| Line 1: |
Line 1: |
| − | '''Metadata''' is data about data. Metadata plays a number of important roles in [[computer forensics]]:
| + | #REDIRECT [[Forensic Toolkit]] |
| − | * It can provide corroborating information about the document data itself.
| + | |
| − | * It can reveal information that someone tried to hide, delete, or obscure.
| + | |
| − | * It can be used to automatically correlate documents from different sources.
| + | |
| − | | + | |
| − | Since metadata is fundamentally data, it suffers all of the data quality and pedigre issues as any other form of data. Nevertheless, because metadata isn't generally visible unless you use a special tool, more skill is required to alter or otherwise manipulate it.
| + | |
| − | | + | |
| − | ==Kinds of Metadata==
| + | |
| − | Some kinds of metadata that are interesting in computer forensics:
| + | |
| − | * [[File system]] metadata (e.g. [[MAC times]], [[access control lists]], etc.)
| + | |
| − | * Digital image metadata. Although information such as the image size and number of colors are technically metadata, [[JPEG]] and other file formats store additional data about the photo or the device that acquired it.
| + | |
| − | * Document metadata, such as the creator of a document, it's last print time, etc.
| + | |
| − | | + | |
| − | ==File types that support metadata and extraction tools==
| + | |
| − | | + | |
| − | Below are some common data and metadata formats, the files in which they are found, and a collection of tools that can be used to extract information.
| + | |
| − | | + | |
| − | ; [[EXIF]] ([[JPEG]] and [[TIFF]] image files; Music Files)
| + | |
| − | : The [[Exchangeable Image File]] format describes a format for a block of data that can be embedded into JPEG and TIFF image files, as well as [[RIFF WAVE]] audio files. Information includes date and time information, camera settings, location information, textual descriptions, and copyright information.
| + | |
| − | :* [http://pel.sourceforge.net/ PEL: PHP Exif Library]
| + | |
| − | :* [http://libexif.sourceforge.net/ LibExif] (C)
| + | |
| − | :* [http://www.drewnoakes.com/code/exif/ Metadata extraction in Java]
| + | |
| − | | + | |
| − | ; [[ID3]] ([[MP3]] files)
| + | |
| − | : Implemented as a small block of data stored at the end of MP3 files. [[ID3v1]] is a 128-byte block in a specified format allowing 30 bytes for song, artist and album, 4 bytes for year, 30 bytes for comment, and 1 byte for genre. [[ID3v1.1]] adds a track number. [[ID3v2]] is a general container structure. For more information, see [http://www.id3.org/].
| + | |
| − | :* [http://id3lib.sourceforge.net/ id3lib], a widely-used open source C/C++ ID3 implementation.
| + | |
| − | :* [http://www.vdheide.de/projects.html Java library MP3]
| + | |
| − | :* [http://search.cpan.org/dist/MP3-Info/ MP3::Info] (Perl)
| + | |
| − | :* [http://search.cpan.org/dist/MPEG-ID3v2Tag/ MPEG::ID3v2Tag] (Perl)
| + | |
| − | | + | |
| − | ; [[Microsoft]] [[OLE 2]]
| + | |
| − | : Microsoft Office document files contain a huge amount of metadata. They are created as OLE 2 files. Here are some tools for processing them:
| + | |
| − | :* [http://jakarta.apache.org/poi/index.html Jakarta POI] Open Source implementation in Java.
| + | |
| − | :* [http://www.payneconsulting.com/ Payne Consulting] Metadata Analysis and cleanup.
| + | |
| − | :* [http://www.inforenz.com/software/forager.html Inforenz Forager] Inforenz Forager
| + | |
| − | | + | |
| − | ; [[TIFF]]
| + | |
| − | : The [[Tagged Image File Format]] allows one or more images to be bundled in a single file. Multiple [[compression]] formats are supported. [[EXIF]] files can be stored inside TIFFs.
| + | |
| − | :* [http://www.remotesensing.org/libtiff/ LibTIFF]
| + | |
| − | :* [http://www.awaresystems.be/imaging/tiff/faq.html TIFF FAQ]
| + | |
| − | | + | |
| − | =External links=
| + | |
| − | * [http://en.wikipedia.org/wiki/Metadata Wikipedia: Metadata]
| + | |
| − | * [http://theses.nps.navy.mil/08Jun_Migletz.pdf Automated Metadata Extraction], Maj. James Migletz, Master's Thesis, Naval Postgraduate School, June 2008
| + | |
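Review bot: the single added line, `#REDIRECT [[Forensic Toolkit]]`, points the Metadata page at one product's page, while every removed line covers a general forensics topic with nothing tool-specific in it: the roles of metadata, the kinds of metadata (file system, image, document), and the per-format sections for EXIF, ID3, Microsoft OLE 2 and TIFF with their extraction libraries. A reader following a [[Metadata]] link would land on an unrelated tool and lose the format notes (for example the ID3v1 128-byte layout) and the external links, including the Migletz thesis reference. No rationale for the blanking is visible in the diff. Suggest reverting to the previous revision; if consolidation is intended, merge the removed sections into the destination first and redirect to a topic page rather than a product page. Separately, the removed text has two small errors worth fixing on restore: "pedigre" should be "pedigree" and "it's last print time" should be "its last print time".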