Metadata Investigation
Metadata is the information related to the data stored on a system or device. It contains details such as the type of file, the time of creation and modification, the location, etc. Investigators can extract metadata to find the internal details of any file or application.
Understanding Metadata
Metadata is structured data that describes certain characteristics of electronic data, including when and by whom the data was created, accessed, and modified. It cannot be seen without using special applications, and users can inadvertently share confidential information when sending or providing files in electronic form.
Examples of metadata include:
- Organization name
- Author name
- Computer name
- Network name
- Hidden text or cells
- Document versions
- Template information
- Personalized views
- Non-visible portions of embedded OLE objects
It is important to collect this data, as it provides information about:
- Hidden data about the document
- Who tried to hide, delete, or obscure the data
- Correlated documents from different sources
Metadata in Different File Systems
The most commonly known metadata about files on Windows systems are the file MAC times. MAC stands for modified, accessed, and created. The MAC times are timestamps that refer to the time at which the file was last modified in some way (data was either added to the file or removed from it), the time when it was last accessed (when the file was last opened), and when the file was originally created.
On the FAT file system, these timings are recorded based on the local time of the computer system, whereas the NTFS file system stores MAC times in Coordinated Universal Time (UTC) format, which is analogous to Greenwich Mean Time (GMT).
Another aspect of file and directory MAC times that interests an investigator is the way the timestamps are displayed, based on various move and copy actions.
FAT16 file system:
- Copy myfile.txt from C:\ to C:\subdir — Myfile.txt keeps the same modification date, but the creation date is updated to the current date and time.
- Move myfile.txt from C:\ to C:\subdir – Myfile.txt keeps the same modification and creation dates.
- Copy myfile.txt from a FAT16 partition to an NTFS partition — Myfile.txt keeps the same modification date, but the creation date is updated to the current date and time.
- Move myfile.txt from a FAT16 partition to an NTFS partition — Myfile.txt keeps the same modification and creation dates.
NTFS file system:
- Copy myfile.txt from C:\ to C:\subdir — Myfile.txt keeps the same modification date, but the creation date is updated to the current date and time.
- Move myfile.txt from C:\ to C:\subdir — Myfile.txt keeps the same modification and creation dates.
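The following added example (not part of the original article) decodes the raw on-disk timestamp encodings behind the FAT local-time and NTFS UTC distinction above, and applies the copy rule from the lists: a creation time later than the modification time suggests a copy. The function names, the sample values and the UTC offset are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def ntfs_filetime_to_utc(ticks: int) -> datetime:
    """NTFS: 64-bit count of 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def fat_to_local(date_word: int, time_word: int) -> datetime:
    """FAT: two packed 16-bit words holding local wall-clock time (2 s resolution)."""
    return datetime(
        1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
        time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2,
    )  # naive on purpose: the volume records no time zone

def fat_to_utc(date_word: int, time_word: int, utc_offset_hours: float) -> datetime:
    """Normalise a FAT stamp to UTC. The offset is the examiner's assumption
    about the clock of the machine that wrote the volume."""
    local = fat_to_local(date_word, time_word)
    return (local - timedelta(hours=utc_offset_hours)).replace(tzinfo=timezone.utc)

def copy_indicator(created: datetime, modified: datetime) -> bool:
    """A copy keeps the modification date but resets the creation date,
    so creation later than modification suggests the file is a copy."""
    return created > modified

# Constructed sample values, not taken from a real case.
SAMPLE_NTFS = {"created": 132223104000000000, "modified": 132222240000000000}
SAMPLE_FAT = (0x5021, 0x53CC)  # packed date word, packed time word

if __name__ == "__main__":
    created = ntfs_filetime_to_utc(SAMPLE_NTFS["created"])
    modified = ntfs_filetime_to_utc(SAMPLE_NTFS["modified"])
    print("NTFS created :", created.isoformat())
    print("NTFS modified:", modified.isoformat())
    print("copy suspected:", copy_indicator(created, modified))
    print("FAT local    :", fat_to_local(*SAMPLE_FAT).isoformat())
    print("FAT as UTC   :", fat_to_utc(*SAMPLE_FAT, 5.5).isoformat())
```

Normalising both encodings to UTC before building a timeline prevents a FAT volume's local times from appearing hours out of order against NTFS evidence.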
Metadata in PDF Files
Portable Document Format (PDF) files can contain metadata such as the name of the author, the date that the file was created, and the application used to create that file. The metadata can show, for example, that the PDF file was created on a Mac or that it was created by converting a Word document to PDF format. The pdfmeta.pl and pdfdmp.pl scripts can be used to extract metadata from PDF files. Another way to retrieve metadata is to open the file in Adobe Reader and click File -> Properties. The Description tab of the Properties dialog box contains all the available metadata.
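As an added illustration (not from the original article, and not the Perl scripts named above), this Python sketch reads the document information dictionary that holds the author, creating application and creation date, and parses the PDF date string. The sample bytes are constructed; the sketch assumes an uncompressed Info object with literal-string values and does not handle hex strings, object streams or XMP metadata.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a minimal fragment carrying an Info dictionary.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Title (Q4 \\(draft\\)) /Author (jdoe) "
    b"/Creator (Microsoft Word) /Producer (Mac OS X Quartz PDFContext) "
    b"/CreationDate (D:20200101103024+05'30') >>\nendobj\n"
    b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"
)

def extract_info(pdf: bytes) -> dict:
    """Follow the trailer's /Info reference and return its literal-string entries."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        return {}
    num, gen = int(ref.group(1)), int(ref.group(2))
    obj = re.search(rb"(?<!\d)%d\s+%d\s+obj(.*?)endobj" % (num, gen), pdf, re.S)
    if not obj:
        return {}
    info = {}
    for key, val in re.findall(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)", obj.group(1)):
        # Unescape \( \) and \\ only; other escapes are left as written.
        info[key.decode()] = re.sub(rb"\\([()\\])", rb"\1", val).decode("latin-1")
    return info

def parse_pdf_date(value: str):
    """Parse D:YYYYMMDDHHmmSS+HH'mm'. Returns a naive datetime when no zone is given."""
    m = re.match(r"D:(\d{4})(\d\d)?(\d\d)?(\d\d)?(\d\d)?(\d\d)?([Z+-])?(\d\d)?'?(\d\d)?", value)
    if not m:
        return None
    defaults = (0, 1, 1, 0, 0, 0)
    parts = [int(g) if g else d for g, d in zip(m.groups()[:6], defaults)]
    sign = m.group(7)
    if sign is None:
        return datetime(*parts)
    offset = timedelta(hours=int(m.group(8) or 0), minutes=int(m.group(9) or 0))
    return datetime(*parts, tzinfo=timezone(-offset if sign == "-" else offset))

if __name__ == "__main__":
    meta = extract_info(SAMPLE_PDF)
    for key, value in meta.items():
        print(f"{key:13}: {value}")
    print("Created (UTC):", parse_pdf_date(meta["CreationDate"]).astimezone(timezone.utc))
```

The UTC offset stored in CreationDate also reveals the time zone setting of the machine that produced the file, which can help corroborate where a document originated.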
Metadata in Word Documents
Word documents are compound documents, based on the Object Linking and Embedding (OLE) technology that defines a “file structure within a file.” Besides formatting information, Word documents can contain quite a bit of additional information that is not visible to the user, depending on the user’s view of the document.
Word documents can maintain not only past revisions but also a list of up to the last 10 authors who edited a file. This has posed an information disclosure risk to individuals and organizations. Perl scripts wmd.pl and oledmp.pl are used to list the OLE streams and trash bins embedded in a Word document.
Metadata in MS Word 2010 can be viewed by following these steps:
- Click on the File tab -> Info option
- Click Check for Issues -> Inspect Document
- Select the content to view and click the Inspect button
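The added example below (not from the original article) goes one step beyond the OLE description above: it tells a legacy OLE compound file apart from the ZIP-based .docx container by its magic bytes, then reads the author, last editor and revision count from docProps/core.xml in a .docx. The sample document is constructed in memory and the function names are illustrative.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc compound file header
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
FIELDS = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
          "revision": "cp:revision", "created": "dcterms:created",
          "modified": "dcterms:modified"}

# Constructed sample core.xml, not taken from a real document.
SAMPLE_CORE = (
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
    "<dc:creator>jdoe</dc:creator><cp:lastModifiedBy>asmith</cp:lastModifiedBy>"
    "<cp:revision>7</cp:revision>"
    "<dcterms:created>2020-01-01T05:00:24Z</dcterms:created>"
    "<dcterms:modified>2020-01-03T09:15:00Z</dcterms:modified>"
    "</cp:coreProperties>"
).format(**NS).encode()

def make_sample_docx(core_xml: bytes = SAMPLE_CORE) -> bytes:
    """Build a minimal ZIP holding only docProps/core.xml (enough for this demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()

def word_container(data: bytes) -> str:
    """Identify the container by magic bytes, never by file extension."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(b"PK\x03\x04"):
        return "ooxml"
    return "unknown"

def core_properties(data: bytes) -> dict:
    if word_container(data) != "ooxml":
        raise ValueError("not a ZIP-based Word document")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        xml = z.read("docProps/core.xml")
    if b"<!DOCTYPE" in xml:  # evidence files are untrusted input: refuse DTDs
        raise ValueError("DTD found in core.xml, refusing to parse")
    root = ET.fromstring(xml)
    props = {}
    for name, path in FIELDS.items():
        element = root.find(path, NS)
        if element is not None:
            props[name] = element.text or ""
    return props

if __name__ == "__main__":
    print(core_properties(make_sample_docx()))
```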
Metadata Analysis Tool: Metashield Analyzer
Metashield Analyzer is an online tool for analyzing the metadata contained in a file. This tool reveals details such as the creation and modification dates, the users found, the name of the application used, the number of times the file was edited, and the paths found. A file can be analyzed using the following procedure:
- Click Select File -> select the required file.
- Click Analyze and accept the terms and conditions in the pop-up.
- Click Analyze to view the output, i.e. the metadata of the file.
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com