Digital Evidence Analysis: Metadata Analysis and Extraction

What Is Metadata?

Metadata is often described as "data about data." It describes and explains an information resource that makes the resource easier to retrieve, use or manage. From a digital forensics perspective, metadata is also defined as "evidence, typically stored electronically, that describes the characteristics, origins, usage and validity of other electronic evidence."[1]

Metadata, which is hidden in computer files, has been called "the electronic equivalent of DNA"[2] because it can reveal extensive information that can be used as digital evidence. Metadata includes but is not limited to:

  • The dates on which a file was created, last modified and last accessed.
  • The location of a file on a computer or network.
  • The name of the user account through which a document was last saved.
  • The identity and address book information of the user account from which an e-mail was sent.

Challenges Faced by Law Enforcement Related to Metadata Extraction

Although there are forensics tools that extract metadata from a variety of file formats, the quality and quantity of metadata varies depending on the file type. For example, many tools extract large amounts of metadata from Microsoft Office documents but report little from less common, yet potentially equally important, files created by other software applications. Additionally, most metadata-extracting applications fail to provide meta-metadata (metadata about metadata) that would lead to additional analysis steps or to automated correlation of the information extracted from multiple files. The lack of a comprehensive metadata analysis tool means that examiners spend a significant amount of time on manual examination and correlation.

NIJ-Supported Tools and Training in Metadata Extraction

NIJ supports the development of tools and training to enhance the extraction of metadata. In one such project, the NIJ grantee, Assured Information Security, will develop, test and disseminate the Enhanced Metadata Analysis Tool. The tool provides the forensic examiner with the ability to:

  • Identify and extract a wide variety of specific metadata from recovered files in large data sets.
  • Summarize file relationships based on their metadata.
  • Search extracted metadata for specific terms.

This capability is expected to significantly reduce the amount of time spent analyzing and manually processing data, especially when examiners attempt to correlate metadata from hundreds or thousands of files. For example, if examiners discover thousands of JPEG images and want to test the hypothesis that all photos were taken with the same camera, they must first extract the metadata and then visually compare the extracted information. Not only is this approach impractical, but the chance of error and oversight also increases significantly. The Enhanced Metadata Analysis Tool will reduce examination time by allowing the examiner to query the extracted metadata for specific terms and by highlighting pertinent information such as relationships between files, additional storage devices such as digital cameras, date and time stamps, and names and contact information.
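The workflow described above (extract metadata from many files, correlate it to test the "same camera" hypothesis, and search it for terms) can be illustrated with a small script. The following is an added example written for this page; it is not code from the page, from NIJ, or from the Enhanced Metadata Analysis Tool, and it does not reproduce that tool's design. It assumes a constructed evidence set of JPEG files built inside the block (not real case data), handles only the ASCII-typed tags of the first EXIF directory (Make, Model, DateTime), and uses function names that are the example's own. Because metadata is written by software and can be edited by anyone who touches the file, every offset the parser reads from the file is bounds-checked, so a malformed or truncated segment yields an empty record rather than a crash.

```python
import struct

# EXIF/TIFF tags decoded by this toy extractor (standard TIFF/EXIF tag numbers;
# only ASCII-typed entries are decoded, other types are skipped).
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}


def build_exif_jpeg(make, model, datetime_str, byte_order="II"):
    """Construct a minimal JPEG (SOI, one APP1 Exif segment, EOI) as sample input.
    Used only to build the constructed evidence set below; not a real camera file."""
    endian = "<" if byte_order == "II" else ">"
    entries = [(0x010F, make), (0x0110, model), (0x0132, datetime_str)]
    ifd_offset = 8                                   # IFD0 follows the 8-byte TIFF header
    data_offset = ifd_offset + 2 + 12 * len(entries) + 4
    ifd, blob = struct.pack(endian + "H", len(entries)), b""
    for tag, text in entries:
        value = text.encode("ascii") + b"\x00"        # ASCII values are NUL-terminated
        if len(value) <= 4:                           # short values sit inside the entry
            ifd += struct.pack(endian + "HHI", tag, 2, len(value)) + value.ljust(4, b"\x00")
        else:                                         # longer values are stored by offset
            ifd += struct.pack(endian + "HHII", tag, 2, len(value), data_offset + len(blob))
            blob += value
    ifd += struct.pack(endian + "I", 0)               # no next IFD
    tiff = byte_order.encode() + struct.pack(endian + "HI", 42, ifd_offset) + ifd + blob
    payload = b"Exif\x00\x00" + tiff
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload + b"\xFF\xD9"


def parse_tiff(tiff):
    """Decode the ASCII entries of IFD0 from an embedded TIFF structure.
    Every offset is bounds-checked: a malformed file must produce an empty or
    partial record, never an exception that stops a batch run."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return {}
    magic, ifd_offset = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42 or ifd_offset + 2 > len(tiff):
        return {}
    count = struct.unpack(endian + "H", tiff[ifd_offset:ifd_offset + 2])[0]
    fields = {}
    for i in range(count):
        entry = ifd_offset + 2 + 12 * i
        if entry + 12 > len(tiff):
            break
        tag, typ, n, val = struct.unpack(endian + "HHI4s", tiff[entry:entry + 12])
        if typ != 2:                                  # 2 = ASCII; other types skipped
            continue
        if n <= 4:
            raw = val[:n]
        else:
            off = struct.unpack(endian + "I", val)[0]
            if off + n > len(tiff):                   # offset points outside the segment
                continue
            raw = tiff[off:off + n]
        fields[TAG_NAMES.get(tag, "0x%04X" % tag)] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return fields


def extract_exif(jpeg):
    """Walk JPEG marker segments and return the fields of the first APP1 Exif segment."""
    if jpeg[:2] != b"\xFF\xD8":
        return {}
    pos = 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA) or pos + 4 > len(jpeg):   # EOI / start of scan / truncated
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return parse_tiff(jpeg[pos + 10:pos + 2 + seg_len])
        pos += 2 + seg_len
    return {}


def analyze(evidence):
    """Extract metadata from every file in {name: bytes}; preserves input order."""
    return {name: extract_exif(data) for name, data in evidence.items()}


def group_by_camera(records):
    """Correlate files by (Make, Model): the 'same camera?' hypothesis from the text."""
    groups = {}
    for name, fields in records.items():
        groups.setdefault((fields.get("Make", "?"), fields.get("Model", "?")), []).append(name)
    return groups


def search_metadata(records, term):
    """Case-insensitive search of all extracted values for a term."""
    term = term.lower()
    return sorted(n for n, f in records.items() if any(term in v.lower() for v in f.values()))


# Constructed evidence set (not real case data): two Canon images written with
# different byte orders, one Nikon image, and a JPEG carrying no EXIF at all.
SAMPLE_FILES = {
    "IMG_0001.jpg": build_exif_jpeg("Canon", "Canon EOS 7D", "2010:11:05 09:12:44"),
    "IMG_0002.jpg": build_exif_jpeg("Canon", "Canon EOS 7D", "2010:11:05 09:13:01", "MM"),
    "DSC_0042.jpg": build_exif_jpeg("NIKON", "D90", "2010:10:30 17:45:00"),
    "scan.jpg": b"\xFF\xD8\xFF\xD9",
}

if __name__ == "__main__":
    recs = analyze(SAMPLE_FILES)
    for camera, files in group_by_camera(recs).items():
        print(camera, files)
    print(search_metadata(recs, "2010:11:05"))
```

Files with no usable EXIF land in the ("?", "?") group rather than disappearing, which matters in practice: an image whose metadata has been stripped is itself a finding worth noting, and a group-by view makes such gaps visible without a file-by-file comparison. The timestamp search shows the term query from the text applied across every extracted value at once.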

The tool is under development and expected to be disseminated to law enforcement starting at the end of 2010.

Date Created: November 5, 2010