October 7th, 2010
Metadata is often referred to as “information about information”: basically, information about the creation, manipulation and storage of the document it refers to. Before the explosion of electronic documents in the business world, nearly all contracts, agreements and business documents were written on paper. Paper contains very little information other than what’s written on it and is often referred to as WYSIWYG, “What You See Is What You Get”. The only metadata that would normally be included is on the page itself, i.e. author, date, signature.
With electronic documents the metadata can contain comprehensive information about the document, including dates and times, author, revision history, the software used to create the document and many other fields. The metadata can be broadly split into two areas:
- External metadata (file dates and times, owner information and access controls, which can be affected by copying, moving and accessing the files)
- Internal metadata (last saved and last printed dates and times, author, revision history, etc.; the internal metadata is not usually affected by copying, moving or transferring the file)
An important aspect of many metadata forensic investigations relates to the dates and times at which a document was created or modified. The date and time values written into the metadata are inherited from the host computer. Therefore, if the date and time of the computer are changed to reflect a different time, any document created or modified on it will inherit the changed date and time.
A good example of how tampering with the dates and times of an important document can affect the metadata was highlighted in a recent case in which a forensic analyst provided testimony to the court.
This case involved a Microsoft Word document that was created to form the basis of a legally binding contract between the two parties. The analyst was asked to carry out initial analysis and testing of the metadata of the documents. This initial analysis focused on the ability to create, edit and print a number of contract documents without changing the created, saved and printed time values in the metadata of the original document. The findings of the initial analysis triggered the other party in the matter to produce a newly discovered document that was claimed to be the original contract template, used to create the disputed contract that had been created in the early summer of 2005. The creator stated this to be the document’s created date, and this was supported by the document’s metadata.
The forensic analyst was engaged to analyse the new document to determine whether its metadata values were correct and reflected the actual date and time of the document template’s creation. Through more research and testing, the forensic analyst established that the date and time information in the metadata fields could be altered by the document creator adjusting the date and time of the computer used to create the document in question.
Therefore it was feasible that the document’s metadata date and time fields could have been manipulated by changing the date and time of the computer to fit the time frame of early summer 2005.
Further analysis of the metadata fields of the Microsoft Word contract template document focussed on a metadata field called “Version”. Whether this field is shown depends on the metadata viewer in use; not all metadata viewing software displays it.
Further testing and research found that this metadata field contained version information relating to the release of the Microsoft Office software that was used to create the document. The findings revealed that if a document is created with Word from the Microsoft Office XP suite the version number starts with 10, with Microsoft Office 2003 it starts with 11, and with Microsoft Office 2007 it starts with 12.
The contract template Word document in question is alleged to have been created in early summer 2005, and the version field contained the value 12. This indicated that the document was created with a version of the Microsoft Word program from the Microsoft Office 2007 software.
This value in the version field created a problem for the document creator: according to the metadata, the contract template was created using the Microsoft Office 2007 software, which was not released until November, 2006. The findings therefore suggest that the document in question was created with a version of the Microsoft Word program that had not been released at the time the document metadata was showing. The metadata dates and times at which the document was created, last saved and last printed were from the early summer of 2005. This was an indicator that the date and time of the computer used to create the contract template document had been changed to reflect the early summer 2005 date.
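The version-against-timestamp check described above can be automated. The following is an added example, not code from the original post or the case: it assumes the document uses the Open XML (.docx) packaging, where the version is stored as `AppVersion` in `docProps/app.xml` (the post does not state the file format), and the sample package is constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import date

# Major version -> earliest release of that Office suite. The 12 entry is the
# November 2006 date given in the article; the 10 and 11 dates are assumptions
# added for this example and should be confirmed against vendor records.
EARLIEST_RELEASE = {10: date(2001, 3, 1), 11: date(2003, 8, 1), 12: date(2006, 11, 1)}

NS = {
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dcterms": "http://purl.org/dc/terms/",
}
STAMPS = {"created": "dcterms:created", "last saved": "dcterms:modified",
          "last printed": "cp:lastPrinted"}

def check_docx(data: bytes) -> list:
    """Return findings where a timestamp predates the creating software."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        app = ET.fromstring(z.read("docProps/app.xml"))
        core = ET.fromstring(z.read("docProps/core.xml"))
    version = app.findtext("ep:AppVersion", default="", namespaces=NS)
    head = version.split(".")[0]
    released = EARLIEST_RELEASE.get(int(head)) if head.isdigit() else None
    if released is None:
        return [f"AppVersion {version!r} not in table; cannot assess"]
    findings = []
    for label, tag in STAMPS.items():
        text = core.findtext(tag, namespaces=NS)
        if text and date.fromisoformat(text[:10]) < released:
            findings.append(f"{label} {text[:10]} predates version {head} release {released}")
    return findings

def make_sample(stamp: str, app_version: str) -> bytes:
    """Constructed minimal package: only the two property parts, one stamp for all fields."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dcterms="{NS["dcterms"]}">'
            f'<dcterms:created>{stamp}</dcterms:created>'
            f'<dcterms:modified>{stamp}</dcterms:modified>'
            f'<cp:lastPrinted>{stamp}</cp:lastPrinted></cp:coreProperties>')
    app = f'<Properties xmlns="{NS["ep"]}"><AppVersion>{app_version}</AppVersion></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()

if __name__ == "__main__":
    print("\n".join(check_docx(make_sample("2005-06-14T09:30:00Z", "12.0000"))))
```

An empty result only means the timestamps are not older than the software; it does not show that they are genuine.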
The importance of metadata in forensic analysis cannot be stressed enough, as it can make or break the case.
Consider what your metadata is revealing about your documents …
This entry was posted on Thursday, October 7th, 2010 at 09:01 and is filed under Thoughts & Comments.
Man Verses Metadata