The simple definition of metadata is that it is data that describes other data. Metadata is information stored within a document but not visible by just looking at a file, a sort of electronic “fingerprint” that automatically adds identifying characteristics.
Types of metadata can include: time and date of creation; program or processes used for the creation of the data; purpose of the data; creator or author of the data; location on a device where the data was created; technical standards used; file size; data quality; source of the data; and modifications or programs used to modify the file.
Metadata can be found in different places. For example, metadata from a digital photograph could include information such as the date/timestamp of the image, the camera make and model, image resolution, the location in latitude/longitude and much more, and this data would be stored within the file itself. Additional metadata could reside in the device where the image is found, such as the created, modified and accessed timestamps as well as the user or users that have permissions to access or modify the file.
In addition, every time you create, open or save a Microsoft Word document, hidden information is created and stored within the document that you may not want others to obtain. Hidden information can also reside in other Microsoft applications such as Excel and PowerPoint.
Installed third-party applications could contain communication or location data, but could also include photos, videos, or even tracking software, called spyware. Application data may record location data even when the user has disabled it on the device. This data will not be found in service provider records. This type of data could be critical, and this type of digital evidence should be considered in every investigation, emphasizing the need for a comprehensive assessment.
As a practice, one of the first things forensic examiners should be directed to do is identify whether third-party apps are installed. Because of the huge number of third-party applications, not all apps are decoded by forensic software. However, depending on the popularity of the application, access to previously unsupported apps can change overnight. Determining which apps can be accessed begins with knowing what apps are present and what version they are using. With that baseline information, the forensic examiners will be able to quickly find out what data can be recovered.
Forensic investigators should routinely determine if backup files exist during their initial case assessment. A backup file is like a snapshot of the device’s memory at a point in time. It is an excellent alternative to a lost or locked device or when other forensic procedures cannot recover the data. A backup may be found in the cloud or may be stored on a computer or mobile device. Accessing it would require the user’s credentials or a forensic acquisition of the device it was stored in. Attempts to restore a backup without the proper training could result in the contamination and permanent loss of data.
A backup file is also a good alternative when faced with a locked device with an unknown passcode. However, advances in technology allow examiners to overcome more locked devices than ever before. Because of the rapid pace of technology, the forensic community lags behind. New tools are created regularly, so reviewing the latest forensic capabilities periodically is recommended.
More often than not, damaged devices can be accessed after making only minor repairs. For example, the simple and inexpensive process of replacing a broken screen may be the only thing preventing the examiner from accessing the device. Water damage can also be easily mitigated, but requires the investigator to follow a recently updated standard procedure. Depending on the device and the current state of the device’s power, certain actions should be taken. See the iPhone Collection Flowchart and the Android Collection Flowchart.
DIGITAL EVIDENCE: FROM COLLECTION TO THE COURTROOM – A Standardized Method for Investigators and Attorneys
Like most physical evidence, digital evidence is time-sensitive. Do you need a repeatable method and the resources to identify, collect and organize it? IRIS LLC created the first standardized Digital Evidence Case Assessment Method (DECAM) for investigating cases involving digital evidence. DECAM was created with the combined knowledge and practical experience of criminal defense investigators at IRIS LLC and certified digital forensic experts at eLab Forensics, with legal insight from Attorney William Paetzold, partner at Moriarty, Paetzold & Sherwood.