Unraveling the Unseen: The Role of Metadata in Digital Forensic Investigations

Written By

Capsicum Group

Let’s start with the basics: what exactly is metadata?

In an information technology context, the prefix meta refers to an underlying description. Combined with data, metadata is the descriptive information carried within digital data; one could also call it a digital footprint. Metadata is generally not visible when viewing or interacting with a file's content, which makes it effectively hidden, especially to the casual observer. Perhaps the most common definition of metadata is that it is “data about data.”

At Capsicum, we have observed the critical role metadata plays in digital forensic investigations. Our team employs industry-recognized forensic tools to locate and extract metadata, and our years of analytical experience enable us to provide clients with valuable contextual information about the digital data in their cases. We have used metadata to prove (and disprove) the authenticity of a file; to confirm the veracity of a statement; to understand user activity; to build a timeline of events; to understand and connect different pieces of digital evidence; and to search, filter, and find potentially relevant data.

First, let’s discuss the specific types of metadata that are leveraged in digital forensic investigations:

Email Metadata: An email header contains important information about the path that the message “travelled” from its source to its destination. The metadata in an email header includes recipient(s) and sender names, timestamps, the email client, the internet service provider, IP addresses, and the Message ID.

File System Metadata: File system metadata refers to a file’s name, size, type, creation date, modification date, permissions, location, and attributes, to name a few. It is not limited to specific file formats or applications and can be associated with any type of file, including documents, images, spreadsheets, etc. File system metadata is stored in structures specific to the file system in use.

For example, Windows uses NTFS (New Technology File System), which stores its metadata in Master File Table (MFT) entries and their attributes; Linux commonly uses the Extended File System versions 3 and 4 (ext3/ext4), which store metadata in inodes and directory entries; and Apple’s current file system, APFS (Apple File System), stores metadata in containers, volumes, and file and directory records. As can be seen, the structures and methods used to store file system metadata vary across file systems and operating systems.
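To make the file system layer concrete, here is an added example (not Capsicum's tooling) that collects the fields listed above for a single file using only the Python standard library. The temporary file it inspects is constructed by the example itself. The point a practitioner most needs to internalize is in the comments: the same field name means different things on different file systems, and in particular `st_ctime` is a creation time only on Windows/NTFS.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone


def _ts(epoch_seconds):
    return datetime.fromtimestamp(epoch_seconds, timezone.utc)


def file_system_metadata(path):
    """Collect the file system's view of one file: the fields the file system (not the
    file's content) records. Which timestamps exist depends on the file system and OS."""
    st = os.stat(path)
    if stat.S_ISDIR(st.st_mode):
        kind = "directory"
    elif stat.S_ISREG(st.st_mode):
        kind = "file"
    else:
        kind = "other"
    return {
        "name": os.path.basename(path),
        "location": os.path.dirname(os.path.abspath(path)),
        "size": st.st_size,
        "type": kind,
        "permissions": stat.filemode(st.st_mode),  # e.g. "-rw-r--r--"
        "modified": _ts(st.st_mtime),
        "accessed": _ts(st.st_atime),
        # Caveat: st_ctime is the inode/metadata *change* time on Linux (ext3/ext4)
        # and macOS (APFS); only on Windows/NTFS has it historically meant creation time.
        "changed": _ts(st.st_ctime),
        # A true creation ("birth") time is exposed only where the platform supports it.
        "created": _ts(st.st_birthtime) if hasattr(st, "st_birthtime") else None,
    }


def demo():
    """Create a throwaway sample file (constructed here) and return its metadata."""
    with tempfile.TemporaryDirectory() as workdir:
        sample = os.path.join(workdir, "sample.txt")
        with open(sample, "wb") as fh:
            fh.write(b"hello metadata\n")
        return file_system_metadata(sample)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

Run it on a file of interest instead of the constructed sample to see which of the four timestamps your platform actually reports; a `None` in `created` is itself a finding about what the file system can and cannot tell you.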

Application Metadata: This type of metadata originates from the application in which the file was created. Microsoft Office applications, such as Word, Excel, and PowerPoint, store metadata about the document itself in embedded document properties. These embedded properties (document metadata) help in managing and organizing documents more effectively.

How is document metadata different from file system metadata? Embedded document metadata is distinct from the file system metadata that is also associated with electronic files. Dates, times, and revision history stored in a file’s embedded metadata are often much less volatile, and more accurately represent what activities occurred and when, than file system data.

EXIF (Exchangeable Image File Format): This type of metadata is embedded within digital photos and images. It includes a variety of information about the image, such as camera settings, date and time, location data, exposure details, and the software used to create or edit the image.

How does metadata help in digital forensic investigations?

Metadata plays a critical role in virtually every digital forensics investigation. Next, we will present three case examples to illustrate how metadata aided in our investigations.

1.    Determining File Authenticity:

The Challenge: Capsicum was tasked with determining whether a Word document was created contemporaneously with a meeting between a supervisor and her subordinate, or whether it was created after the supervisor was served a complaint by the subordinate. The document in question was in the Microsoft Office Open XML file format, meaning its metadata was stored in various XML files. Despite extensive metadata analysis, the core issue remained whether the creation date and time had been altered.

Our Solution: Capsicum was able to determine that the user had not accessed the XML file containing the creation and modification dates. Had this file been accessed, the metadata surrounding the XML files would have revealed such activity and cast doubt on the file's authenticity. No inconsistencies were identified within the document itself that called its creation and last-modified dates into question.

2.    Determining Geolocation and Device Information:

The Challenge: Capsicum was engaged by counsel representing a woman in her divorce from her husband to forensically image her phone. She suspected her estranged husband was monitoring her iPhone and believed he had deleted text messages between them. This wealthy couple had previously agreed to send their child to a prestigious private school before the divorce proceedings began. However, the husband denied ever agreeing to such an arrangement. The wife claimed she had text messages from her husband in which he acknowledged the agreement and encouraged her to take their child to the school for the admission test. Since the couple still lived in the same house, the husband had access to the wife’s phone and allegedly deleted all communications related to the private school.

Our Solution: Capsicum imaged the phone and confirmed that the messages and their attachments (pictures taken at the school) were no longer present and were unrecoverable. It was crucial to the litigation to prove that the wife was at the school on a specific date and time. Capsicum searched the iPhone’s stored images and found one of a turtle. 

Using the metadata contained within the image file, Capsicum was able to verify the wife's claim. The metadata showed the geolocation as the school’s playground, recorded the date and time the picture was taken, and confirmed it was taken with the wife’s iPhone. This unremarkable picture was overlooked by the husband during his alleged “clean-up” and was the only evidence placing the wife at the school on the required date and time.
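The EXIF section above and this second case rest on reading the date/time and GPS tags that a camera embeds in an image. The example below is added here (it is not Capsicum's tooling) and parses the TIFF-structured EXIF block directly with the standard library, so the reader can see where those values physically sit: IFD0 holds `DateTime` and a pointer to the GPS sub-IFD, which holds latitude and longitude as degree/minute/second rationals plus hemisphere references. The blob it parses is constructed by the example itself (the coordinates and timestamp are invented, not from any real device); in a JPEG the same structure sits inside the APP1 segment after the `Exif\0\0` marker.

```python
import struct
from datetime import datetime

# Tag numbers and field types from the TIFF 6.0 / EXIF 2.x specifications.
TAG_DATETIME = 0x0132   # IFD0: "YYYY:MM:DD HH:MM:SS" (no time zone)
TAG_GPS_IFD = 0x8825    # IFD0: offset of the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_SHORT, TYPE_LONG, TYPE_RATIONAL = 2, 3, 4, 5
TYPE_SIZE = {TYPE_ASCII: 1, TYPE_SHORT: 2, TYPE_LONG: 4, TYPE_RATIONAL: 8}


def build_sample_exif() -> bytes:
    """Constructed little-endian TIFF/EXIF blob (sample data, not from a real camera).
    Layout: header(8) | IFD0(30) | DateTime string(20) | GPS IFD(54) | lat(24) | lon(24)."""
    date = b"2024:05:14 09:32:10\x00"

    def ifd(entries):
        body = struct.pack("<H", len(entries))
        for tag, typ, count, value_field in entries:   # 12-byte entries
            body += struct.pack("<HHI", tag, typ, count) + value_field
        return body + struct.pack("<I", 0)             # no next IFD

    ifd0_off = 8
    date_off = ifd0_off + 2 + 2 * 12 + 4   # 38
    gps_off = date_off + len(date)         # 58
    lat_off = gps_off + 2 + 4 * 12 + 4     # 112
    lon_off = lat_off + 3 * 8              # 136
    ifd0 = ifd([
        (TAG_DATETIME, TYPE_ASCII, len(date), struct.pack("<I", date_off)),
        (TAG_GPS_IFD, TYPE_LONG, 1, struct.pack("<I", gps_off)),
    ])
    gps = ifd([
        (GPS_LAT_REF, TYPE_ASCII, 2, b"N\x00\x00\x00"),   # 2 bytes fit inline
        (GPS_LAT, TYPE_RATIONAL, 3, struct.pack("<I", lat_off)),
        (GPS_LON_REF, TYPE_ASCII, 2, b"W\x00\x00\x00"),
        (GPS_LON, TYPE_RATIONAL, 3, struct.pack("<I", lon_off)),
    ])
    # Degrees, minutes, seconds as numerator/denominator pairs: 40d 26' 46.2" N, 79d 58' 56.4" W
    lat = struct.pack("<6I", 40, 1, 26, 1, 462, 10)
    lon = struct.pack("<6I", 79, 1, 58, 1, 564, 10)
    return b"II" + struct.pack("<HI", 42, ifd0_off) + ifd0 + date + gps + lat + lon


def _field_value(data, end, typ, count, field):
    """Decode one IFD entry; values longer than 4 bytes live at the offset stored in the field."""
    size = TYPE_SIZE[typ] * count
    if size <= 4:
        raw = field[:size]
    else:
        off = struct.unpack(end + "I", field)[0]
        raw = data[off:off + size]
    if typ == TYPE_ASCII:
        return raw.rstrip(b"\x00").decode("ascii", "replace")
    if typ == TYPE_RATIONAL:
        nums = struct.unpack(end + "%dI" % (2 * count), raw)
        return [n / d if d else 0.0 for n, d in zip(nums[::2], nums[1::2])]
    fmt = {TYPE_SHORT: "H", TYPE_LONG: "I"}[typ]
    vals = struct.unpack(end + "%d%s" % (count, fmt), raw)
    return vals[0] if count == 1 else list(vals)


def parse_ifd(data, end, offset):
    """Return {tag: value} for the IFD starting at offset."""
    n = struct.unpack_from(end + "H", data, offset)[0]
    tags = {}
    for i in range(n):
        pos = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(end + "HHI", data, pos)
        tags[tag] = _field_value(data, end, typ, count, data[pos + 8:pos + 12])
    return tags


def dms_to_decimal(dms, ref):
    degrees = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -degrees if ref.upper() in ("S", "W") else degrees


def parse_exif(data):
    """Extract the capture timestamp and decimal GPS position from a TIFF-structured EXIF blob."""
    end = {b"II": "<", b"MM": ">"}[data[:2]]       # byte order from the header
    magic, ifd0_off = struct.unpack_from(end + "HI", data, 2)
    if magic != 42:
        raise ValueError("not a TIFF/EXIF header")
    ifd0 = parse_ifd(data, end, ifd0_off)
    info = {"datetime": None, "latitude": None, "longitude": None}
    if TAG_DATETIME in ifd0:  # naive datetime: EXIF DateTime carries no zone
        info["datetime"] = datetime.strptime(ifd0[TAG_DATETIME], "%Y:%m:%d %H:%M:%S")
    if TAG_GPS_IFD in ifd0:
        gps = parse_ifd(data, end, ifd0[TAG_GPS_IFD])
        if GPS_LAT in gps and GPS_LON in gps:
            info["latitude"] = dms_to_decimal(gps[GPS_LAT], gps.get(GPS_LAT_REF, "N"))
            info["longitude"] = dms_to_decimal(gps[GPS_LON], gps.get(GPS_LON_REF, "E"))
    return info


if __name__ == "__main__":
    print(parse_exif(build_sample_exif()))
```

Two points matter for evidentiary use and are visible in the code: the `DateTime` string carries no time zone, so the device's clock settings have to be established separately, and a GPS sub-IFD is entirely optional, so `None` for latitude simply means the device did not record a position.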

3.    Tracking Communication and Data Exchange:

The Challenge: Capsicum was retained after the client received, during discovery, an email file they contended had never been sent to the opposing party. At first glance, the email appeared legitimate.

Our Solution: A closer examination of the email header’s metadata revealed several discrepancies:

1.    The servers through which the email should have passed from the sender (our client) to the recipient were missing.
2.    The Message ID indicated the email could not have originated from our client's server.
3.    The timestamps in the header differed from those on the face of the email.

These metadata discrepancies, along with other facts and files, cast doubt on the veracity of the opposing party and the authenticity of the email.
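The email-header section above and this third case describe the same three checks, so here is one added example (not Capsicum's tooling) that runs them against constructed headers: whether the sender's known originating server appears anywhere in the `Received` chain, whether the `Message-ID` was issued by the sender's own domain, and whether any server claims to have received the message before the `Date` header says it was sent. The host names, addresses and timestamps are invented sample data using reserved example names; `origin_host` and `sender_domains` are assumptions the examiner supplies from knowledge of the client's mail environment, and the clock-skew tolerance is an arbitrary choice.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed headers for illustration (reserved example/test host names, not real systems).
GENUINE_EMAIL = """\
Received: from mx.opposing.example (mx.opposing.example [203.0.113.9]) by mail.opposing.example with ESMTP id k78; Tue, 14 May 2024 09:31:20 -0400
Received: from mail.client.example (mail.client.example [198.51.100.7]) by mx.opposing.example with ESMTPS id q12; Tue, 14 May 2024 09:31:05 -0400
Message-ID: <20240514093000.1a2b@mail.client.example>
Date: Tue, 14 May 2024 09:30:00 -0400
From: alice@client.example
To: bob@opposing.example
Subject: Meeting notes

Notes attached.
"""

SUSPECT_EMAIL = """\
Received: from mx.opposing.example (mx.opposing.example [203.0.113.9]) by mail.opposing.example with ESMTP id k77; Tue, 14 May 2024 08:55:00 -0400
Message-ID: <20240514.1@mx.opposing.example>
Date: Tue, 14 May 2024 09:30:00 -0400
From: alice@client.example
To: bob@opposing.example
Subject: Meeting notes

Notes attached.
"""

RECEIVED_RE = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)


def received_hops(msg):
    """Parse each Received header into from/by/time. Servers prepend these, so index 0
    is the last hop and the bottom of the list is closest to the sender."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        stamp = hdr.rsplit(";", 1)[1].strip() if ";" in hdr else ""
        hops.append({
            "from": m.group("from").lower() if m else None,
            "by": m.group("by").lower() if m else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def message_id_domain(msg):
    m = re.search(r"@([^>\s]+)", msg.get("Message-ID", ""))
    return m.group(1).lower() if m else None


def audit_email(raw, origin_host, sender_domains, skew=timedelta(minutes=10)):
    """Return header discrepancies relative to how the sender's mail is known to flow."""
    msg = message_from_string(raw)
    findings = []
    hops = received_hops(msg)
    seen = {h[k] for h in hops for k in ("from", "by") if h[k]}
    if origin_host.lower() not in seen:
        findings.append(f"missing hop: {origin_host} does not appear in the Received chain")
    dom = message_id_domain(msg)
    if dom is None or not any(dom == d or dom.endswith("." + d) for d in sender_domains):
        findings.append(f"Message-ID domain {dom!r} was not issued by the sender's domains {sorted(sender_domains)}")
    sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    for h in hops:  # a relay cannot receive a message before it was sent (allowing clock skew)
        if sent and h["time"] and h["time"] + skew < sent:
            findings.append(f"{h['by']} received the message at {h['time'].isoformat()}, "
                            f"before the Date header {sent.isoformat()}")
    return findings


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_EMAIL), ("suspect", SUSPECT_EMAIL)):
        print(label, audit_email(raw, "mail.client.example", {"client.example"}) or "no discrepancies")
```

The constructed suspect message trips all three checks, mirroring the three discrepancies listed above. In practice the values of `origin_host` and `sender_domains` come from the client's own mail logs and server configuration, and a finding here is a reason to pull the corresponding server-side logs rather than a conclusion on its own.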

We hope this blog provides valuable insights into the critical role metadata can play in enhancing your investigations, cases, or legal proceedings. At Capsicum, our forensics team continuously updates its expertise with the latest tools and techniques for forensic acquisition, extraction, and analysis, ensuring we can interpret metadata effectively as evidence. Should you require such analysis, remember that it is essential to preserve the original native file, as it serves as the most reliable evidence.