Difference between pages "Metadata" and "DIBS"

From Forensics Wiki
(Difference between pages)
m (File types that support metadata and extraction tools)
 
(Features)
 
Line 1: Line 1:
Metadata is data about data.  Metadata plays a number of important roles in computer forensics:
+
=DIBS=
* It can provide corroborating information about the document data itself.
+
* It can reveal information that someone tried to hide, delete, or obscure.
+
* It can be used to automatically correlate documents from different sources.
+
  
Since metadata is fundamentally data, it suffers all of the data quality and pedigre issues as any other form of data. Nevertheless, because metadata isn't generally visible unless you use a special tool, more skill is required to alter or otherwise manipulate it.
+
This Fort Worth based company makes forensics software and packages it with portable hardware for investigators in the field with desktop workstations for offices.
  
=Kinds of Metadata=
+
[http://www.dibsusa.com/ Website]
Here are some kinds of metadata that are interesting in computer forensics:
+
* File system metadata (e.g. MAC times, access control lists, etc.)
+
* Digital image metadata. Although information such as the image size and number of colors are techncially metadata, JPEG and file formats store additional data about the photo or the device that acquired it.
+
  
=File types that support metadata and extraction tools=
 
Below are some common data and metadata formats, the files in which they are found, and a collection of tools that can be used to extract information.
 
  
 +
=Features=
  
;EXIF  (Image files; Music Files)
+
==File Systems Understood==
: The Exchangeable Image File format describes a format for a block of data that can be embedded into JPEG and TIFF image files, as well as RIFF WAVE audio files. Information includes date and time information, camera settings, locaiton information, textual descriptions, and copyright information. For more information, see [http://www.exif.org] and the [http://en.wikipedia.org/wiki/Exchangeable_image_file_format Wikipedia entry.]
+
  
;ID3 (MP3 files)
+
(unknown)
: Implemented as a small block of data stored at the end of MP3 files.  ID3v1 is a 128-byte block in a specified format allowing 30 bytes for slong, artist and album, 4 bytes for year, 30 bytes for comment, and 1 byte for genre. ID3v1.1 adds a track number. ID3v2 is a general container structure.
+
  
;JPEG image files
+
==File Search Facilities==
:Support the EXIF metadata format. [http://www.drewnoakes.com/code/exif/]
+
  
;TIFF
+
* Lists allocated and unallocated files.
: The Tagged Image File Format allows one or more images to be bundled in a single file. Multiple compression formats are supported. EXIF files can be stored inside TIFFs.
+
* Sorts files by type.
:* [http://www.remotesensing.org/libtiff/ LibTIFF]
+
* Searches for keywords.
:* [http://www.awaresystems.be/imaging/tiff/faq.html TIFF FAQ]
+
* Registry Viewer
  
=External Links=
+
==Historical Reconstruction==
Wikipedia has a nice [http://en.wikipedia.org/wiki/Metadata entry on metadata].
+
  
[http://www.drewnoakes.com/code/exif/ Metadata extraction in Java]
+
Can it build timelines and search by creation date?
 +
 
 +
==Searching Abilities==
 +
 
 +
* Can use basic keyword searching.
 +
* Offers full-text indexing.
 +
 
 +
==Hash Databases==
 +
 
 +
* Offers the "Hash Library-KFF".
 +
 
 +
==Evidence Collection Features==
 +
 
 +
Can it sign files? Does it keep an audit log?
 +
 
 +
=History=
 +
 
 +
Originally written in (YEAR), it has now developed into a Forensic Edition and an Enterprise Edition.
 +
 
 +
==License Notes==
 +
 
 +
Is it commercial or open source? Are there other licensing options?
 +
 
 +
= External Links =
 +
 
 +
EnCase Homepage - http://www.guidancesoftware.com/lawenforcement/ef_index.asp
 +
 
 +
==External Reviews==
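
Review bot: The External Links entry at the end of the DIBS side reads "EnCase Homepage" and points to guidancesoftware.com, while the only DIBS link in the text is dibsusa.com near the top, so this looks like leftover content from another tool's page and should be replaced or removed. The same side still carries unfilled template text ("(unknown)" under File Systems Understood, "(YEAR)" in History, and the open questions under Historical Reconstruction, Evidence Collection Features and License Notes); fill these in or drop the empty sections before the page is read as a description of DIBS.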

Revision as of 10:43, 6 March 2006

DIBS

This Fort Worth-based company makes forensics software and packages it with portable hardware for investigators in the field and with desktop workstations for offices.

Website


Features

File Systems Understood

(unknown)

File Search Facilities

  • Lists allocated and unallocated files.
  • Sorts files by type.
  • Searches for keywords.
  • Registry Viewer

Historical Reconstruction

Can it build timelines and search by creation date?

Searching Abilities

  • Can use basic keyword searching.
  • Offers full-text indexing.

Hash Databases

  • Offers the "Hash Library-KFF".

Evidence Collection Features

Can it sign files? Does it keep an audit log?

History

Originally written in (YEAR), it has now developed into a Forensic Edition and an Enterprise Edition.

License Notes

Is it commercial or open source? Are there other licensing options?

External Links

EnCase Homepage - http://www.guidancesoftware.com/lawenforcement/ef_index.asp

External Reviews