Computer Forensics: What is metadata?

Russell W. Gilmore, CISSP, CISM, EnCE Computer Forensics

What is metadata and why is it important in a computer forensics investigation? A brief definition or explanation of metadata is “data about data.”

What does that exactly mean?

Data is the file: the Word document, the Excel spreadsheet, or any other user-created document on the computer. Metadata is information about that document. This can include where it is located, the dates and times it was created, last accessed, and last modified, and sometimes even when it was deleted. Records of the file being copied, whether to the cloud or to a USB device, are also considered metadata.

Metadata is very important in cases involving theft of data, specifically when an employee copies files to a thumb drive and then takes those documents with him when he leaves. Some companies aren’t accepting of that kind of activity and call us in to investigate whether files were taken and, if they were, when that took place.

In some circumstances, I’ve had clients ask if they can just copy the data they think was taken onto a thumb drive and provide it for analysis. That won’t work. We have to do a forensic collection of all the data on the computer, which means forensically imaging the laptop or desktop. We then process all the data on that device and analyze it for metadata. There may be information that will show whether or not documents were taken from the computer. We may even learn when and how those documents were taken.
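As an added illustration of the kind of metadata analysis described above (example code written for this page, not the author's tooling): it assumes file-system timestamps have already been exported from the forensic image into simple records, uses constructed sample records for a laptop volume and a USB volume, and relies on the common observation that a copied file receives a fresh creation time on the destination while keeping the source's modified time.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from posixpath import basename

def ts(*parts):
    """UTC timestamp helper; examiners normalise every clock to UTC."""
    return datetime(*parts, tzinfo=timezone.utc)

@dataclass(frozen=True)
class FileRecord:
    path: str
    created: datetime
    modified: datetime
    accessed: datetime

# Constructed sample records, in the shape a forensic tool might export them.
# C: is the imaged laptop, E: is a USB volume collected with it. Not real case data.
RECORDS = [
    FileRecord("C:/Users/alice/Documents/plan.docx",
               ts(2024, 3, 1, 10, 0), ts(2024, 4, 20, 16, 30), ts(2024, 5, 2, 9, 14)),
    FileRecord("E:/plan.docx",
               ts(2024, 5, 2, 9, 15), ts(2024, 4, 20, 16, 30), ts(2024, 5, 2, 9, 15)),
    FileRecord("C:/Users/alice/Documents/notes.txt",
               ts(2024, 2, 1, 8, 0), ts(2024, 2, 3, 8, 0), ts(2024, 2, 3, 8, 0)),
]

def copy_indicators(records):
    """Files whose creation time is later than their last-modified time.
    A copy normally gets a fresh creation time on the destination volume but
    keeps the source's modified time, so created > modified is a common
    indicator that the entry is a copy rather than an original (a heuristic,
    not proof; assumption stated in the lead-in)."""
    return [r for r in records if r.created > r.modified]

def copy_pairs(records):
    """Candidate (source, copy) pairs: same file name and identical modified
    time on different volumes (first letter of the path), ordered by creation time."""
    groups = defaultdict(list)
    for r in records:
        groups[(basename(r.path), r.modified)].append(r)
    pairs = []
    for group in groups.values():
        for a in group:
            for b in group:
                if a.path[0] != b.path[0] and a.created < b.created:
                    pairs.append((a.path, b.path))
    return pairs
```

Running `copy_indicators(RECORDS)` and `copy_pairs(RECORDS)` on the sample flags the USB copy of plan.docx and pairs it with the laptop original; a corroborating USB connection timestamp is still needed before drawing conclusions.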

Metadata is not always going to be available. Sometimes the deletion of a document will corrupt that information. Sometimes you’re not going to be able to determine whether or not somebody took a file from a computer. The best way to identify whether or not that happened is to do a forensic collection of all the data on the computer – a complete forensic imaging of the device. Then analyze the data from that level.