Lecture 4 Metadata in Digital Forensics Notes

Metadata in Digital Forensics

What is Metadata?

  • Data about data.

  • Based on the Greek word “μετά” which means “after”.

Metadata in Operating Systems

  • File systems consist of files, directories, and metadata.

  • Metadata includes:

    • Timestamp (date and time)

    • File name

    • File size

    • File location

  • Metadata can also be information used to locate and assemble files (pointers to data blocks and entire blocks used internally to retrieve data).

  • Metadata Definition: All the data in the file system that describes the layout and attributes of the regular files and directories (Buchholz and Spafford 2004).

Origin of Metadata in File Systems

  • Mainframe operating systems recorded more metadata.

  • Multics (ancestor of Unix) recorded:

    • Access timestamp: to determine how frequently information was used.

    • Modification & Creation timestamp: to manage when to backup information.

    • Motivated today’s MAC time.

Unix Metadata

  • Unix file system (from 1970s) records:

    • File location

    • File size

    • File type (file or directory)

    • Modified-Accessed-Changed timestamps

    • Access control information (owner, group, world; read, write, execute).

  • Linux Ext2-Ext4: deletion timestamp is also recorded.

    What is the difference between modified and changed timestamps?

  • Modified Timestamp: Last time the content of a file was modified.

  • Changed Timestamp: Last time the metadata of a file was modified.

  • A simple change in permissions updates the changed timestamp.

  • Usually the changed timestamp will correspond to the created timestamp, but there is no guarantee of that from a forensic perspective.
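The modified/changed distinction above can be observed directly. The following script is an added example, not part of the lecture notes: it pins a file's modified and accessed times to a constructed value in the past, then performs a permissions-only change and a content change, and reports which timestamps moved. It assumes a POSIX file system, where `st_ctime` is the inode change time; on Windows, Python fills that field with the creation time instead, so the result there would differ.

```python
"""Demonstrate modified (mtime) vs changed (ctime) on a POSIX file system."""
import os
import stat
import tempfile

# Constructed anchor: a fixed time in the past, so the outcome does not depend on how fast the run is.
PAST = 1_000_000_000  # 2001-09-09T01:46:40Z


def mac_times(path: str) -> tuple:
    """(modified, accessed, changed) as seconds since the epoch. On POSIX, st_ctime is the
    inode change time; on Windows Python fills the same field with the creation time."""
    st = os.stat(path)
    return st.st_mtime, st.st_atime, st.st_ctime


def observe_timestamp_updates() -> dict:
    """Pin M and A times into the past, then do a metadata-only change and a content change."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.txt")
        with open(path, "w") as fh:
            fh.write("original content\n")

        # utime rewrites mtime/atime to PAST; the kernel records that inode change in ctime (now).
        os.utime(path, (PAST, PAST))
        pinned = mac_times(path)

        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # permissions only: no data block written
        after_chmod = mac_times(path)

        with open(path, "a") as fh:                   # content change
            fh.write("appended line\n")
        after_write = mac_times(path)

    return {
        # chmod: content untouched, so mtime stays where utime left it...
        "chmod_keeps_mtime": after_chmod[0] == pinned[0] == PAST,
        # ...but the inode changed, so ctime is current (well after PAST)
        "chmod_updates_ctime": after_chmod[2] > PAST,
        # writing data moves mtime forward; ctime moves with it
        "write_updates_mtime": after_write[0] > PAST,
        "write_updates_ctime": after_write[2] >= after_chmod[2],
    }


if __name__ == "__main__":
    for check, result in observe_timestamp_updates().items():
        print(f"{check}: {result}")
```

Note that `os.utime` itself is a metadata change: it is the reason the pinned `ctime` is already current before the `chmod`, which is exactly the point of the lecture's warning that the changed timestamp need not match anything an investigator expects.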

DOS/FAT Metadata

  • DOS & FAT file system record:

    • File name (DOS: 8.3 scheme, FAT: 8.3 + long file name).

    • File size

    • File location

    • Modified/Written-Accessed-Created timestamps.

    • No user or permission information is stored.

    What happens with the modified and created timestamp if a file is copied?

  • In FAT, an updated creation timestamp is recorded for the new file

  • The modified timestamp is carried over to the new file

    What happens with the created timestamp if a file is moved or renamed?

  • The creation timestamp of the original file is carried over to the new file

  • Exception: in Windows 2000 and XP, if a file is moved to a different volume via command line, a new creation timestamp is written to the new file

    What happens with the modified timestamp if a file is opened in MS Office (the auto‐save is on) and content is not changed?

  • The modified timestamp is updated when the application does the automatic save

NTFS Metadata

  • NTFS file system records:

    • File name

    • File size

    • File location

    • Modified-Accessed-Created timestamps

    • Access control information (Ownership: SID & Permissions)

Benefits of File System Metadata

  • The information is automatically collected and stored by the system

  • The information is stored directly with the object of interest.

  • Tampering with metadata is not as simple as tampering with a file content

Reconstruction & Metadata

  • Who did it?
    Ownership from file systems isn't always relevant for forensics.

  • Need to know who created, modified, accessed, and deleted a file.

  • When did it happen?

    Timestamp semantics are not standardized.

  • Different file systems collect different metadata with different behaviors.

  • Time resolutions vary.

  • TESTING BEHAVIOUR IS A GOOD WAY TO UNDERSTAND DIFFERENCES

Time Resolution in FAT (File Allocation Table) vs. NTFS (New Technology File System)

  • On FAT file system:

    • Creation time: has a resolution of 10 milliseconds.

    • Last modified time: has a resolution of 2 seconds.

    • Access time: has a resolution of 1 day.

  • On NTFS file system:

    • Creation time & last modified time: have a resolution of 100 nanoseconds.

    • Access time: has a resolution of 100 nanoseconds (BUT updates may be held in memory for up to an hour before being flushed to the disk).
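The resolution figures above follow directly from how each file system stores its timestamps. The block below is an added example, not code from the lecture: it decodes a constructed 32-byte FAT directory entry (date and time words, the 10 ms "tenths" byte that exists only for the creation time, and the date-only access field), shows the 2-second truncation of the write time with a round trip, and converts an NTFS FILETIME (100 ns ticks since 1601) to a readable time. All field values in the sample entry were chosen by hand for this example.

```python
"""Decode FAT directory-entry timestamps (coarse) and NTFS FILETIME (100 ns ticks)."""
import struct
from datetime import date, datetime, timedelta

# Constructed sample: one 32-byte FAT short-name directory entry for REPORT.TXT.
# Multi-byte fields are little-endian; the values were chosen by hand for this example.
SAMPLE_ENTRY = (
    b"REPORT  TXT"          # 0x00 8.3 name, space padded
    + b"\x20"               # 0x0B attributes: ARCHIVE
    + b"\x00"               # 0x0C reserved
    + b"\xa7"               # 0x0D creation time fine part: 167 x 10 ms = 1.67 s
    + b"\xd6\x73"           # 0x0E creation time 14:30:44 (2 s units)
    + b"\xb1\x56"           # 0x10 creation date 2023-05-17
    + b"\xc2\x56"           # 0x12 last access DATE only: 2023-06-02
    + b"\x00\x00"           # 0x14 first cluster, high word
    + b"\xef\x41"           # 0x16 write time 08:15:30 (2 s units)
    + b"\xc1\x56"           # 0x18 write date 2023-06-01
    + b"\x05\x00"           # 0x1A first cluster, low word
    + b"\x10\x00\x00\x00"   # 0x1C file size: 16 bytes
)


def fat_date(raw: int) -> date:
    """16-bit FAT date: bits 15-9 years since 1980, 8-5 month, 4-0 day."""
    return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)


def fat_time(raw: int) -> timedelta:
    """16-bit FAT time: bits 15-11 hours, 10-5 minutes, 4-0 seconds divided by 2."""
    return timedelta(hours=raw >> 11, minutes=(raw >> 5) & 0x3F, seconds=(raw & 0x1F) * 2)


def _stamp(date_raw: int, time_raw: int) -> datetime:
    d = fat_date(date_raw)
    return datetime(d.year, d.month, d.day) + fat_time(time_raw)


def decode_entry(entry: bytes) -> dict:
    """Return the three FAT timestamps; each has a different native resolution."""
    tenths, ctime, cdate, adate, _hi, wtime, wdate = struct.unpack_from("<BHHHHHH", entry, 0x0D)
    return {
        "created": _stamp(cdate, ctime) + timedelta(milliseconds=10 * tenths),  # 10 ms
        "modified": _stamp(wdate, wtime),                                       # 2 s
        "accessed": fat_date(adate),                                            # 1 day
    }


def fat_round_trip(iso: str) -> str:
    """Store a wall-clock time in a FAT write date/time pair and read it back.
    Odd seconds vanish: the modified time only has 2 s granularity."""
    dt = datetime.fromisoformat(iso)
    date_raw = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_raw = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return _stamp(date_raw, time_raw).isoformat()


EPOCH_1601 = datetime(1601, 1, 1)  # NTFS FILETIME epoch (UTC)


def filetime_to_iso(ticks: int) -> tuple:
    """NTFS FILETIME is a count of 100 ns ticks since 1601-01-01. Python datetimes stop at
    microseconds, so the sub-microsecond remainder (0-9 ticks) is returned alongside."""
    micros, remainder = divmod(ticks, 10)
    return (EPOCH_1601 + timedelta(microseconds=micros)).isoformat(), remainder


def iso_to_filetime(iso: str) -> int:
    """Inverse of filetime_to_iso for whole microseconds."""
    return (datetime.fromisoformat(iso) - EPOCH_1601) // timedelta(microseconds=1) * 10


if __name__ == "__main__":
    for name, value in decode_entry(SAMPLE_ENTRY).items():
        print(f"{name:9} {value}")
    print("FAT write time round trip:", fat_round_trip("2023-06-01T08:15:31"))
    print("Unix epoch as FILETIME:   ", iso_to_filetime("1970-01-01T00:00:00"))
```

The practical consequence for timeline work is visible in `decode_entry`: a FAT file can never show an access time more precise than a day, and a modified time that ends in an odd second cannot have come from a FAT volume unless something other than the file system wrote it.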

Application Metadata

  • Further information that describes a file and is embedded in the file itself.

  • Includes tracked changes, author, version, email headers (to & from).

Media File Metadata: EXIF

  • EXIF (EXchangeable Image File format) is a standard for images and audio files which records:

    • Technical details of the device used.

    • Context information.

  • Promotes interoperability among devices: EXIF has been specified to promote interoperability among devices of different types (CIPA 2019) and editing/storage applications:

    • Record/capturing devices: e.g., digital still cameras, digital video cameras, and cameras built into smartphones

    • Display/playback devices: e.g., digital TV, car navigation systems

    • Image printing devices: e.g., printers and scanners

  • Applicable file types: digital cameras and video recorders, stand-alone or built into smartphones, collect a variety of EXIF metadata for photos (.JPG, .JPEG, .TIF, .TIFF) and audio/video (.WAV, .MOV).

Relevance to Forensics

  • EXIF metadata can help establish:

    • Where a photo was taken.

    • When the photo was taken.

    • Which device was used.

  • EXIF metadata is good for forensics, but it raises privacy/security issues for individuals as well.

  • Hence, social media platforms strip metadata from photos uploaded online.
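To make both points concrete, the EXIF structure described in the previous section and the stripping just mentioned, here is an added example that is not part of the lecture notes. It builds a constructed minimal JPEG (SOI, one APP1/Exif segment, EOI, no image data) whose TIFF block carries a camera Make, Model and DateTimeOriginal, decodes those tags with only the standard library, and then removes the APP1 segment the way an upload pipeline would. The device names "ExampleCam" and "X-1" and the timestamp are invented for the sample; the tag numbers and the segment/IFD layout are those of the JPEG and TIFF/EXIF specifications.

```python
"""Find, decode and strip the EXIF APP1 segment of a JPEG with only the standard library."""
import struct

# Tag numbers from the TIFF/EXIF specification (others are reported by hex number).
TAG_MAKE, TAG_MODEL, TAG_EXIF_IFD, TAG_DATETIME_ORIGINAL = 0x010F, 0x0110, 0x8769, 0x9003
TAG_NAMES = {TAG_MAKE: "Make", TAG_MODEL: "Model", TAG_DATETIME_ORIGINAL: "DateTimeOriginal"}
ASCII, LONG = 2, 4                      # TIFF field types used here
EXIF_HEADER = b"Exif\x00\x00"


def _ascii_entry(tag: int, text: str, data: bytearray, base: int) -> bytes:
    """One little-endian IFD entry of type ASCII. Values up to 4 bytes live inside
    the entry; longer ones are appended to the data area that starts at `base`."""
    value = text.encode("ascii") + b"\x00"
    if len(value) <= 4:
        return struct.pack("<HHI4s", tag, ASCII, len(value), value.ljust(4, b"\x00"))
    entry = struct.pack("<HHII", tag, ASCII, len(value), base + len(data))
    data.extend(value)
    return entry


def build_sample_jpeg() -> bytes:
    """Constructed sample: SOI, one APP1/Exif segment, EOI; no image data at all."""
    data = bytearray()
    base = 8 + 2 + 3 * 12 + 4                     # TIFF header + IFD0 with 3 entries = 50 bytes
    ifd0 = _ascii_entry(TAG_MAKE, "ExampleCam", data, base)   # 11 bytes -> data area
    ifd0 += _ascii_entry(TAG_MODEL, "X-1", data, base)        # 4 bytes  -> stored inline
    sub_off = base + len(data)                    # Exif sub-IFD follows the Make string
    sub_ifd = struct.pack("<H", 1)
    sub_ifd += struct.pack("<HHII", TAG_DATETIME_ORIGINAL, ASCII, 20, sub_off + 2 + 12 + 4)
    sub_ifd += struct.pack("<I", 0)               # no further IFD
    data.extend(sub_ifd + b"2023:05:17 14:30:45\x00")   # invented timestamp
    ifd0 += struct.pack("<HHII", TAG_EXIF_IFD, LONG, 1, sub_off)
    tiff = (b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 3)
            + ifd0 + struct.pack("<I", 0) + bytes(data))
    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def iter_segments(jpeg: bytes):
    """Yield (marker, start, end) for each marker segment before SOS/EOI."""
    pos = 2                                       # skip SOI
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                # EOI / SOS: entropy-coded data follows
            break
        length, = struct.unpack_from(">H", jpeg, pos + 2)
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff: bytes, offset: int, order: str, out: dict) -> None:
    """Decode ASCII tags of one IFD and descend into the Exif sub-IFD."""
    count, = struct.unpack_from(order + "H", tiff, offset)
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(order + "HHI4s", tiff, offset + 2 + 12 * i)
        if tag == TAG_EXIF_IFD and typ == LONG:
            _read_ifd(tiff, struct.unpack(order + "I", raw)[0], order, out)
        elif typ == ASCII:
            if n <= 4:
                value = raw[:n]
            else:
                off = struct.unpack(order + "I", raw)[0]
                value = tiff[off:off + n]
            out[TAG_NAMES.get(tag, hex(tag))] = value.rstrip(b"\x00").decode("ascii", "replace")


def read_exif(jpeg: bytes) -> dict:
    """Return the ASCII EXIF tags of the first Exif APP1 segment (empty dict if none)."""
    tags = {}
    for marker, start, end in iter_segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker == 0xE1 and payload.startswith(EXIF_HEADER):
            tiff = payload[len(EXIF_HEADER):]
            order = "<" if tiff[:2] == b"II" else ">"   # "II" little-endian, "MM" big-endian
            ifd0, = struct.unpack_from(order + "I", tiff, 4)
            _read_ifd(tiff, ifd0, order, tags)
            break
    return tags


def strip_exif(jpeg: bytes) -> bytes:
    """Copy of the file with every Exif APP1 segment dropped; image data is untouched."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, start, end in iter_segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:end].startswith(EXIF_HEADER)):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", read_exif(sample))
    print("after: ", read_exif(strip_exif(sample)))
```

Run against the sample, `read_exif` recovers the device and capture time (the "which device" and "when" of the bullet list above), and `read_exif(strip_exif(...))` returns an empty dict, which is why a photo pulled from a social media site is usually a dead end for EXIF-based reconstruction while the original on the device is not.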

Conclusion

  • Lack of standardization in metadata behavior across file systems.

  • Reverse engineering metadata behavior is an active research area.

  • EXIF metadata is valuable for forensic investigations when available