Examining Metadata to Uncover the Truth
Written by Charles Snipes   

Smartphones and tablets have become fixtures in our lives for both work and personal use. With them comes an ever-growing digital universe—the network of people, organizations, and things connected via the internet—that is growing 40 percent a year according to research by International Data Corporation (IDC). By 2020, it’s predicted that there will be as many digital bits as there are stars in the sky.

This growth in data—and the number of devices in which we create and store our data—means more electronically stored information for forensic experts to examine in litigation. But the most critical evidence may lie under the data, so it’s important for forensic experts to pay attention to metadata.
By definition, metadata is data about data. Metadata includes information most users can see, such as file name, file type, date the document was last opened, date it was last edited, and more. It also includes fields hidden to most users, including who created or altered the document, what he or she changed, when, and on what computer or device. These details are embedded into the file when it is created or revised.
Some metadata, such as the title, subject, and author fields, can be changed by anyone with a properties dialog or a text editor. Other fields, such as the date created and the identifiers of the device that produced the file, are not touched by ordinary editing. They are not tamper-proof, though: copying a file to new media typically gives it a fresh creation date, and tools exist that set timestamps to any value. The examiner treats these fields as harder to forge rather than impossible to forge, and corroborates them against the internal structure of the file.
With proper forensic analysis, metadata can help highlight patterns, establish timelines, and point to gaps in the data. Not every case hinges on it, but many cases require that metadata be examined, if only to verify the truth of what is being asserted—or to uncover lies.
Consider the following scenario:
You have a case where Company A is suing Company B over a disputed contract. During testimony, it comes out that one of the executives for Company B secretly recorded a meeting between both companies.
At trial, counsel for Company B submits a CD containing three audio recordings. Company A needs to make sure that what’s on the CD is real and hasn’t been altered.
In reviewing the audio files, Company A’s attorney finds anomalies between the date of the meeting that the recording device was used in and the metadata properties of the files produced. Concerned about the origin of the audio files and if they had been altered in any way, Company A sends the files to a third party for forensic investigation.
Now let’s pretend you’re that third party. What would you do?
If the three audio files that Company B produced were the originals as written by the recorder, their timestamps should be consistent: date created and date modified should both fall on the day of the meeting and lie close together, and date accessed should not precede either. If they don't, that is a good indication that something is awry. The date accessed field changes whenever the file is opened, even just to preview it in Windows Explorer, and the date modified field changes on any save, so those two are the weakest fields. Start with date created, and read it from the original media or a forensic image rather than from the CD, since burning the files may have rewritten all three timestamps.
Say that one of the three files had a creation date that matched the date of the recorded meeting, but the other two had creation dates after the meeting. That is a strong sign that software was used to edit the files: when someone imports a file into an audio editor and exports it again, the exported file gets a new creation date matching the export. (A plain copy to another drive also gets a new creation date, which is why the creation date is a lead to be confirmed, not proof on its own.)
To confirm that the audio files were manipulated, use a forensic suite to look at the raw bytes of each file in hexadecimal. An MP3 carries identifying information in two places: the ID3 tag (an ID3v2 block at the front of the file, sometimes an ID3v1 block at the end), where encoding software writes fields such as the encoder name and settings, and the MPEG frame headers, which give the bit rate, sample rate, channel mode and, with the frame count, the length of the recording. Software encoders such as LAME, and programs built on it, also write a "Xing" or "Info" header with an encoder version string into the first frame, while a bare hardware recorder usually writes little or no tagging. Any tag consistent with audio editing software reaffirms the belief that the produced files are not the originals.
Don’t stop there.
Examining the file headers also gives you a better idea of exactly what device created the recordings. If the headers tell you the files were not created on a smartphone, you can start exploring less common recorders, such as spy pens. By researching the spy pens on the market you can narrow down the model used, but you cannot be certain until you buy the device in question. Making your own recordings on it lets you compare them with the files Company B produced: how the files are named, the audio codec, the bit rate and sample rate, and whether the headers carry any tags.
Once you have verified what device made the recordings (in this case, a spy pen), Company A can move for Company B to produce the actual device used during the meeting. You can then compare the files on the device with the produced files, checking that the lengths and metadata match and, better still, that their cryptographic hashes are identical, which settles the question of whether a produced file is a bit-for-bit copy of what the recorder wrote.
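The examination steps above (timestamp consistency, ID3 and MPEG frame header parsing, and comparison with test recordings from the suspected device) as an added worked example; this is illustrative code written for this page, not DSi's tooling or the author's method. The sample MP3 bytes, the meeting dates and the `REFERENCE_PEN` profile are constructed for the example; the profile stands in for what you would measure from recordings made on the purchased device.

```python
import struct
from datetime import date, datetime

# Step 1: timestamps. Values are constructed here; real ones come from the forensic image, not the CD.
def timestamp_findings(created, modified, meeting_day):
    """Flag timestamp patterns that contradict 'this is the untouched original'."""
    findings = []
    if created.date() != meeting_day:
        findings.append("created %s, meeting was %s" % (created.date(), meeting_day))
    if created > modified:  # Windows gives a copy a new creation date but keeps the modified date
        findings.append("created after modified: a copy or export, not the original")
    return findings

# Step 2: ID3v2 tag. Text frames such as TSSE ("software/hardware used for encoding") betray an editor.
def _syncsafe(b):
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def parse_id3v2(data):
    """Return (offset of first MPEG frame, {frame_id: text}); (0, {}) if there is no tag."""
    if data[:3] != b"ID3":
        return 0, {}
    major, end, pos, frames = data[3], 10 + _syncsafe(data[6:10]), 10, {}
    while pos + 10 <= end and data[pos:pos + 4] != b"\x00\x00\x00\x00":   # stop at padding
        fid = data[pos:pos + 4].decode("latin-1")
        fsize = _syncsafe(data[pos + 4:pos + 8]) if major == 4 else struct.unpack(">I", data[pos + 4:pos + 8])[0]
        body = data[pos + 10:pos + 10 + fsize]
        if fid.startswith("T") and body:   # text frame: one encoding byte, then the text
            codec = {0: "latin-1", 1: "utf-16", 2: "utf-16-be", 3: "utf-8"}[body[0]]
            frames[fid] = body[1:].decode(codec).rstrip("\x00")
        pos += 10 + fsize
    return end, frames

# Step 3: first MPEG-1 Layer III frame: bit rate, sample rate, channels, Xing/Info header, encoder string.
BITRATES = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320]   # kbps, MPEG-1 Layer III
SAMPLE_RATES = [44100, 48000, 32000]

def parse_first_frame(data, off):
    h = data[off:off + 4]
    if len(h) < 4 or h[0] != 0xFF or (h[1] & 0xE0) != 0xE0:
        raise ValueError("no MPEG frame sync at offset %d" % off)
    if (h[1] >> 3) & 3 != 3 or (h[1] >> 1) & 3 != 1:
        raise ValueError("this example handles MPEG-1 Layer III only")
    bitrate, sample_rate = BITRATES[h[2] >> 4] * 1000, SAMPLE_RATES[(h[2] >> 2) & 3]
    mono = (h[3] >> 6) == 3
    info = {"bitrate": bitrate, "sample_rate": sample_rate, "channels": 1 if mono else 2,
            "frame_length": 144 * bitrate // sample_rate + ((h[2] >> 1) & 1), "xing": None, "encoder": None}
    p = off + 4 + (17 if mono else 32)   # a Xing/Info header sits right after the side information
    if data[p:p + 4] in (b"Xing", b"Info"):
        info["xing"] = data[p:p + 4].decode()
        flags, q = struct.unpack(">I", data[p + 4:p + 8])[0], p + 8
        q += 4 * bool(flags & 1) + 4 * bool(flags & 2) + 100 * bool(flags & 4) + 4 * bool(flags & 8)
        if data[q:q + 4] in (b"LAME", b"Lavc", b"Lavf"):   # encoder version string follows the Xing fields
            info["encoder"] = data[q:q + 9].decode("latin-1").rstrip("\x00 ")
    return info

def analyze(data):
    off, id3 = parse_id3v2(data)
    return {"id3": id3, "frame": parse_first_frame(data, off)}

def editing_indicators(report):
    """Header artefacts a software encoder leaves behind and a bare hardware recorder usually does not."""
    hits = []
    if "TSSE" in report["id3"]:
        hits.append("ID3 TSSE (encoding software): " + report["id3"]["TSSE"])
    if report["frame"]["xing"]:
        hits.append("%s header in first frame" % report["frame"]["xing"])
    if report["frame"]["encoder"]:
        hits.append("encoder string in first frame: " + report["frame"]["encoder"])
    return hits

# Step 4: compare with test recordings made on the suspected device (constructed profile, not a real pen).
REFERENCE_PEN = {"bitrate": 128000, "sample_rate": 44100, "channels": 2, "xing": None, "encoder": None, "has_id3": False}

def compare_to_reference(report, ref=REFERENCE_PEN):
    """Names of the properties on which the produced file differs from the device's own output."""
    diffs = [k for k in ("bitrate", "sample_rate", "channels", "xing", "encoder") if report["frame"][k] != ref[k]]
    if bool(report["id3"]) != ref["has_id3"]:
        diffs.append("has_id3")
    return diffs

# Constructed sample: what an ffmpeg/LAME re-export of a recording looks like on disk (one frame only).
def _text_frame(fid, text):
    body = b"\x00" + text.encode("latin-1")   # encoding byte 0 = latin-1
    return fid + struct.pack(">I", len(body)) + b"\x00\x00" + body

def build_exported_sample(encoder="Lavf58.29.100"):
    frames = _text_frame(b"TSSE", encoder)
    n = len(frames)
    tag = b"ID3\x03\x00\x00" + bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F]) + frames
    body = bytearray(417 - 4)   # 128 kbps at 44.1 kHz gives a 417-byte frame
    body[32:32 + 129] = b"Info" + struct.pack(">III", 0xF, 1, 417) + bytes(100) + struct.pack(">I", 0) + b"LAME3.99r"
    return tag + bytes([0xFF, 0xFB, 0x90, 0x44]) + bytes(body)   # MPEG-1 L3, 128 kbps, 44.1 kHz, joint stereo

if __name__ == "__main__":
    report = analyze(build_exported_sample())
    print(timestamp_findings(datetime(2014, 3, 20, 9, 5), datetime(2014, 3, 20, 9, 5), date(2014, 3, 12)))
    print(editing_indicators(report))
    print(compare_to_reference(report))
```

On a real case you would feed `analyze()` the bytes of each produced file and of each test recording from the device, then read `compare_to_reference()` as the list of properties that need explaining; a creation date after the meeting plus a `TSSE` frame or a LAME version string in the first frame is the combination the scenario above describes.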
Let’s assume you confirm some editing did indeed take place. The audio recordings produced by Company B may then be thrown out, protecting Company A against false accusations.
Analyzing metadata can prove extremely important in a case, and its importance will only grow as the types of devices we use and the amount of data we keep soar. Metadata exists for data on all sorts of devices, from spy pens to surveillance footage, and even tweets. You never know what truths you will uncover when you open up the raw bytes.

About the Author
Charles Snipes is a computer forensics examiner at DSi. A former detective and FBI cybercrime task force officer, he has more than 20 years of experience in investigation, forensic data collections, and forensic examination.

Lifting Latent Fingerprints from Difficult Surfaces

ALMOST ANYONE can find, process, and lift a latent print that happens to be in a logical and obvious place like a door handle, a beer can, or a butcher knife. But sometimes, a latent print is not just sitting there in a logical and obvious place. Sometimes, you have to use your imagination to find the print and your skills to lift it.