| Line 1: |
Line 1: |
| − | '''Metadata''' is data about data. Metadata plays a number of important roles in [[computer forensics]]:
| |
| − | * It can provide corroborating information about the document data itself.
| |
| − | * It can reveal information that someone tried to hide, delete, or obscure.
| |
| − | * It can be used to automatically correlate documents from different sources.
| |
| | | | |
| − | Since metadata is fundamentally data, it suffers all of the data quality and pedigre issues as any other form of data. Nevertheless, because metadata isn't generally visible unless you use a special tool, more skill is required to alter or otherwise manipulate it.
| |
| | | | |
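Review bot: the removed intro paragraph has a typo ('pedigre' should be 'pedigree') and its last sentence argues against itself: the fact that metadata 'isn't generally visible unless you use a special tool' supports the paragraph's own warning that it has the same quality and pedigree problems as any other data, not the conclusion that 'more skill is required' to manipulate it. The same libraries listed further down in this diff for extracting EXIF, ID3 and OLE 2 fields can also write them, so if this text is restored it should say that hidden metadata is less likely to be altered casually, and that it must still be corroborated rather than trusted on its own. Note also that nothing on the + side replaces the three bullet points (corroboration, revealing hidden or deleted information, cross-source correlation); they are lost outright.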
| − | ==Kinds of Metadata== | + | =Features= |
| − | Some kinds of metadata that are interesting in computer forensics:
| + | |
| − | * [[File system]] metadata (e.g. [[MAC times]], [[access control lists]], etc.)
| + | |
| − | * Digital image metadata. Although information such as the image size and number of colors are technically metadata, [[JPEG]] and other file formats store additional data about the photo or the device that acquired it.
| + | |
| − | * Document metadata, such as the creator of a document, it's last print time, etc.
| + | |
| | | | |
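Review bot: heading levels are inconsistent in the replacement: '=Features=' (level 1) takes the place of '==Kinds of Metadata==' (level 2), while the sections added later in the same change use '=History=' and '= External Links =' with stray spaces inside the markers. Pick one top level and drop the spaces so the page renders a consistent table of contents. Separately, the removed list (file-system MAC times and access control lists, image metadata beyond size and colour count, document creator and last-print time) is the page's only enumeration of metadata kinds; if the page is being repurposed, move that list to another page rather than deleting it. In that list 'it's last print time' should read 'its'.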
| − | ==File types that support metadata and extraction tools== | + | ==File Systems Understood== |
| | | | |
| − | Below are some common data and metadata formats, the files in which they are found, and a collection of tools that can be used to extract information.
| + | ==File Search Facilities== |
| | | | |
| − | ; [[EXIF]] ([[JPEG]] and [[TIFF]] image files; Music Files)
| + | ==Historical Reconstruction== |
| − | : The [[Exchangeable Image File]] format describes a format for a block of data that can be embedded into JPEG and TIFF image files, as well as [[RIFF WAVE]] audio files. Information includes date and time information, camera settings, location information, textual descriptions, and copyright information.
| + | |
| − | :* [http://pel.sourceforge.net/ PEL: PHP Exif Library]
| + | |
| − | :* [http://libexif.sourceforge.net/ LibExif] (C)
| + | |
| − | :* [http://www.drewnoakes.com/code/exif/ Metadata extraction in Java]
| + | |
| | | | |
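Review bot: the EXIF entry being removed is the only place the page explains that EXIF is a block of data embedded in JPEG and TIFF images (and RIFF WAVE audio) carrying date and time, camera settings, location, descriptions and copyright information, which is exactly the data a '==File Systems Understood==' or '==File Search Facilities==' section would need to refer to; both subheads are added empty. The three tool links (PEL, LibExif, the Java extractor) are also dropped with no replacement list. Keep the format description and tool list under the new structure, or make the new subheads say what they are meant to cover.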
| − | ; [[ID3]] ([[MP3]] files)
| + | Can it build timelines and search by creation date? |
| − | : Implemented as a small block of data stored at the end of MP3 files. [[ID3v1]] is a 128-byte block in a specified format allowing 30 bytes for song, artist and album, 4 bytes for year, 30 bytes for comment, and 1 byte for genre. [[ID3v1.1]] adds a track number. [[ID3v2]] is a general container structure. For more information, see [http://www.id3.org/].
| + | |
| − | :* [http://id3lib.sourceforge.net/ id3lib], a widely-used open source C/C++ ID3 implementation.
| + | |
| − | :* [http://www.vdheide.de/projects.html Java library MP3]
| + | |
| − | :* [http://search.cpan.org/dist/MP3-Info/ MP3::Info] (Perl)
| + | |
| − | :* [http://search.cpan.org/dist/MPEG-ID3v2Tag/ MPEG::ID3v2Tag] (Perl)
| + | |
| | | | |
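Review bot: the added line 'Can it build timelines and search by creation date?' is a question to the author, not content, and it lands between the ID3 description and the ID3 tool list. The removed ID3v1 description is accurate (30+30+30+4+30+1 bytes of fields plus the 3-byte 'TAG' marker make the 128-byte block, and ID3v1.1 takes the track number from the last two bytes of the comment field), so it should be kept; replace the question with an answer or drop it.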
| − | ; [[Microsoft]] [[OLE 2]]
| + | ==Searching Abilities== |
| − | : Microsoft Office document files contain a huge amount of metadata. They are created as OLE 2 files. Here are some tools for processing them:
| + | |
| − | :* [http://jakarta.apache.org/poi/index.html Jakarta POI] Open Source implementation in Java.
| + | |
| − | :* [http://www.payneconsulting.com/ Payne Consulting] Metadata Analysis and cleanup.
| + | |
| − | :* [http://www.inforenz.com/software/forager.html Inforenz Forager] Inforenz Forager
| + | |
| | | | |
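Review bot: the removed OLE 2 entry says Office files 'contain a huge amount of metadata' without saying what; if it is restored, name the fields that matter forensically (the summary-information properties such as author, last author, revision number, total editing time, creation, last-saved and last-printed times). Two of its three links (Payne Consulting, Inforenz Forager) point at vendor home pages rather than tool documentation, and the Inforenz line repeats its own title. The '==Searching Abilities==' subhead that replaces it is added empty.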
| − | ; [[TIFF]]
| + | Can it search? Does it build an index? Can it focus on file types or particular kinds of metadata? |
| − | : The [[Tagged Image File Format]] allows one or more images to be bundled in a single file. Multiple [[compression]] formats are supported. [[EXIF]] files can be stored inside TIFFs.
| + | |
| − | :* [http://www.remotesensing.org/libtiff/ LibTIFF]
| + | |
| − | :* [http://www.awaresystems.be/imaging/tiff/faq.html TIFF FAQ]
| + | |
| | | | |
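Review bot: 'EXIF files can be stored inside TIFFs' in the removed TIFF entry is imprecise; by the EXIF entry earlier in this diff, EXIF is a block of data embedded in an image file, not a file, so it should read 'EXIF metadata can be stored inside TIFFs'. On the + side, '==Searching Abilities==' followed by 'Can it search? Does it build an index? Can it focus on file types or particular kinds of metadata?' is a second unfilled placeholder for search, overlapping the already-added '==File Search Facilities=='; merge the two and write the answer instead of the question.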
| − | =External links= | + | ==Hash Databases== |
| − | * [http://en.wikipedia.org/wiki/Metadata Wikipedia: Metadata]
| + | |
| | + | Can it create hashes of files and/or blocks? Can it compare these hash values to any databases? |
| | + | What sort of hash functions does it use? |
| | + | |
| | + | ==Evidence Collection Features== |
| | + | |
| | + | Can it sign files? Does it keep an audit log? |
| | + | |
| | + | =History= |
| | + | |
| | + | Originally written in (YEAR), it has now developed into a Forensic Edition and an Enterprise Edition. |
| | + | |
| | + | ==License Notes== |
| | + | |
| | + | Is it commercial or open source? Are there other licensing options? |
| | + | |
| | + | = External Links = |
| | + | |
| | + | EnCase Homepage - http://www.guidancesoftware.com/lawenforcement/ef_index.asp |
| | + | |
| | + | ==External Reviews== |
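Review bot: the added page body is an unfilled template: every section is either empty or a question to the author ('Can it create hashes of files and/or blocks?', 'Can it sign files? Does it keep an audit log?', 'Is it commercial or open source?'), '(YEAR)' is a literal placeholder, and the History sentence refers to 'a Forensic Edition and an Enterprise Edition' of a product the page never names except through the EnCase homepage URL under External Links. Taken together with the removed content, the change turns the Metadata article into an empty EnCase stub. Either fill the template before saving, or create it as a separate tool page and leave the Metadata article (including its Wikipedia link) in place. The '= External Links =' heading also has spaces inside the markers, unlike the other headings.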