Metadata: The Smoking Gun

Written By

Sean Goldstein

Your company’s most senior product developer leaves to join a competitor. Commence panic. What did that employee take with him or her? Commence investigation. When did the employee first plan to leave? What data did the employee have access to within the company? How could the employee potentially have taken confidential information / trade secrets / intellectual property? Commence hiring of digital forensics expert.

Digital forensics experts have become part of the litigation strategy in a multitude of growing practice areas – and analyzing data is often a necessary piece of such strategy. One of the first steps in an investigation – such as the scenario discussed above – is to look at the background information available about the relevant files, in order to establish timelines (when did the employee begin creating summary documents to take to the new company?), showcase patterns of access and use (how often did the employee open the product ingredient list?), and clearly define the creation, access, movement, and use of certain files. Metadata can be a primary source for such information about a file.

Put simply, metadata is data about data. Acting like a fingerprint, metadata summarizes certain basic characteristics that identify a piece of data. These can include, but are not limited to, creation date, modification date, author(s), file size, last access date, file type, GPS information, total editing time, and number of revisions. The amount of information stored as metadata largely depends on where the file exists.
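As an added illustration (not part of the original article), the Python sketch below records filesystem metadata for a set of files and merges the timestamps into a single timeline of the kind an examiner would review. The file names, contents and dates are constructed samples, and only filesystem-level fields are read; application-level fields such as author or total editing time live inside the document format and are not covered.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def snapshot(path):
    """Capture filesystem metadata first, then hash the content."""
    # stat() before open(): reading a file can update its last-access time.
    st = os.stat(path, follow_symlinks=False)
    record = {
        "name": os.path.basename(path),
        "size": st.st_size,
        "modified": st.st_mtime,
        "accessed": st.st_atime,
        # st_ctime is the metadata-change time on Unix, creation time on Windows.
        "changed": st.st_ctime,
    }
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    record["sha256"] = digest.hexdigest()  # shows later copies are unaltered
    return record

def timeline(records):
    """Flatten per-file timestamps into one chronologically sorted event list."""
    events = [(r[kind], kind, r["name"])
              for r in records for kind in ("modified", "accessed", "changed")]
    return [(datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(), kind, name)
            for ts, kind, name in sorted(events)]

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc).timestamp()

def demo():
    """Constructed sample files with constructed timestamps (not real case data)."""
    samples = {  # name: (content, last-access time, last-modified time)
        "ingredient_list.xlsx": (b"constructed sample A", utc(2017, 6, 10, 18, 30), utc(2017, 3, 1, 9, 0)),
        "summary_for_new_role.docx": (b"constructed sample B", utc(2017, 6, 12, 22, 20), utc(2017, 6, 12, 22, 15)),
    }
    with tempfile.TemporaryDirectory() as folder:
        records = []
        for name, (content, atime, mtime) in samples.items():
            path = os.path.join(folder, name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.utime(path, (atime, mtime))  # apply the constructed timestamps
            records.append(snapshot(path))
    return records, timeline(records)

if __name__ == "__main__":
    for when, kind, name in demo()[1]:
        print(when, kind, name)
```

In practice this kind of collection is run against a forensic image or a read-only mount rather than the live system, so that the act of examining the files does not itself change their metadata.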

Metadata is an important source of evidence in a variety of cases: employment scenarios, of course, but the options are endless. Recently, metadata made news headlines in the Democratic National Committee hacking investigation. Allegedly, a forensics blogger reviewed metadata related to a portion of the stolen files from the DNC network, and found that due to the “last modified” time information available in the metadata, it appeared that it would have been impossible for the files to have been copied or downloaded through the Internet – they would have had to be copied directly from the DNC network (leading some to believe that the “hack” came from inside the DNC rather than via a hack taking place through the Internet). Whether this is true or not, metadata is a key factor for this investigation. [“Why the latest theory about the DNC not being hacked is probably wrong,” The Hill, August 14, 2017].

This type of data about data is valuable on many levels. It reveals usage patterns, highlights connections, and discloses if files were potentially downloaded or disseminated. Moving forward in a digital age, metadata tracks our behaviors in a concrete and constant fashion. As lawsuits depend on data to prove, disprove, corroborate and highlight digital activity, metadata continues to be a reliable evidentiary source – and in many instances, the smoking gun. This fragile data must be preserved early and often, so that your organization can protect itself once the possibility of litigation emerges. Commence control.