Metadata is data that describes other types of data. For example, the .docx file extension tells a computer’s operating system that the file is a Word document and should be opened within the Microsoft Office program. Although each individual file contains many hundreds and even thousands of points of metadata, certain fields are more useful to the investigator than others. The three most important metadata fields to be aware of are:
1. File creation date: this is typically interpreted as the date when the file was originally created by the user. Be warned! The date can be tampered with and inadvertently altered by both the user and the actions of services on the computer system such as antivirus programs. As such, the file creation date should only be used as intelligence to advance an investigation as opposed to being hard evidence35. Having said that, this piece of metadata can be very useful in constructing a timeline of events by mapping file content within the creation date within the metadata.
2. File author: typically, the username used to log in to the operating system of the computer that initially created the file is recorded within the meta of that file. This can prove insightful if the username reflects the name of the person whose login created the file.
3. Latitude and longitude where the file was created (for image files only): most modern camera devices, including phones and tablets, will typically have some kind of GPS system built in. The latitude and longitude where a photograph was taken is stamped into the metadata of the image. Clearly this can be of huge benefit to an investigation and has proven so in extreme cases involving kidnap and ransom. One point to note is that not all images have this metadata within them, particularly if the image has been uploaded to a social media platform, which usually deliberately strips metadata from uploaded files.
Although the preceding metadata only gives three points of information on a file, if the investigator has the ability to get creative with this data then there are a number of ways that these data points can be effectively used. For example, file creation dates can be used to challenge witness testimony within an interview context, and location information attached to images can tangibly link events to locations.
Extracting metadata from a digital artifact is surprisingly easy, with the creation date and author information being available by right-clicking on a file icon and then clicking on the Properties option. The latitude and longitude within the images is slightly more difficult to extract and requires specialist software to do so. Luckily this software is freely available online from resources such as http://regex.info/exif.cgi.
FOCA search tools
FOCA is an exceptionally powerful desktop search tool that leverages the advanced search syntax of Google, Yahoo and Bing to ‘scrape’ a target website for a huge range of file types. The program works by enumerating a website and searching for file paths to documents. Once it has identified these docs the user is free to download these files to their own machine. The power of FOCA lies in a number of areas: firstly, it rapidly automates the reparative task of entering complex search syntax for each file type into the three search engines FOCA utilises. Secondly, it assists in the mass extraction of metadata from the reports that it recovers. Thirdly and most importantly, FOCA has the ability to recover documents from a website that have no explicit download links on the site’s pages. This almost magical ability, combined within the program’s other functions, creates a powerful tool for the investigator that can rapidly increase the scale, scope and speed of an investigation. As of writing this book, FOCA is freely available from downloadcrew.co.uk/article/22211-foca_free.
No comments:
Post a Comment