influence her decision and that she only received it after your client was let go. But you can see from the metadata that she received and read the email before your customer was let go.

Finding the origin of a data leak: Tim insists that despite having access to the papers, he didn't provide trade secrets to a company's rival. You find out from the system's metadata that certain files were transmitted while Tim was logged in and that a USB drive was connected for a short duration.

Metadata is brittle

It's quite simple to accidentally modify metadata. You'll alter the "last accessed" metadata date, for instance, if you:

  • Open a file
  • Copy a file to a different computer
  • Put a file on a CD or DVD
  • Send a file by email

In reality, by just starting a computer with evidence on it, you may change hundreds of files. If you're attempting to establish when a privileged document was last accessed, this might be an issue.
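
The following Python sketch is an added example, not part of the original post. It records a file's timestamps and a SHA-256 content fingerprint, then shows that an ordinary copy silently replaces the modification time while a metadata-preserving copy keeps it. The file names and the pinned timestamp are constructed for illustration, and it compares the modification time rather than the access time because access-time updates depend on how the filesystem is mounted.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed timestamp (2023-02-15 00:00:00 UTC) standing in for the
# original "last modified" time of the evidence file.
ORIGINAL_TS = 1676419200

def metadata_record(path):
    """Return filesystem metadata plus a content fingerprint for one file."""
    st = os.stat(path)  # stat before opening, so the read below cannot affect the record
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {
        "name": os.path.basename(path),
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        # Recorded but not compared: whether a read updates atime depends on
        # mount options such as relatime or noatime.
        "atime_ns": st.st_atime_ns,
        "sha256": digest,
    }

def changed_fields(baseline, other, fields=("size", "mtime_ns", "sha256")):
    """List the compared fields whose values differ from the baseline."""
    return [f for f in fields if baseline[f] != other[f]]

def demo():
    """Copy one constructed file two ways and report which metadata drifted."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "evidence.txt")
        with open(src, "wb") as fh:
            fh.write(b"constructed sample content\n")
        os.utime(src, (ORIGINAL_TS, ORIGINAL_TS))  # pin atime and mtime
        baseline = metadata_record(src)
        plain = shutil.copy(src, os.path.join(work, "plain_copy.txt"))
        kept = shutil.copy2(src, os.path.join(work, "preserving_copy.txt"))
        return {
            "plain_copy": changed_fields(baseline, metadata_record(plain)),
            "preserving_copy": changed_fields(baseline, metadata_record(kept)),
        }

if __name__ == "__main__":
    print(demo())
```

The content hash matches in both copies, so a hash alone cannot show that the timestamps were lost; the baseline record has to be taken before the file is moved.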
