Vol. 2 No. 10
METADATA
ANALYSIS TOOLS
AND TECHNIQUES
DEMYSTIFYING METADATA
EXTRACTING AND USING METADATA FOR A
DIGITAL FORENSIC INVESTIGATION:
A STEP BY STEP PROCESS
TOP METADATA CONSIDERATIONS FOR
NETWORK SECURITY
METADATA IN DIGITAL FORENSICS
METADATA: WHAT IS IT AND
WHY SHOULD YOU CARE?
Issue 10/2013 (14) August
TEAM
Editors:
Joanna Kretowicz
joanna.kretowicz@eforensicsmag.com
Nadia Mawloud
nadia.mawloud@software.com.pl
Betatesters/Proofreaders:
Kishore P.V , Mada R Perdhana, Olivier
Caleff, Jeff Weaver, Massa Danilo, Craig
Mayer, Andrew J Levandoski, Richard
Leitz, Lee Vigue, Jan-Tilo Kirchhoff,
Owain Williams, Craig Mayer, Larry
Smith, Sundaraparipurman Narayanan,
Henrik Becker, Yousuf Zubairi
Senior Consultant/Publisher:
Paweł Marciniak
CEO: Ewa Dudzic
ewa.dudzic@software.com.pl
Production Director: Andrzej Kuca
andrzej.kuca@software.com.pl
Marketing Director: Joanna Kretowicz
jaonna.kretowicz@eforensicsmag.com
Art Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Publisher: Hakin9 Media Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.eforensicsmag.com
DISCLAIMER!
The techniques described in our articles
may only be used in private, local networks. The editors hold no responsibility
for misuse of the presented techniques or
consequent data loss.
Dear Readers!
Welcome to eForensics Magazine! We are proud to present our new issue entitled Metadata Analysis Tools and Techniques. We decided to focus on a topic that each and every one of us encounters on a daily basis and that we believe you will find interesting and beneficial to read and learn more about. Metadata is crucial: it is used in investigations, storage, processing, intelligence and more, and it can be found in almost any device.
The authors in this issue describe metadata from the very basics of what it is through to concrete examples of programs and their usage. They show which tools are good for working with metadata and how to analyze it. The authors who wrote these articles are professionals in this area who have agreed to share their expertise with us.
Our primary goal is to provide you with high-quality information and satisfaction. We are eager to hear your comments and suggestions for future publications and what YOU would like to read more about. With high hopes and excitement, we invite you to enter the world of Metadata!
eForensics Team
contents
DEMYSTIFYING METADATA
by Mark Garnett
There are many forensic tools to help an analyst find out what happened in a case. The most commonly used are the popular automated forensic suites EnCase and FTK. Each program provides a wealth of tools for the examiner through both built-in and external scripts. EnCase provides the analyst with many tools for metadata analysis within the Case Processor script and great support for third-party scripts. FTK has great email and document file analysis tools.
In the example from Bush's life, the memo is the data and the font is the metadata. Metadata is data about data. Anything that describes data is metadata. There are different metadata standards for different types of data. Information is not searchable and accessible without metadata. For example, without metadata you do not know who took a photograph, when they took it, what tool they used to capture the image, any feedback on the image, topics and subjects, as well as other pertinent information.
Metadata exists throughout data storage systems, from the creation and modification dates stored
within the file system, through to specific information embedded within the content of a file. Metadata can be hugely important to any forensic investigation, knowing how to extract this information and spot when it has been manipulated can prove very important. This article, aimed at those
new to forensics, looks at various forms of metadata and provides examples of the way in which we
can manually retrieve this information using the information that is available within our operating
systems and moving on to other tools which can be used to extract this data from many different
file types.
Metadata are those often quoted, but sometimes misunderstood, attributes of a file that can sometimes provide the sought after breakthrough in determining what happened when on a computer
system with respect to particular documents. They are of paramount importance in those investigations involving the theft of intellectual property, electronic discovery, fraud and misconduct
investigations and patent disputes.
Metadata can often contain that needle in the haystack you're looking for during a forensics investigation; in fact it has helped me out in the past quite a few times. One particular case that stands out the most was an internal investigation I did for the company I was working for at the time. Most of the cases I dealt with in this role related to employee misconduct, which included wrongful use, inappropriate behavior, harassment, etc. In this situation, metadata was the key piece of evidence in the case of a lost smart phone.
With recent events in the news there is an increased interest in metadata and how it may be used. What is metadata and what can it tell us? Forensic examiners have known for some time now about metadata and have probably used it to assist in investigations. Metadata can be used for a great many tasks, from file attribution and intelligence gathering to revealing manipulation of time and date stamps. The manner in which metadata can be used is really a matter of the approach and creativity of the examiner. To get a better hold on what metadata is, a definition is needed.
Bert Moss on Metadata
In June 2013 the term metadata, which is most generally defined as data about data, went mainstream following the Guardian's article on the NSA Prism program. For many years the security industry has been working with metadata and developing best practices around handling it and even choosing the right technology for specific use cases. This article will focus on key areas of consideration when looking to leverage metadata to improve network security.
Until Edward Snowden unleashed his allegations about the US and UK collecting phone information on millions of their citizens, the word metadata was the province of attorneys and computer forensic/eDiscovery nerds, such as these authors. And while the world may be aware of the term, few truly understand the breadth and pervasiveness of computer metadata.
In this article we will discuss what computer metadata is, explain its importance in investigations and litigation, and provide a variety of examples.
Metadata is structured information that describes, explains, locates, or otherwise makes it easier to retrieve, use, or manage an information resource. Metadata is frequently termed data about data or information about information. An important reason for creating descriptive metadata is to facilitate discovery of relevant information. In addition to resource discovery, metadata can help organize electronic resources, enable interoperability and legacy resource integration, provide digital identification, and support archiving and preservation. Metadata analysis is one of many different types of analysis. The interpretation of results from any single examination process might be inconclusive. It is important to validate findings with additional analysis techniques and algorithms.
by Bert Moss
In this article I will write about what is Metadata, some metadata analysis / extraction tools and the
various techniques that can be utilized in extracting and analyzing metadata mainly from a Digital
Forensics standpoint. As you may already know, data is usually described as a collection of facts,
such as values or measurements. It can be numbers, words, measurements, observations or even
just descriptions of things.
NEARLY EVERYTHING
IN YOUR CASE IS
METADATA
by Trent Struttmann
When I was asked to write this article, I didn't have any idea where to start. I wanted a more specific topic. I could write volumes on the metadata I could find in a case; I wanted a more specific topic as metadata, as said in the PFC Manning Trial, is just data about data. I would agree, it is really any two pieces of data that you can link together. It can tell you more about what occurred on a computer than the data itself can.
But to me the most interesting part of metadata, and maybe
one of the best ways to explain why you care about metadata,
is its potential for application in building a body of evidence for
a court case. Metadata can give you context for an event on a
computer.
if analyzed with the correct tools. Combining certain metadata with the link file you can draw a solid
conclusion that the user of the computer knew that
a certain file existed.
Your Case: Let's say we are analyzing the computer of a user who was an accountant at a local hardware store. Let's call the user Vector. You have been contacted by the hardware store's attorney after the employee was downsized. You find out through the attorney that the owner suspects accounting discrepancies were to blame for the recent financial losses. He also thinks that Vector was keeping two sets of books. Vector also seemed to be working late even on days when there weren't many sales. After following procedures for taking a forensic image of the computer, you begin your analysis.
Forensically interesting metadata in this case is located in the following places: link files found in the recent documents folder, link files found in the registry, link files found in the Internet history, the Windows registry USBStor key, and metadata from video files and pictures found on the local computer. Useful metadata gathered using an automated tool is NTFS (New Technology File System) MFT (Master File Table) data. This information tells you when files were last accessed, created and modified, and the last time the MFT entry changed. Using a program such as lnkanalyser you can parse relevant link files to reveal file-access times and the metadata for the file the link points to. Not only can a complete link tell you when a user clicked and opened a file, it can also tell you when the original file was created, modified, and accessed.
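As an added illustration of what a Windows shell link actually carries (example code written for this edition, not a tool from the article and not the lnkanalyser program it mentions), the following Python parses the fixed 76-byte ShellLinkHeader defined in Microsoft's MS-SHLLINK specification and converts the three FILETIME fields into readable UTC timestamps. The sample link bytes, the target timestamps and the file size are constructed values, not data from the case described in the article, and the anomaly check is a simple heuristic of my own rather than something the article prescribes.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout of the 76-byte ShellLinkHeader (MS-SHLLINK section 2.1), little-endian:
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime, AccessTime,
# WriteTime, FileSize, IconIndex, ShowCommand, HotKey, Reserved1/2/3.
HEADER_FMT = "<I16sIIQQQIIIHHII"
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FILE_ATTRIBUTE_DIRECTORY = 0x10
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO-8601 string, or None if unset."""
    if ft == 0:
        return None
    stamp = EPOCH_1601 + timedelta(microseconds=ft // 10)
    return stamp.isoformat().replace("+00:00", "Z")


def to_filetime(stamp):
    """Inverse of from_filetime; only used to build the constructed sample below."""
    delta = stamp - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_lnk_header(data):
    """Decode the fixed header of a .lnk file into the fields an examiner cares about."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file too short to hold a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Windows shell link (bad HeaderSize or LinkCLSID)")
    return {
        "target_created": from_filetime(ctime),    # target's timestamps as recorded
        "target_accessed": from_filetime(atime),   # when the link was last written
        "target_modified": from_filetime(wtime),
        "target_size": fsize,
        "target_is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
        "has_target_id_list": bool(flags & 0x01),  # LinkFlags bit 0: HasLinkTargetIDList
        "has_link_info": bool(flags & 0x02),       # LinkFlags bit 1: HasLinkInfo
    }


def timestamp_anomalies(rec):
    """Heuristic (my assumption, not from the article): flag impossible orderings."""
    findings = []
    c, m, a = rec["target_created"], rec["target_modified"], rec["target_accessed"]
    if c and m and m < c:
        findings.append("target modified before it was created")
    if c and a and a < c:
        findings.append("target accessed before it was created")
    return findings


def sample_lnk(inconsistent=False):
    """Constructed header for a hypothetical ~47 KB spreadsheet target (not the article's data)."""
    created = datetime(2013, 12, 1, tzinfo=timezone.utc) if inconsistent \
        else datetime(2013, 1, 7, 9, 15, tzinfo=timezone.utc)
    used = datetime(2013, 6, 7, 17, 42, tzinfo=timezone.utc)
    return struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, 0x03, 0x20,
                       to_filetime(created), to_filetime(used), to_filetime(used),
                       48213, 0, 1, 0, 0, 0, 0)


if __name__ == "__main__":
    record = parse_lnk_header(sample_lnk())
    for key, value in record.items():
        print(f"{key:>20}: {value}")
    print("anomalies:", timestamp_anomalies(record) or "none")
```

The three timestamps inside the link describe the target as it was when the link was written; when the user actually clicked the file is recorded by the link file's own creation and modification times in the NTFS MFT, which is why the article pairs link parsing with MFT data.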
In this case Vector, our accountant, had two
folders in his My Documents folder: one that contained the yearly accounting log and one that contained the weekly reports for the owner. Your tool
of choice gathers metadata that tells you the file
times, allowing you to see that the yearly log was
created the first week of January and the weekly
logs were created each week. They were both last
modified the Friday before Vector was let go.
By looking at the recent links in the user's profile folder you find the next set of important metadata in this case. The most recently opened files on the computer, called the link files, can tell you who accessed which files and when.
Most automated forensics tools provide methods to easily tag or recover deleted link files. Dig
deeper into the present and recovered links and
it is possible to tell that this user accessed other
files that used to reside in the weekly and yearly
accounting data folders. For nearly every week
Vector was the accountant there are two sets of
links: one with the original file name still living in
the weekly folder and a second to a now-deleted file that once resided in the weekly folder. We
can even tell that the filename had a Copy of
www.eForensicsMag.com
On the Web
http://www.woanware.co.uk
http://sourceforge.net/projects/jexifviewer/
http://www.manzanitasystems.com/products/mpegid.html
http://www.forensicfocus.com/Forums/viewtopic/t=8635/
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Trent Struttmann, is a Digital Forensic Examiner with Cyber Agents Inc. (www.cyberagentsinc.com). He has worked doing
digital forensics, data recovery and cell
phone data analysis on more than 100
cases and has testified more than 5 times
in DoD, civilian federal, civilian criminal
and state criminal courts. He has spoken
at conferences at the Naval Justice School in Rhode Island
and at the Public Defenders conference in Kentucky.
A PRIMER ON
METADATA
ANALYSIS
by Jeffrey Lewis
INTRODUCTION
Metadata serves the purpose of describing data. When describing data, especially if multiple people are working with the data, it is important to have standards. To make sure everyone is on the same page with how they analyze metadata, it is important to use a thesaurus, semantic network or some other similar tool. Using standards can be a means to ensure data quality, as it will make sure the most accurate descriptors are in
your metadata and no one uses the term Miscellaneous. While developing a file plan on a federal
government contract one of the rules we decided early on is that Miscellaneous would not
be used to describe a records series. Having a
category called, Miscellaneous is like having a
junk drawer where nothing is organized and it is
hard to find specific items. In your metadata analysis if you come across something that you want
to label as Miscellaneous then think hard about
what it is and if the terms you are using to categorize and classify information are too granular and
not broad enough.
Jeff Lewis CIP MLS is a Certified Information Professional (CIP) from the Association for Information and Image Management (AIIM) www.aiim.org. He holds a graduate degree in Library Science with a Specialization in Special Collections from Indiana University. Currently he is employed as a federal government contractor for Zimmerman Associates Inc. http://zai-inc.com/ You can follow his research and writing on his blog Information Is Currency http://infocurrency.wordpress.com/ and he is an expert blogger for AIIM on electronic records management. If you are on Twitter you can connect with him at twitter.com/Info_Currency.
UNDERSTANDING FILE
METADATA HOW TO
VIEW & INTERPRET
DATA ABOUT DATA
by Chris Sampson
stand that accidental or even potentially malicious manipulation or misinterpretation of any
and all data is possible. The emphasis is on the
fact that if we can read this data directly and we
can understand how it is recorded, that we can
then very easily manipulate or change the data
often in ways which are very close to being, if not
entirely undetectable.
We believe that any investigator should understand at a very fundamental level the workings and
viability of any data gathered that may later need
to be presented as fact. In order to do this properly
you must personally validate and be convinced of
the fact that the
WHAT IS METADATA?
curate picture of a file from its metadata is in understanding the system that created or used the
data file, its quirks, peculiarities and indexing abilities. If you have a good grasp of this then you are
off to an excellent start.
Good knowledge of the file type that you are investigating will help you to get the most complete
picture of the metadata that it can store and where
this data can be found. If you are investigating a
new file type for the first time it may be wise to conduct a little research; information that may prove helpful could include:
Documentation from the publisher of the software used to create the file type; the availability of this kind of information varies from publisher to publisher.
If possible you should install and use the software, create files of the type that you are investigating, then examine these to build familiarity with the file container.
Find third-party documentation regarding a file type; the open source community, particularly those who create tools to access or modify the data type that you need to investigate, can be a great source of detailed information.
Familiarize yourself with manually editing or manipulating metadata within the data container.
The more information that you are armed with prior
to carrying out an examination, the better placed
you will be to accurately and efficiently extract the
information that you need.
File Name
File Path
File Size
Creation Date
Modification Date
Whilst the above are pretty standard, the type of information available can vary significantly depending upon the specific operating system involved
and the type and version of file system that is being used to store data for that OS.
Often additional information exists defining certain attributes that have been assigned to a file or
folder by the OS or the user. This information can
Table (per-file-type metadata; only the File Type column survived extraction): .jpeg image files (EXIF), MP3 files, PDF documents, DOCX files.
plemented incorrectly. Sometimes a file specification is followed very closely but something additional is added within the metadata to serve the needs of a particular implementation.
It is important that metadata only be used as a guide rather than an absolute; later we will look at the output of different applications using the same file format, as well as tools and methods that are available for the reading, extraction and manipulation of file metadata.
Note: The above information is not intended to be a complete list of available metadata for each file type; it is rather an example of some of the data that is commonly available within each file type. Researching the internal structure of a file container and its supported metadata is required for a thorough understanding of the possibilities and limitations of metadata storage for a particular container type.
Much of this data is accessible directly from your computer's file manager. There are also a plethora of tools available; many third-party utilities enable direct viewing and often editing of a file's metadata.
The information displayed within the file manager window within a GUI based operating system is
normally only a small subset of the metadata that
exists and is accessible for any given file. Some is
hidden, reserved for OS usage, some is considered to not be important and is therefore not displayed. But most information that is stored can be
accessed in one way or another. Often, more modern OS features like versioning, journaling and instant search can hold more data than is available
directly through the interface. In most cases there
are tools, applications or techniques which can be
used to display this data.
Windows
Using Windows Explorer we can see a number of
metadata elements from within an Explorer window. This information is configurable too and supports the metadata of many different file types. To
discover what types of metadata can be viewed
through Explorer, try the example given below:
Use Windows Explorer to navigate to the folder
that contains the file types that you wish to examine.
Change the View type to Details
Right click the column headings to display the
following contextual menu
Click the More item at the bottom of the menu
This will open a new window within which you can
choose the type of metadata that you want to display. If Windows supports the file type and that file type contains the metadata that you have selected, you will be able to see the meta contents directly within Windows Explorer.
Ubuntu
Linux systems are a little more limited in the information provided within the standard GUI, although this can easily be changed. Whilst no specific tool exists within Ubuntu for metadata viewing, there is the file command.
There are some limitations to file, though, as it is not really intended as a metadata analyser: although you can find out lots of detail about the meta content of a Microsoft Word OLE (.doc) document, there is no metadata available for Microsoft Open XML (docx) files.
Here is an example of using file to display the
metadata for a newly created word document:
:~/Desktop$ file Sample\ Document.doc
Spotlight application. Mac OS X systems that include Spotlight also include a fantastic tool for
viewing metadata that has been captured and indexed by Spotlight, mdls. Mdls can be used to see
extended information for supported file types and
there are a lot of supported file types. The output
of mdls is very comprehensive, below is the data
that was extracted from a newly created Microsoft
Word .docx file: Listing 1.
As you can see, whilst the output of mdls is very
detailed, it is not formatted to make for easy reading. Despite the formatting it is still a pretty simple
task to extract the required information from the
output.
Spotlight presents several interesting possibilities for metadata analysis in general but we will
not go into any further detail about that within this
article.
Image Files
Image files often contain a large amount of metadata, from camera type, to time stamps, geo location and more. Much of this information can be
extracted by doing nothing more than opening the
file using a text editor or hex editor. Free tools are
plentiful, as are libraries and open source projects,
which can be used to develop your own utilities.
For a quick and simple inspection of supported file types, exifviewer.org has a web-based tool that displays friendly, easy-to-interpret metadata. Exifviewer is built upon the Exiv2 library.
It is also important to note that many image file formats can contain a thumbnail of the original image. In most cases this thumbnail will mirror the full-sized image. When it does not, comparison can help to identify potential editing and manipulation. Many operating systems also cache thumbnails within their file managers for image previewing purposes. OS caches can prove an important source for metadata analysis.
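To show what "opening the file in a hex editor" actually exposes, here is an added Python example (written for this edition; not code from the article, from exifviewer.org or from the Exiv2 library) that walks the JPEG marker segments to the APP1/Exif segment, reads the TIFF header, IFD0, the Exif sub-IFD and IFD1, and pulls out the maker, model, timestamps, whether a GPS IFD is present, and the embedded thumbnail bytes. The sample JPEG it builds is constructed, with hypothetical camera values and a four-byte stand-in for the thumbnail, so the whole thing runs offline; the tag numbers and layout follow the Exif and TIFF 6.0 specifications.

```python
import struct

# Byte sizes of the TIFF field types we may meet (BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED, SLONG, SRATIONAL)
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
TAG_MAKE, TAG_MODEL, TAG_DATETIME = 0x010F, 0x0110, 0x0132
TAG_EXIF_IFD, TAG_GPS_IFD, TAG_DATETIME_ORIGINAL = 0x8769, 0x8825, 0x9003
TAG_THUMB_OFFSET, TAG_THUMB_LENGTH = 0x0201, 0x0202   # JPEGInterchangeFormat(/Length) in IFD1


def _read_ifd(tiff, off, e):
    """Return ({tag: value}, next_ifd_offset) for the IFD at `off`; `e` is '<' or '>'."""
    (n,) = struct.unpack_from(e + "H", tiff, off)
    tags = {}
    for i in range(n):
        tag, typ, cnt, raw = struct.unpack_from(e + "HHI4s", tiff, off + 2 + 12 * i)
        size = TYPE_SIZE.get(typ, 1) * cnt
        # Values of 4 bytes or less sit inline (left-justified); larger ones are pointed to.
        payload = raw[:size] if size <= 4 else tiff[struct.unpack(e + "I", raw)[0]:][:size]
        if typ == 2:
            tags[tag] = payload.rstrip(b"\0").decode("ascii", "replace")
        elif typ in (3, 4) and cnt == 1:
            tags[tag] = struct.unpack(e + ("H" if typ == 3 else "I"), payload)[0]
        else:
            tags[tag] = payload
    (nxt,) = struct.unpack_from(e + "I", tiff, off + 2 + 12 * n)
    return tags, nxt


def parse_tiff(tiff):
    """Parse the TIFF structure that follows the 'Exif\\0\\0' signature in APP1."""
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0_off = struct.unpack_from(e + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    ifd0, ifd1_off = _read_ifd(tiff, ifd0_off, e)
    info = {"byte_order": tiff[:2].decode(), "make": ifd0.get(TAG_MAKE),
            "model": ifd0.get(TAG_MODEL), "datetime": ifd0.get(TAG_DATETIME),
            "datetime_original": None, "has_gps": TAG_GPS_IFD in ifd0, "thumbnail": None}
    if TAG_EXIF_IFD in ifd0:
        exif, _ = _read_ifd(tiff, ifd0[TAG_EXIF_IFD], e)
        info["datetime_original"] = exif.get(TAG_DATETIME_ORIGINAL)
    if ifd1_off:                                   # IFD1 describes the embedded thumbnail
        ifd1, _ = _read_ifd(tiff, ifd1_off, e)
        if TAG_THUMB_OFFSET in ifd1 and TAG_THUMB_LENGTH in ifd1:
            start, length = ifd1[TAG_THUMB_OFFSET], ifd1[TAG_THUMB_LENGTH]
            info["thumbnail"] = tiff[start:start + length]
    return info


def parse_exif(jpeg):
    """Walk JPEG marker segments until the APP1/Exif segment; return its parsed contents or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                 # EOI or start of scan: no more header segments
            break
        (seglen,) = struct.unpack_from(">H", jpeg, pos + 2)   # length includes its own 2 bytes
        seg = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return parse_tiff(seg[6:])
        pos += 2 + seglen
    return None


def _entry(tag, typ, count, value_or_offset):
    return struct.pack("<HHII", tag, typ, count, value_or_offset)


def build_sample_jpeg():
    """Constructed minimal JPEG with a little-endian Exif block; camera values are hypothetical."""
    make, model = b"Canon\0", b"EOS 5D\0"
    dt, dto = b"2013:06:09 10:34:00\0", b"2013:06:09 10:33:58\0"
    thumb = b"\xff\xd8\xff\xd9"                     # stand-in for an embedded thumbnail
    ifd0_off = 8
    exif_off = ifd0_off + 2 + 4 * 12 + 4            # IFD0: 4 entries
    ifd1_off = exif_off + 2 + 1 * 12 + 4            # Exif IFD: 1 entry
    data_off = ifd1_off + 2 + 2 * 12 + 4            # IFD1: 2 entries; strings/thumbnail follow
    o_make, o_model = data_off, data_off + len(make)
    o_dt, o_dto = o_model + len(model), o_model + len(model) + len(dt)
    o_thumb = o_dto + len(dto)
    tiff = b"II*\x00" + struct.pack("<I", ifd0_off)
    tiff += struct.pack("<H", 4) + _entry(TAG_MAKE, 2, len(make), o_make) \
        + _entry(TAG_MODEL, 2, len(model), o_model) + _entry(TAG_DATETIME, 2, len(dt), o_dt) \
        + _entry(TAG_EXIF_IFD, 4, 1, exif_off) + struct.pack("<I", ifd1_off)
    tiff += struct.pack("<H", 1) + _entry(TAG_DATETIME_ORIGINAL, 2, len(dto), o_dto) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 2) + _entry(TAG_THUMB_OFFSET, 4, 1, o_thumb) \
        + _entry(TAG_THUMB_LENGTH, 4, 1, len(thumb)) + struct.pack("<I", 0)
    if len(tiff) != data_off:
        raise AssertionError("IFD layout miscalculated")
    tiff += make + model + dt + dto + thumb
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    for key, value in parse_exif(build_sample_jpeg()).items():
        print(f"{key:>18}: {value!r}")
```

Returning the thumbnail bytes is what makes the comparison the article describes possible: decode them and the main image separately and look for differences, and treat a DateTimeOriginal that disagrees with the IFD0 DateTime as a prompt to look closer.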
Listing 3. An example of metadata extracted using ExifTool, broken down by category
chrissampson$ exiftool ~/Desktop/Sample\ Document.docx
ExifTool Information
ExifTool Version Number : 9.31
Required Version : 20
Bit Flag : 0x0006
Compression : Deflated
Modify Date : 1980:01:01 00:00:00
CRC : 0xb01051e9
Compressed Size : 397
Zip Uncompressed Size : 1474
Zip File Name : [Content_Types].xml
PDF files
The metadata contained within a PDF document varies greatly and can depend on what tool created the document as well as the settings for that application. There are also a number of different PDF specifications that govern the file format, with varying metadata support and implementation. One of the simplest approaches to extracting the metadata from a PDF document is to open the file in your text editor or hex editor.
Some metadata from a PDF is also available within the operating system or via specific tools like Adobe Acrobat and Acrobat Reader. For a more thorough examination or a custom implementation, Xpdf can be considered. Xpdf is open source under the GPL. You can find many pre-compiled versions of this tool for different systems.
Multiple Format Applications
A particularly useful application for metadata analysis is ExifTool. ExifTool is written in Perl
and as such is available for most operating systems, giving a consistent command line interface
across each. ExifTool has support for a huge
number of different file types (which are also expandable) and is an excellent tool for extracting
metadata from common file types. Just like mdls,
the output of ExifTool is extremely detailed, but
unlike mdls, ExifTool can also be used on Windows and Linux as well as Mac OS X. Below is
the output of ExifTool on our Sample Document.
docx file: Listing 2.
Below is the same output from ExifTool, but this time we have broken it down by metadata source. As you will see, some of the information displayed by ExifTool is file system metadata and not simply file metadata: Listing 3.
ExifTool should be used in conjunction with your
own examination and validation techniques. We
often use ExifTool at TRC Data Recovery when we
are examining a new file type.
and Excel, follows the exact same structure as
the docx file, but some of the internal structure is
slightly different. Why not also rename your xlsx
and pptx files to zip and see how they differ.
The internal contents of a docx file are based upon many XML files (this is why the letter x was appended to the original doc file extension; it is also why the standard is known as Office Open XML). XML files are not all that a Word document can contain; it is possible to have images and other files that are available as individual items embedded within the file. These items can also be extracted from your renamed docx file. So, this article is all about metadata, and having used tools like ExifTool and mdls we already know that our sample file is full of metadata, but how do we find it? Well, there are a few different locations, but the most important metadata exists within the ./docProps directory as below:
Listing 4. Recursive output of the ls command on our
unzipped docx file
chrissampson$ ls -R
[Content_Types].xml docProps
_rels word
./_rels:
./docProps:
app.xml core.xml thumbnail.jpeg
./word:
_rels settings.xml theme
document.xml styles.xml webSettings.xml
fontTable.xml stylesWithEffects.xml
./word/_rels:
document.xml.rels
./word/theme:
theme1.xml
The core.xml and app.xml contain the metadata that has been extracted by ExifTool in an XML
format, the output of these files from our Sample
Document.docx is reprinted below: Listing 5 and
Listing 6.
So now let's compare the information extracted manually with the metadata displayed within ExifTool (Table 2).
So, as we can see, there is no great mystery to
determining the metadata for the docx file type.
The same applies to most other file types, all that
is required is a basic understanding of how the file
is structured and what metadata can be contained
<Lines>1</Lines>
<Paragraphs>1</Paragraphs>
<ScaleCrop>false</ScaleCrop>
<Company>TRC Data Recovery Ltd</Company>
<LinksUpToDate>false</LinksUpToDate>
<CharactersWithSpaces>27</CharactersWithSpaces>
<SharedDoc>false</SharedDoc>
<HyperlinksChanged>false</HyperlinksChanged>
<AppVersion>14.0000</AppVersion>
</Properties>
MANIPULATING METADATA
docx. For this example no specialist tools are required beyond a text editor (all of our systems include text editors).
We have already renamed our Sample Document.docx file to .zip in the example above. To follow this yourself, please do the same and extract
the contents. We are going to modify just one of
the metadata fields changing the name of the person identified as the last modifier.
Using the table above we are able to see that
the Last Modified By metadata is stored within the ./docProps/core.xml file, between the tags
<cp:lastModifiedBy> and </cp:lastModifiedBy>. If
we again examine the content of the core.xml file we
can see that the current value for this tag is Christopher Sampson, highlighted in yellow. Listing 7.
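The extraction from ./docProps described above and the effect of the lastModifiedBy edit can both be exercised without Word. The Python below is an added example for this edition, not code from the article or from TRC Data Recovery: it builds a constructed minimal .docx in memory (core.xml and app.xml carry the values from Table 2; the raw TotalTime of 1 and DocSecurity of 0 are assumptions, since ExifTool shows them as "1 minute" and "None"), reads the same fields ExifTool reports straight from the two XML parts, and applies one heuristic suggested by Listing 3: Word wrote 1980:01:01 00:00:00 as the zip entry time for every part, so a package whose entries carry real timestamps has most likely been unzipped, edited and re-zipped with another tool. The office_style=False build simulates exactly that re-packaging with the edited Last Modified By value. The heuristic is my assumption, not something the article states, and it is only an indicator, since entry times can be set to anything.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the two OOXML property parts (these URIs are part of the standard).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = {"title": "dc:title", "subject": "dc:subject", "creator": "dc:creator",
               "keywords": "cp:keywords", "description": "dc:description",
               "last_modified_by": "cp:lastModifiedBy", "revision": "cp:revision",
               "created": "dcterms:created", "modified": "dcterms:modified"}
APP_FIELDS = ["Template", "TotalTime", "Pages", "Words", "Characters", "Application",
              "DocSecurity", "Lines", "Paragraphs", "Company", "AppVersion"]
OFFICE_ZIP_TIME = (1980, 1, 1, 0, 0, 0)   # entry time Word wrote for every part in Listing 3

# Constructed sample parts (values from Table 2; TotalTime/DocSecurity raw values assumed).
CONTENT_TYPES_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/docProps/core.xml" '
    'ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
    '<Override PartName="/docProps/app.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/>'
    '</Types>')
CORE_XML_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s" '
    'xmlns:xsi="%(xsi)s"><dc:title></dc:title><dc:subject></dc:subject>'
    '<dc:creator>Christopher Sampson</dc:creator><cp:keywords></cp:keywords>'
    '<dc:description></dc:description><cp:lastModifiedBy>%(who)s</cp:lastModifiedBy>'
    '<cp:revision>1</cp:revision>'
    '<dcterms:created xsi:type="dcterms:W3CDTF">2013-06-09T10:34:00Z</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">2013-06-09T10:35:00Z</dcterms:modified>'
    '</cp:coreProperties>')
APP_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Properties xmlns="%(ep)s"><Template>Normal.dotm</Template><TotalTime>1</TotalTime>'
    '<Pages>1</Pages><Words>4</Words><Characters>24</Characters>'
    '<Application>Microsoft Macintosh Word</Application><DocSecurity>0</DocSecurity>'
    '<Lines>1</Lines><Paragraphs>1</Paragraphs><ScaleCrop>false</ScaleCrop>'
    '<Company>TRC Data Recovery Ltd</Company><LinksUpToDate>false</LinksUpToDate>'
    '<CharactersWithSpaces>27</CharactersWithSpaces><SharedDoc>false</SharedDoc>'
    '<HyperlinksChanged>false</HyperlinksChanged><AppVersion>14.0000</AppVersion>'
    '</Properties>') % NS
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>Constructed sample text.</w:t></w:r></w:p></w:body></w:document>')


def build_sample_docx(last_modified_by, office_style=True):
    """office_style=True mimics Word's fixed 1980-01-01 entry times; False mimics a package
    that was unzipped, edited and re-zipped with an ordinary archiver (current timestamps)."""
    parts = [("[Content_Types].xml", CONTENT_TYPES_XML),
             ("docProps/core.xml", CORE_XML_TEMPLATE % dict(NS, who=last_modified_by)),
             ("docProps/app.xml", APP_XML), ("word/document.xml", DOCUMENT_XML)]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts:
            if office_style:
                zi = zipfile.ZipInfo(name, date_time=OFFICE_ZIP_TIME)
                zi.compress_type = zipfile.ZIP_DEFLATED
                zf.writestr(zi, xml.encode("utf-8"))
            else:
                zf.writestr(name, xml.encode("utf-8"))   # ZipInfo gets the current local time
    return buf.getvalue()


def extract_docx_metadata(docx_bytes):
    """Read the same core/app properties ExifTool reports, directly from the XML parts."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        core = ET.fromstring(zf.read("docProps/core.xml"))
        app = ET.fromstring(zf.read("docProps/app.xml"))

    def text(root, path):
        el = root.find(path, NS)
        return None if el is None else (el.text or "")

    return {"core": {k: text(core, p) for k, p in CORE_FIELDS.items()},
            "app": {k: text(app, "ep:" + k) for k in APP_FIELDS}}


def container_anomalies(docx_bytes):
    """Heuristic (my assumption): entry times other than 1980-01-01 suggest re-packaging."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.date_time != OFFICE_ZIP_TIME:
                findings.append("%s: zip entry time %s, expected 1980-01-01 00:00:00"
                                % (info.filename, info.date_time))
    return findings


if __name__ == "__main__":
    for label, pkg in (("as written by Word", build_sample_docx("Christopher Sampson")),
                       ("edited and re-zipped", build_sample_docx("Somebody Else", office_style=False))):
        meta = extract_docx_metadata(pkg)
        print(label, "->", meta["core"]["last_modified_by"], container_anomalies(pkg) or "no anomalies")
```

The core fields come back as the raw XML strings, so created/modified are the W3CDTF values Table 2 shows in its Content column, while ExifTool reformats them as 2013:06:09 10:34:00Z.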
Table 2. Metadata reported by ExifTool compared with the XML tags inside the unzipped docx (cells marked "(not shown)" did not survive extraction)
ExifTool Output | File | XML tag | Content
Title: | ./docProps/core.xml | <dc:title> | N/A
Subject: | ./docProps/core.xml | <dc:subject> | N/A
Creator: Christopher Sampson | ./docProps/core.xml | <dc:creator> | Christopher Sampson
Keywords: | ./docProps/core.xml | <cp:keywords /> | N/A
Description: | ./docProps/core.xml | <dc:description /> | N/A
Last Modified By: Christopher Sampson | ./docProps/core.xml | <cp:lastModifiedBy> | Christopher Sampson
Revision Number: 1 | ./docProps/core.xml | <cp:revision> | 1
Create Date: 2013:06:09 10:34:00Z | ./docProps/core.xml | <dcterms:created xsi:type="dcterms:W3CDTF"> | 2013-06-09T10:34:00Z
Modify Date: 2013:06:09 10:35:00Z | ./docProps/core.xml | <dcterms:modified xsi:type="dcterms:W3CDTF"> | 2013-06-09T10:35:00Z
Template: Normal.dotm | ./docProps/app.xml | <Template> | Normal.dotm
Total Edit Time: 1 minute | ./docProps/app.xml | <TotalTime> | (not shown)
Pages: 1 | ./docProps/app.xml | <Pages> | 1
Words: 4 | ./docProps/app.xml | <Words> | 4
Characters: 24 | ./docProps/app.xml | <Characters> | 24
Application: Microsoft Macintosh Word | ./docProps/app.xml | <Application> | Microsoft Macintosh Word
Doc Security: None | ./docProps/app.xml | <DocSecurity> | (not shown)
Lines: 1 | ./docProps/app.xml | <Lines> | 1
Paragraphs: 1 | ./docProps/app.xml | <Paragraphs> | 1
Scale Crop: No | ./docProps/app.xml | <ScaleCrop> | false
Company: TRC Data Recovery Ltd | ./docProps/app.xml | <Company> | TRC Data Recovery Ltd
Links Up To Date: No | ./docProps/app.xml | <LinksUpToDate> | false
Characters With Spaces: 27 | ./docProps/app.xml | <CharactersWithSpaces> | 27
Shared Doc: No | ./docProps/app.xml | <SharedDoc> | false
Hyperlinks Changed: No | ./docProps/app.xml | <HyperlinksChanged> | false
App Version: 14.0000 | ./docProps/app.xml | <AppVersion> | 14.0000
Template : Normal.dotm
Total Edit Time : 1 minute
Pages : 1
Words : 4
Characters : 24
Application : Microsoft Macintosh Word
Doc Security : None
Lines : 1
Paragraphs : 1
Scale Crop : No
Company : TRC Data Recovery Ltd
Links Up To Date : No
Characters With Spaces : 27
Shared Doc : No
Hyperlinks Changed : No
App Version : 14.0000
Title :
Subject :
Creator : Christopher Sampson
Keywords :
Description :
Last Modified By : Somebody Else
Revision Number : 1
Create Date : 2013:06:09 10:34:00Z
Modify Date : 2013:06:09 10:35:00Z
Preview Image : (Binary data 9500 bytes, use -b option to extract)
SUMMARY
ON THE WEB
https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/mdls.1.html (Mac OS X developer man page for the mdls tool)
http://www.sno.phy.queensu.ca/~phil/exiftool/
Chris Sampson is director of UK based data recovery company TRC Data Recovery Ltd. Chris has worked within the
area of data recovery for over 10 years, producing tools and
techniques for the recovery of lost information from all manner
of different operating systems and file types. TRC Data Recovery Ltd primarily provide data recovery services but also
produce software tools for Microsoft Windows and Apple Mac
OS X to aid in data recovery and related matters. Chris is actively involved in research and development projects based
upon the indexing of file types for the purpose of examination,
repair and retrieval of these items from deleted and otherwise
missing states. Current projects include research into the recovery of fragmented multimedia and document files where
no file system information relevant to the files location or fragmented status exists.
DEMYSTIFYING
METADATA
by Mark Garnett
SOURCES OF METADATA
Whether a document has been edited for a substantial period of time, or whether it has been created by cutting and pasting the contents of one document into another new document.
The metadata for Office files is embedded within the file and as a result travels with the document from place to place. Metadata is therefore a rich source of information, as it is not as volatile as other file attributes such as the file dates and times maintained by the operating system (i.e. created, last written and last accessed dates).
INTERPRETING METADATA
It is one thing to find metadata; however, it is another matter entirely to accurately and impartially report on the meaning of metadata. As experts, we are commonly called upon to undertake an analysis for the purposes of court litigation and it is extremely important that we see metadata for what it is, not for what our client(s) want it to be. As a result, I have outlined some commonly sought-after metadata attributes below, along with their meaning and common issues associated with their interpretation:
This metadata attribute is available for all documents created with Office applications and is simply the date that a particular document was created. Care should be taken when interpreting this date as it may prove to be misleading if not fully explained. For example, if a Word document was created in 2010 and then saved using the Save As feature in 2012, then the newly saved document will rightly have a created date in 2012, regardless of where the document was saved (i.e. saving the document over the old document or to a different location). Whilst the new document's created date is technically accurate, it does not paint a true picture as to when the document containing the original relevant information was actually created. If a client were to be presented with this information, they may form the incorrect conclusion that the document was created after the fact in 2012 rather than contemporaneously in 2010. This information can also be important when determining if a user has provided you with the actual document sought, or a copy of the original document created using the Save As command. There are examples of persons admitting to the theft of IP material and subsequently agreeing to return the material, only to have returned copies of the original documents rather than the documents themselves.
Revision Number
Put simply, this is the date and time that a user last saved the document. It is important to note that this date is not updated if a user simply opens a document, makes no changes and then saves the document. This date, quite logically, is updated when a user creates a new copy of a document using the Save As command as well as when a user makes changes and saves the document using the Save command.
METADATA ANALYSIS
Metadata can be analysed using commonly available forensic applications such as EnCase (Guid
The examination and interpretation of metadata and the subsequent presentation of results is one of the most common tasks most practitioners perform. The accurate interpretation, along with a thorough knowledge of those circumstances that cause metadata values to change, is of paramount importance when presenting this information.
There are commercial tools that allow for the relatively easy analysis of document metadata; however, there are low-cost alternatives, such as hex editors, and the means also exists for an examiner to develop their own tool tailored to their specific needs.
CONCLUSION
Whilst the names and values contained within document metadata attributes appear, prima facie, to be self-explanatory, it is clear that there is generally a history (or story) behind each attribute that provides information as to the life of a document. Is it the original document or a copy, when was the earliest time that a document could have been created and how long did it take to create, are all questions that can be answered by looking beyond the metadata value itself. An examiner wields considerable power when presenting metadata results to clients, for without considerable explanation, it is easy to see how a client can misinterpret a metadata value and, as a result, draw an incorrect conclusion with respect to a document.
EXTRACTING AND
USING METADATA FOR
A DIGITAL FORENSIC
INVESTIGATION
A STEP-BY-STEP PROCESS
by Marc Bleicher
in was the date, time, and geotag metadata. Fortunately for me, privacy mode was off and location services were turned on when the images were taken. I recorded the metadata and then ran the geotag coordinates through Google Maps. The coordinates for each of the 14 images were the very office building we were in. Through a great deal of additional research and analysis I was then able to figure out that 11 of the images were taken on various different elevators throughout the building. Fortunately, we had surveillance cameras in each of our elevators, so using a combination of surveillance footage and the metadata from the pictures I was able to place this individual in the elevator, proving he did in fact take the photos. I matched the location, date and time of the images to the video footage date and time and, of course, his image in the footage. For the other three pictures I was able to use the metadata from the phone and correlate that with RFID logs that tracked employee movement in the building based on their ID badges.
INTRODUCTION
BODY
EXIF View extracted the metadata from the image and below is the metadata:
Scenario
I took a very nasty piece of malware, a Remote Access Tool (RAT), which I identified during an investigation. This file was not originally packed, so I used UPX, a popular malware packer, to pack the file myself. I then used the three tools listed above to extract various pieces of metadata that would be helpful during an intrusion investigation.
PEiD
CONCLUSION
Metadata analysis is an important part of any forensic investigation. This article only scratches the surface of the various different types of files and metadata that exist. There is no one single technique or tool to use when conducting metadata analysis. How you proceed depends on what data you're after and the most efficient tool and process to obtain it. There is also quite a bit of useful metadata in other file types, including Microsoft Office documents, PDFs, markup language files such as HTML and XML, and email headers. For now, I hope I've helped you learn the basics so you will be able to successfully extract data in your next investigation.
METADATA: VIEWING
THE TREES IN SPITE OF
THE FOREST
by Robert Reed
In its broadest and simplest definition, metadata is data about data. What exactly does that mean? Well, like most things, that depends on your perspective. There are two potential avenues to gather metadata. First, there are those things that are external to the file, things like file system data, MAC times, ACLs, ownership information, and transactional logs. This type of metadata is clearly outside the file's content. The second avenue to gather metadata is internal to the file. This type of metadata is stored inside the file as a function of file or file format standards. Most people will immediately think of Microsoft Office files or EXIF and geo-tagging information in JPEG images. There are many file formats that have standards for storing data about the file inside the file itself.
Some advocate, that metadata is
any information about a file to the ex-
INTRODUCTION
First, let's look at some common external metadata and how it may be of assistance in investigations. For the purposes of this section, we will limit this discussion to log files, subscriber information, and, in the mobile arena, call data records. These records are metadata in the sense that they are not files that directly contain the content, but describe how that content was transferred between disparate systems; thus meeting the loose definition of metadata, data about data.
Log Files
Log files can take many different forms. When configured appropriately, they are created whenever one system somehow communicates with another system. Things like event logs, firewalls, proxies, and intrusion detection and prevention systems (IDS/IPS) all catalog information about the interactions of systems. These logs are of particular interest when looking at intrusion and similar hacking-style cases. They are also often critical in incidents
An individual is a prospective state-sponsored intruder. His target is the intellectual property of a major military contractor of a rival nation. It is likely that he has several zero-day exploits at his disposal. He has
RAM: the further from the time of the event the intrusion is discovered, the less likely it is that evidentiary information still resides in RAM. Persistence need not be established because the intruder has already made off with the information wanted or needed.
Think of how difficult it would be to discover that someone had broken into your home by sliding open an unlocked window, taken a picture of something inside your home, and left without removing or touching anything. When you get home, nothing is missing and everything is right where you left it. In the case of zero-day exploits the problem is even worse; it is much like having a master key. You do not need to leave an attack vector like an unlocked door or window. An intruder can circumvent the lock with his unknown exploit and gain entry at his leisure. Persistence is not needed because all your stuff (servers and Internet addresses) is typically going to be in the same place tomorrow that it is today. The same exploit can be used tomorrow that was used today. The best way for the intruder to be discovered is to start making changes to things. The more things changed (new files or services), the more likely it is that the target discovers that something is amiss. The increased scrutiny on the part of the target may then reveal the intruder's valuable zero-day and allow it to be mitigated or patched.
Where is information about the exploit to be found? Since it is not making direct changes to the disk or its programs, the data will reside only in RAM, log files, metadata, and possibly the page/swap file. The swap file presents us with a couple of problems. With the increase of 64-bit systems and large amounts of RAM, there is more of a possibility that the actions never get paged out to the swap file. Also, the further out in time we go, the better the chance that the actions have been overwritten in swap. So we are left with metadata in the form of system and event logs on the local machine. Logs on the local machine are suspect because they may have been altered. This leaves us with transactional, IDS and IPS logs residing on other systems.
REFERENCES
CONCLUSION
TOP 10 METADATA
CONSIDERATIONS FOR
NETWORK SECURITY
by Brian Contos
01
There are multiple rules and regulations regarding the collection of data. For example, many European countries such as France and Germany have strong privacy laws that limit what can be captured. Note, however, that even in countries with strong privacy laws it doesn't necessarily mean that metadata cannot be collected. Some multinational businesses that I've worked with utilize technological solutions to collect data automatically and convert it into metadata, but they don't leverage humans to analyze it unless it is security incident-driven.
Whatever method or technology is used, it must be vetted by legal counsel and in line with organizational policies. It may also require updating employees regarding privacy expectations and general employee awareness surrounding the how and why of the data collection. Without these steps, metadata collection may be considered illegal or contrary to organizational perspectives on monitoring. Simply put: get permission.
02
Encrypted network traffic is becoming more common. In most organizations it accounts for 20-40 percent of the packets and this number is trending up. The great majority of advanced threats utilize encryption to bypass security controls, facilitate command and control activity and steal sensitive data. As such, understanding how encrypted network traffic is going to be addressed is an important variable to consider.
While some high-level information can still be collected even when encryption is being used (source and destination IP addresses, certificate information, etc.), for it to be of any significant value the information must be decrypted. Fortunately there are a number of network security solutions that are purpose-built for real-time decryption that organizations can invest in. These solutions essentially operate in the network path, where encrypted data goes in one end and decrypted data comes out the other for analysis by whatever security solutions need visibility. In addition to purpose-built solutions, there are a number of firewall, proxy and related vendors that offer decryption. If you are serious about network security metadata you need to get serious about decryption solutions too.
03
There are several types of metadata that are applicable to network security. For years Security Information and Event Management (SIEM) solutions took center stage with their ability to ingest logs, events and alerts from disparate assets throughout the network. These systems could capture thousands of logs a second and are still an important part of network security.
Over the last few years Security Intelligence and Analytics (SIA) solutions, often called SIEM for packets or big data security solutions, have become increasingly common. Instead of thousands of logs a second, they are designed to collect millions of packets, flows and sessions a second. Because of the volume, velocity and variety of the packets, solutions designed to collect metadata off the wire at the packet level need to be able to operate with lossless collection on 2, 10 and even 40 gig networks. When it comes to the analytics phase, item 8 in this article, an analyst looking at the metadata results will be at an extreme disadvantage if the packets are missing, files cannot be reconstructed and sessions cannot be followed. The net: you can't analyze it if it didn't get captured.
04
Equally important to collecting the data is being able to store it. Metadata is usually used for a combination of real-time and forensic analysis. But even in real-time analysis, stored metadata can improve the analytical process in terms of event scoring, prioritization, history and impact analysis. With millions of events a second crossing the wire, the packets must be able to flow over the Ethernet and into the storage system. This is another area where it's not of use if it's not there.
When looking at solutions, ensure that stored network metadata is indexed across a wide number of parameters so it can later be quickly retrieved. Because there are thousands of network applications, each with hundreds of attributes, it is important to leverage a solution that is extensible enough to store the packets, break them down into disparate pieces of metadata, and utilize indexing to make it useful after the fact.
05
06
07
something malicious. This is a bit like a photograph. Within the IPS interface, by pivoting from the alert to a SIA solution that contains all of the raw packets and metadata, it is like going from a still frame to the entire movie, since it contains all information before, during and after the alert. This type of integration is a must-have for the robust and cost-effective use of metadata. Time and money can be saved because the integration between disparate security solutions greatly reduces the amount of time it takes to discover and remediate an incident and perform root cause analysis. Your solution should do this by keying off metadata attributes such as source and destination IPs, ports, time stamps and hundreds of other variables. Besides IPS, solutions such as SIEM, log management, firewalls and anti-malware can all benefit from integration with solutions that are focused on raw packet collection and metadata.
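To make the "still frame to movie" pivot concrete, the following Python is an added example, not code from the article or from any vendor product: it indexes a handful of constructed flow records by host and by source/destination pair (the indexing item 04 above calls for), and, given an IPS-style alert carrying a timestamp and a 5-tuple, returns the sessions before, during and after the alert between the two hosts, plus the full timeline for the alerted host. The flow-log format, the FlowIndex class, the addresses and the sample_alert values are all assumptions made for this demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not from the article): one session per line, the kind
# of export a packet-capture/metadata store produces. Fields: start time, src IP,
# src port, dst IP, dst port, protocol, bytes transferred.
FLOW_LOG = """\
2013-06-09T10:30:05Z 10.0.0.5 51022 203.0.113.7 443 tcp 812
2013-06-09T10:31:40Z 10.0.0.5 51023 203.0.113.7 443 tcp 1920
2013-06-09T10:33:10Z 10.0.0.9 40001 10.0.0.20 445 tcp 5400
2013-06-09T10:34:00Z 10.0.0.5 51024 203.0.113.7 443 tcp 72100
2013-06-09T10:34:30Z 10.0.0.5 51025 198.51.100.3 80 tcp 640
2013-06-09T10:36:15Z 10.0.0.5 51026 203.0.113.7 443 tcp 980
2013-06-09T10:50:00Z 10.0.0.5 51027 203.0.113.7 443 tcp 300
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": parse_ts(ts), "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def sample_alert():
    """Constructed IPS-style alert: the attributes an alert typically carries."""
    return {"ts": parse_ts("2013-06-09T10:34:00Z"), "src": "10.0.0.5", "sport": 51024,
            "dst": "203.0.113.7", "dport": 443, "signature": "constructed-signature-name"}


class FlowIndex:
    """Index flows by the attributes an alert carries, so a pivot is a lookup rather
    than a scan of the whole store."""

    def __init__(self, flows):
        self.flows = sorted(flows, key=lambda f: f["ts"])
        self.by_host = defaultdict(set)     # ip -> indices of flows it took part in
        self.by_pair = defaultdict(set)     # (src, dst) -> indices
        for i, f in enumerate(self.flows):
            self.by_host[f["src"]].add(i)
            self.by_host[f["dst"]].add(i)
            self.by_pair[(f["src"], f["dst"])].add(i)

    def pivot(self, alert, window=timedelta(minutes=5)):
        """Sessions between the two hosts of the alert within +/- window: the session
        the alert fired on ("during") and what happened around it (either direction)."""
        t = alert["ts"]
        pair = (alert["src"], alert["dst"])
        out = {"before": [], "during": [], "after": []}
        for i in sorted(self.by_pair[pair] | self.by_pair[pair[::-1]]):
            f = self.flows[i]
            if abs(f["ts"] - t) > window:
                continue
            if (f["src"], f["sport"], f["dst"], f["dport"]) == (
                    alert["src"], alert["sport"], alert["dst"], alert["dport"]):
                out["during"].append(f)
            elif f["ts"] < t:
                out["before"].append(f)
            else:
                out["after"].append(f)
        return out

    def host_timeline(self, ip, t, window=timedelta(minutes=5)):
        """Everything the host talked to around t, regardless of peer."""
        return [self.flows[i] for i in sorted(self.by_host[ip])
                if abs(self.flows[i]["ts"] - t) <= window]


def bytes_to_peer(pivot_result, peer):
    """Total bytes of the pivoted sessions whose destination is `peer`."""
    return sum(f["bytes"] for part in pivot_result.values() for f in part if f["dst"] == peer)


if __name__ == "__main__":
    index = FlowIndex(parse_flows(FLOW_LOG))
    alert = sample_alert()
    movie = index.pivot(alert)
    for phase in ("before", "during", "after"):
        for f in movie[phase]:
            print(phase, f["ts"].isoformat(), f["src"], f["sport"], "->", f["dst"], f["dport"], f["bytes"])
    print("total bytes to", alert["dst"], bytes_to_peer(movie, alert["dst"]))
```

In the constructed data the alerted session is one 72 KB transfer, but the pivot shows two small connections to the same host just before it and another just after, which is the kind of context (possible beaconing, then a bulk transfer) that a single alert record cannot convey. Indexing by host and by pair is what keeps this a cheap lookup on a store holding millions of sessions.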
08
09
10
CONCLUSION
Brian Contos, CISSP, VP and Chief Information Security Officer within Blue Coat's Advanced Threat Protection Group
Brian builds successful security companies and has had multiple IPOs and acquisitions. He is a published author, seasoned business executive with a proven record of success and a recognized security expert with 20 years of experience. He has worked with Global 2000 companies and government organizations in 45 countries across six continents. Brian authored two books, including Enemy at the Water Cooler: Real-Life Stories of Insider Threats and Physical and Logical Security Convergence, which he co-authored with former NSA Deputy Director William Crowell. He is an invited speaker at leading industry events like RSA, Interop, AusCERT, Infosecurity Europe and GFIRST and has written for and been interviewed by industry and business press such as CBS News, Bloomberg, Forbes, NY Times, USA Today and the London Times. Brian was formerly the WW VP of field engineering at Solera Networks, senior director for emerging markets at McAfee, chief security strategist at Imperva, chief security officer at ArcSight, and director of engineering at Riptech. In addition, he has held security positions at Bell Laboratories and the Defense Information Systems Agency (DISA). Brian is a Ponemon Institute Distinguished Fellow and graduate of the University of Arizona.
METADATA: What
It Is and Why You
Should Care
by Johnette Hassell, Ph.D., CEDS and Jack Molisani
ABOUT ELECTRONICALLY STORED INFORMATION
WHAT IS METADATA?
When electronic devices store information, the files used normally contain the information itself (such as a digital photograph) plus additional information about what is stored in the file. For example, the time a photo was taken and other information is typically stored along with the actual photo.
This additional information is called metadata, because it is data about the data.
Word processing documents may contain information about the last edit, as WordPerfect does, or about the username of the document's creator, as Microsoft Word does.
Metadata, however, is not limited
to files in a computer or camera. The
US and the UK say they werent col-
You may know that the metadata in documents contains easy-to-see information such as the name of the author, the company name, and certain dates. We say "easy to see" because you can see and even change that information from within the program.
To see a simple example of this information, open a Microsoft Word 2003 or 2007 document and select Properties from the File menu. A dialog similar to Figure 1 will appear showing some of this information, such as the document Title and Author. For Microsoft Word 2010, select the Info tab on the File menu (Figure 2).
A document created on a corporate PC might display more information, such as the company name and the name of a corporate template (if any). See Figure 2 for a typical example.
While you may have known you can change what appears in the Author field, you may not know that the metadata often includes hidden information, such as the names of previous authors who edited the document and the names of the printers used to print the document.
To see the remainder of the metadata stored in a Word file:
In Microsoft Word, select Open... from the File menu.
From the Files of type drop-down list, select Recover Text from Any File (*.*) and then select and open a Word document, as seen in Figure 3.
When the file opens, page down to the bottom of the file to see metadata such as the following (what you see will vary): Figure 4.
In Figure 4, above, you can see the name the document originally had (Administrative details 305 198.doc) and where it was located (on a machine with user name Johnette Hassell).
Figure 5 shows this document was then saved under a new name (Administrative details 305.doc) in a folder on a different computer (E:\cs305.fall.01 on the computer named hassell).
There is more information you can recover, but this gives a good example of the type of data Microsoft Word stores. Such information might be critical evidence in a lawsuit, where the metadata might show how an accused party saved a company's design document to an external hard drive, edited it on a home PC, then edited it again on a computer at his/her new (and competing) employer.
DIGITAL PHOTOGRAPHS
COPY MACHINES
SMARTPHONES
turned on, make continuous changes to their storage areas. If your organization is faced with litigation, immediately consult with your corporate attorney and a reputable eDiscovery or computer forensic specialist about the best way to preserve all your ESI, including metadata.
If you are an attorney in litigation, be aware of metadata in your client's productions and include metadata in your requests for production. The federal rules of discovery are clear about metadata, but state rules may vary. See the Kroll Ontrack [7] and K&L Gates [8] websites for up-to-date information on individual states' rules.
Metadata may have much to tell someone interested in your business. One real estate attorney handled lucrative casino properties. Many of his clients did not want others to know of their interest in such properties. Unfortunately, the attorney used a boilerplate proposal document, repeatedly saving it under different clients' names. The metadata revealed the names of interested parties going back several years, and many of those clients were competitors.
First, exercise caution when sharing any documents you work with, especially when sharing them with people outside your organization. Can you remove metadata or otherwise protect it from prying eyes? There are tools that can do this, to a certain extent [6]. But don't forget there is also embedded metadata, data that is harder to change.
PRESERVE METADATA
Since ESI is easily changed by even simple, innocent acts such as opening a file or booting a computer, special care is needed in managing ESI. Preserving the original media (such as a memory card from a camera, the hard drive(s) from a computer, or the files in a smartphone) is the best way to preserve data. The process of ensuring the integrity of potential evidence is known as maintaining chain of custody.
Other than the original media itself, currently the best way to preserve electronic media is for a forensic specialist to make a valid forensic image [9], an exact bit-by-bit copy of the item in question. Such images preserve everything on the media (including all metadata) and are regularly accepted in court proceedings as valid evidence. There are numerous tools for making such images. Using appropriate tools, these images can be examined without worry about changing the original evidence.
REFERENCES
[1] http://bucks.blogs.nytimes.com/2010/06/01/why-photocopiers-have-hard-drives/?_r=0
[2] http://bucks.blogs.nytimes.com/2010/05/20/the-identity-theft-threat-from-copiers/?scp=1&sq=copier&st=cse
[3] http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml
[4] http://gizmodo.com/5901430/these-breasts-nailed-anonymous-hacker-in-fbi-case
[5] http://www.dailymail.co.uk/news/article-2129257/Higinio-O-Ochoa-III-FBI-led-Anonymous-hacker-girlfriend-posts-picture-breasts-online.html
[6] http://en.wikipedia.org/wiki/Metadata_removal_tool
[7] http://www.krollontrack.com/resource-library/rulesand-statutes/ (Double click on desired state.)
[8] http://www.ediscoverylaw.com/promo/state-districtcourt-rules/
[9] Demystifying Computer Forensics, Louisiana State Bar Association, J. Hassell, Ph.D. and S. Steen, December 1999.
Dr. Johnette Hassell has 30 years' experience in computer-related litigation support. A retired computer science professor, she is a court-recognized expert in computer forensics, eDiscovery, computer science, and data recovery. She is a Certified eDiscovery Specialist, and serves on the Association of Certified eDiscovery Specialists (ACEDS) exam and exam preparation committees. Her work is published in law and technical journals and she is a highly sought-after lecturer in CLE courses. As President and CEO of Electronic Evidence Retrieval, Dr. Hassell provides consulting services ranging from early case assessment through testimony: http://www.ElectronicEvidenceRetrieval.com.
Jack Molisani is a Computer Engineer with almost 30 years' experience in software engineering, technical communication, and eDiscovery/computer forensics. He is a Fellow of the Society for Technical Communication and the Executive Director of The LavaCon Conference on Digital Media and Content Strategies: http://lavacon.org.
EXIV2
ExifTool
Some Examples
exiftool -a -u -g1 a.jpg (Print all meta information in an image, including duplicate and unknown tags, sorted by group (for family 1))
exiftool -common dir (Print common meta information for all images in dir)
exiftool -T -createdate -aperture -shutterspeed -iso dir > out.txt (List specified meta information in tab-delimited column form for all images in dir to an output text file named out.txt)
exiftool -s -ImageSize -ExposureTime b.jpg (Print ImageSize and ExposureTime tag names and values)
exiftool -l -canon c.jpg d.jpg (Print standard Canon information from two image files)
exiftool -r -w .txt -common pictures (Recursively extract common meta information from files in pictures directory, writing text output to .txt files with the same names)
exiftool -b -ThumbnailImage image.jpg > thumbnail.jpg (Save thumbnail image from image.jpg to a file called thumbnail.jpg)
exiftool -b -JpgFromRaw -w _JFR.JPG -ext NEF -r . (Recursively extract JPG image from all Nikon NEF files in the current directory, adding _JFR.JPG for the name of the output JPG files)
exiftool -d "%r %a, %B %e, %Y" -DateTimeOriginal -S -s -ext jpg . (Print formatted date/time for all JPG files in the current directory)
exiftool -IFD1:XResolution -IFD1:YResolution image.jpg (Extract image resolution from EXIF IFD1 information (thumbnail image IFD))
exiftool "-*resolution*" image.jpg (Extract all tags with names containing the word Resolution from an image)
exiftool -xmp:author:all -a image.jpg (Extract all author-related XMP information from an image)
exiftool -xmp -b a.jpg > out.xmp (Extract complete XMP data record intact from a.jpg and write it to out.xmp using the special XMP tag (see the Extra tags in Image::ExifTool::TagNames))
exiftool -p "$filename has date $dateTimeOriginal" -q -f dir (Print one line of output containing the file name and DateTimeOriginal for each image in directory dir)
exiftool -ee -p "$gpslatitude, $gpslongitude, $gpstimestamp" a.m2ts (Extract all GPS positions from an AVCHD video)
exiftool -icc_profile -b -w icc image.jpg (Save complete ICC_Profile from an image to an output file with the same name and an extension of .icc)
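The commands above all rely on exiftool to do the decoding. To show what exiftool is actually reading when it reports DateTimeOriginal or the GPS tags that Marc Bleicher's geotag walk-through earlier in the issue depends on, here is an added Python example (not part of the article or of the ExifTool project) that parses the APP1/Exif segment of a JPEG by hand: it locates the TIFF header, honours its byte order, walks IFD0, the Exif sub-IFD and the GPS sub-IFD, and converts the degree/minute/second rationals to signed decimal coordinates. The build_sample_jpeg helper, the camera make and the coordinates are constructed for the demonstration; the timestamps reuse the page's sample values.

```python
import struct

# Tag names for the three IFDs walked here (subset of the EXIF 2.3 tables).
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}
EXIF_TAGS = {0x9003: "DateTimeOriginal"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude", 0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
EXIF_IFD_POINTER, GPS_IFD_POINTER = 0x8769, 0x8825
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per element, by TIFF type

def _decode(endian, typ, count, raw):
    if typ == 2:                                   # ASCII, NUL-terminated
        return raw.split(b"\0", 1)[0].decode("ascii", "replace")
    if typ in (5, 10):                             # RATIONAL / SRATIONAL pairs
        nums = struct.unpack(endian + ("II" if typ == 5 else "ii") * count, raw)
        return [(nums[i], nums[i + 1]) for i in range(0, 2 * count, 2)]
    if typ in (3, 4, 9):                           # SHORT / LONG / SLONG
        vals = struct.unpack(endian + {3: "H", 4: "I", 9: "i"}[typ] * count, raw)
        return vals[0] if count == 1 else list(vals)
    return raw                                     # BYTE / UNDEFINED: leave as bytes

def parse_tiff(t):
    """Walk IFD0 plus the Exif and GPS sub-IFDs of a TIFF structure; return {name: value}."""
    if t[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF header")
    endian = "<" if t[:2] == b"II" else ">"
    magic, ifd0 = struct.unpack(endian + "HI", t[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    tags = {}

    def read_ifd(off, names):
        (n,) = struct.unpack(endian + "H", t[off:off + 2])
        for i in range(n):
            e = off + 2 + 12 * i                   # each entry: tag, type, count, value/offset
            tag, typ, count = struct.unpack(endian + "HHI", t[e:e + 8])
            size = TYPE_SIZE.get(typ, 1) * count
            if size <= 4:                          # value fits in the entry itself
                raw = t[e + 8:e + 8 + size]
            else:                                  # value lives at a TIFF-relative offset
                (voff,) = struct.unpack(endian + "I", t[e + 8:e + 12])
                raw = t[voff:voff + size]
            if tag == EXIF_IFD_POINTER:
                read_ifd(_decode(endian, 4, 1, raw), EXIF_TAGS)
            elif tag == GPS_IFD_POINTER:
                read_ifd(_decode(endian, 4, 1, raw), GPS_TAGS)
            else:
                tags[names.get(tag, "0x%04X" % tag)] = _decode(endian, typ, count, raw)

    read_ifd(ifd0, IFD0_TAGS)
    return tags

def parse_jpeg_exif(jpeg):
    """Locate the APP1/Exif segment of a JPEG and parse it; {} if the file carries none."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        (marker,) = struct.unpack(">H", jpeg[pos:pos + 2])
        if marker in (0xFFD9, 0xFFDA):             # EOI / start of scan: no more headers
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # includes its own 2 bytes
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return parse_tiff(jpeg[pos + 10:pos + 2 + length])
        pos += 2 + length
    return {}

def gps_to_decimal(tags):
    """Turn the degree/minute/second rationals into signed decimal degrees (lat, lon)."""
    def dms(rats, ref):
        d, m, s = [n / den if den else 0.0 for n, den in rats]
        val = d + m / 60 + s / 3600
        return -val if ref in ("S", "W") else val
    if "GPSLatitude" not in tags or "GPSLongitude" not in tags:
        return None
    return (dms(tags["GPSLatitude"], tags.get("GPSLatitudeRef", "N")),
            dms(tags["GPSLongitude"], tags.get("GPSLongitudeRef", "E")))

def _ifd(entries, base):
    """Serialise one little-endian IFD at TIFF offset `base`; long values go in a data area after the table."""
    table_len = 2 + 12 * len(entries) + 4
    table, data = struct.pack("<H", len(entries)), b""
    for tag, typ, count, val in entries:
        if len(val) <= 4:
            table += struct.pack("<HHI", tag, typ, count) + val.ljust(4, b"\0")
        else:
            table += struct.pack("<HHII", tag, typ, count, base + table_len + len(data))
            data += val
    return table + struct.pack("<I", 0) + data    # trailing 0: no next IFD

def build_sample_jpeg():
    """Constructed input (SOI + APP1/Exif + EOI, no image data). Camera make and
    coordinates are made up; the timestamps reuse the page's sample values."""
    rat = lambda pairs: b"".join(struct.pack("<II", n, d) for n, d in pairs)
    gps = [(0x0001, 2, 2, b"N\0"), (0x0002, 5, 3, rat([(51, 1), (30, 1), (252, 100)])),
           (0x0003, 2, 2, b"W\0"), (0x0004, 5, 3, rat([(0, 1), (7, 1), (2856, 100)]))]
    exif = [(0x9003, 2, 20, b"2013:06:09 10:34:00\0")]
    ifd0 = lambda eo, go: [(0x010F, 2, 5, b"Acme\0"), (0x0132, 2, 20, b"2013:06:09 10:35:00\0"),
                           (EXIF_IFD_POINTER, 4, 1, struct.pack("<I", eo)),
                           (GPS_IFD_POINTER, 4, 1, struct.pack("<I", go))]
    exif_off = 8 + len(_ifd(ifd0(0, 0), 8))       # IFD0 sits right after the 8-byte header
    gps_off = exif_off + len(_ifd(exif, exif_off))
    tiff = (b"II*\0" + struct.pack("<I", 8) + _ifd(ifd0(exif_off, gps_off), 8)
            + _ifd(exif, exif_off) + _ifd(gps, gps_off))
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Running parse_jpeg_exif on the bytes of a real photograph gives the same DateTime, DateTimeOriginal and GPS values that the exiftool commands above print, with the caveat that this reader deliberately stops at the three IFDs an investigator usually needs; exiftool also handles maker notes, XMP and the thumbnail IFD1 that several of the commands above refer to.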
CONCLUSION
Dr. Sameera de Aliws has over 20 years of experience in Information Technology with emphasis on Information Security
and Consulting arena. Key assignments included security assessments, security architecture, business and systems analysis, and secured network/software design. Client base included public utilities, aerospace, financial institutions, health
maintenance organizations, educations, law prosecutions,
universities, militaries, police, telecommunications providers,
retail, distribution, and manufacturing businesses in both private and government (Local/Global).
METADATA IN DIGITAL
FORENSICS
by Bert Moss
ABOUT METADATA
Simply put, metadata can be described as data about data. This descriptive information can be about a particular data set, object, or resource, including its format and when and by whom it was collected. Metadata can describe either physical or electronic resources. Note: the process of collecting metadata also creates metadata traces.
The essential concept of metadata has existed since the collection of information or data began. An example of this concept can be found in a public library system, where information in library card catalogs serves as a collection management and resource discovery tool
METADATA IN FORENSICS
Note
Keep in mind that the tools listed above, both commercial and free, have far more features than just the analysis/extraction of metadata.
ABOUT THE AUTHOR