Metadata

From Forensics Wiki
Revision as of 18:49, 1 March 2006 by Simsong (Talk | contribs)


Metadata is data about data. Metadata plays a number of important roles in computer forensics:

  • It can provide corroborating information about the document data itself.
  • It can reveal information that someone tried to hide, delete, or obscure.
  • It can be used to automatically correlate documents from different sources.

Since metadata is fundamentally data, it suffers from the same data quality and pedigree issues as any other form of data. Nevertheless, because metadata isn't generally visible unless you use a special tool, more skill is required to alter or otherwise manipulate it.

Kinds of Metadata

Here are some kinds of metadata that are interesting in computer forensics:

  • File system metadata (e.g. MAC times, access control lists, etc.)
  • Digital image metadata. Although information such as the image size and number of colors is technically metadata, JPEG and other file formats store additional data about the photo or the device that acquired it.

File types that support metadata and extraction tools

EXIF
The Exchangeable image file format describes a format for a block of data that can be embedded into JPEG and TIFF image files, as well as RIFF WAVE audio files. Information includes date and time information, camera settings, location information, textual descriptions, and copyright information. For more information, see [1] and the Wikipedia entry.
JPEG image files
Support the EXIF metadata format. [2]
TIFF
The Tagged Image File Format allows one or more images to be bundled in a single file. Multiple compression formats are supported. EXIF files can be stored inside TIFFs.
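
The following is an added example, not part of the original wiki entry: a small Python parser that locates the EXIF block inside a JPEG (the APP1 segment) and reads the text tags from its embedded TIFF directory. The function names and the sample file built by build_sample() are constructed for illustration; the tag numbers are the standard TIFF/EXIF ones.

```python
import struct

# IFD0 ASCII tags of forensic interest (tag numbers from the TIFF/EXIF specs).
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}

def find_exif(jpeg):
    """Walk the JPEG segments; return the TIFF block of the Exif APP1, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        if marker == 0xDA or length < 2:      # start of scan, or corrupt length
            break
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload[:6] == b"Exif\x00\x00":
            return payload[6:]
        pos += 2 + length
    return None

def parse_ifd0(tiff):
    """Return {name: text} for the ASCII tags in IFD0; skip truncated values."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8 or tiff[2:4] != struct.pack(order + "H", 42):
        raise ValueError("bad TIFF header")
    (ifd,) = struct.unpack_from(order + "I", tiff, 4)
    (entries,) = struct.unpack_from(order + "H", tiff, ifd)
    found = {}
    for i in range(entries):
        tag, typ, count, raw = struct.unpack_from(order + "HHI4s", tiff, ifd + 2 + 12 * i)
        if tag not in TAGS or typ != 2:       # type 2 = NUL-terminated ASCII
            continue
        start = struct.unpack(order + "I", raw)[0] if count > 4 else None
        data = raw[:count] if start is None else tiff[start:start + count]
        if len(data) == count:                # value lies fully inside the block
            found[TAGS[tag]] = data.rstrip(b"\x00").decode("ascii", "replace")
    return found

def build_sample():
    """Constructed input: JPEG header with a two-tag little-endian Exif block."""
    make, when = b"ExampleCam\x00", b"2006:03:01 12:00:00\x00"
    off = 8 + 2 + 2 * 12 + 4                  # TIFF header + count + entries + next-IFD
    ifd = struct.pack("<HHHIIHHIII", 2, 0x010F, 2, len(make), off,
                      0x0132, 2, len(when), off + len(make), 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd + make + when
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Calling parse_ifd0(find_exif(build_sample())) returns the Make and DateTime strings of the constructed file. Values recovered this way are only as trustworthy as the file itself, since the block is ordinary data that an editor can rewrite.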

External Links

Wikipedia has a nice entry on metadata.

Metadata extraction in Java