Digital Evidence Metadata

Digital Evidence Metadata

The term metadata has been creeping from technology circles into public safety over the last 15 years. The reason for that is because of the continued emphasis on technology and digital evidence to capture criminals. Between agency use of digital tools, and criminals use of technology to further their efforts, metadata plays a correspondingly important role in evidence, and in proving guilt or innocence in court. But for the uninitiated, the term still seems like drivel. Today, we aim to provide a basic understanding of digital evidence metadata. But to make sure we start this off as confusing as we possibly can, let’s show you the standard definition of metadata.

Metadata Definition

A set of data that describes and gives information about other data.

It’s like the people who came up with the idea of metadata we’re purposely trying to confuse the public. But one way to get a grasp on what metadata is, is to consider a library card from the Dewey Decimal System. Each card represents one book title, and contains categorical information about that title, to include author, genre, year published, the publishing company, where the book is located within that given library, and so on. The key difference is, that while we can look at a library catalog card physically with relative ease, metadata is hidden within the respective electronic file in question. It takes some technical skill to retrieve metadata, but it is extremely easy to achieve. We’ll continue by explaining digital evidence, as known by the court system in the United States:

Basic Types of Digital Evidence

Courtrooms in the US define digital evidence in three categories:

Machine-based Digital Evidence

With this type of evidence, this evidence that was solely created by a machine, be it a computer, a cell phone, a smart television, a camera, and so on. Whatever the device, it produces digital evidence on its own, that is unique to the device itself. The test of this type of evidence in court is simple, in that it only must be proven that the device was working properly at the time of the evidence it produced. The difficulty is linking that data production to a human. Essentially, putting a person in front of the device, typing, or manipulating. But once the activity has been established, and the person has been tied to it, it’s usually very easy to establish what they’ve done with the analysis of metadata, which serves multiple purposes of explaining what was done, how it was done, and with what device.

Human-created Digital Evidence

The terminology may seem redundant when we look at our previous explanation for machined-based digital evidence. However, what this term is acknowledging is the work of a person who discovers the digital evidence after the fact. This could be a spouse, a neighbor, even a stranger, or a trained professional, most likely with an IT background. By some established means these people have created the basis of a complaint concerning a crime by a person through digital means, and have since supplied that material to us. It’s important to note that the courts will only recognize this information as evidence if it’s presented by the person during proceedings, or accepted by the court under hearsay exception.

Recovered Digital Evidence

This is probably our easiest definition to understand, which is the evidence we recover, or our professional technicians do. Getting back to our human-created digital evidence, the requirements of presenting this evidence is two-fold. One, you need the witness who can attest to this evidence being related to the suspect, and our staff needs to be able to testify to validity of that evidence, including collection methods. Of course, if the scenario involves a personal device of the suspect, and we have the capabilities of putting the device and its use in the suspect’s hands without the corroboration of a third party, that works too, there’s plenty of recent cases where that has happened, particularly with cell phones, as many agencies have invested in their own personnel to recover data immediately off cell phones in the possession of suspects. Examples of Metadata One of the most common forms of digital evidence being introduced into court is email. Emails combine two types of digital evidence, machine-based, and human-created. The headers in an email are machine-based code, whereas the text fill lines are human created. When you combine these two sets of data, it helps form a picture of not only what was communicated, but where it originated from, as the machine-based portions of the email in code are unique to the device they come from. Most people don’t know this, but a true email header contains so much data in fact, that usually, a simple command to unhide it will reveal everything about the email, including where it originated from, down an IP address. That can be useful if the email originates from a unique domain. But, in many cases, use of a service provider like Gmail means that the IP address will simply track back to one of Google’s shared network sites. In those instances, looking at the server name where the email originated from can help narrow down what type of service was used to send the email. One way of finding the server name in the header is to locate a section called “Message-ID.” It will have a unique numerical code attached, which represents the specific email you are looking at, relative to all email sent for that server. The next part of that line of language will have an @ symbol, followed by the server name. For argument’s sake, a general structure might look like “wx258128d.serverhost.local” and that is what we can use to narrow down where the email came from. We can use that server name to find out where it originates from, like a third-party provider of Microsoft enterprise products, like Outlook, or a company that hosts business clients directly. There’s a lot more scenarios that could be discovered, but the point is that this most basic version of metadata, that does not require a search warrant, can be used to narrow down suspect location and identifying information. It won’t necessarily solve the crime or who did the crime. But if this one piece of metadata can give us this much information, imagine what else even more metadata can provide? And the best about metadata is that it’s all used to authenticate. So, if something is wrong with the data itself, a trained expert can point it out right away, but they can also tell what is corrupted and what isn’t, which means that all is not necessarily lost in those instances.

Another common example is photographs. Whether it’s photographs of a crime scene, or photographs of evidence found at a separate location, or photographs of the victim, they all contain metadata, and as such, we need to know where it is and what we can garner from it. For one, most cameras that operate in modern digital principal store GPS data of where each photo is taken. We recently conducted an in-house test using a random sampling of photographs with corresponding written descriptions pulled from the internet. In one notable instance, we found a photograph where the owner was purporting the photograph to be from a specific area of Virginia. We looked at the photo and did not agree with their description. We downloaded the photograph and reviewed the GPS data found within the metadata set of the photograph, and found that the coordinates in the photograph aligned with an area of California. Perhaps the owner wrote the description for a different photo and accidentally placed the photo of California by mistake. But the point is, that the photograph’s metadata told us an accurate, and different story than that of the person retaining the photograph. Imagine how that kind of indisputable information may assist in a criminal investigation. Date and time are also attached to photographs, but we don’t find this data to be reliable, as most cameras have settings where the user can manipulate the actual time and date. Cell phones are harder to do this with, but there are cases where it’s happened. File size of the photograph, and file type also fit into our metadata definition, and then there is Exchangeable Image File Format, or Exif data. We don’t have enough space here to discuss Exif data, we will safe that for another article.

Arsonist Caught by Metadata

In December 2014, detectives with the Philadelphia Police Department arrested Leonard Monroe after a series of bizarre arson attempts, that involved Molotov cocktails being placed between storm doors, and front doors at several rowhouses along East Coulter Street. While the crime itself is rather unusual, how the detectives were able to put it together gives us a peek into the future with metadata. Monroe had developed some sort of disagreement with women who lived at the respective houses, whom he had child in common with. Something that is not known now, is why Monroe had domestic issues with all the women at the same time, nor the odds that the women would all live on the same street. Regardless, what was proven out using metadata, was that Monroe downloaded an app for his cell phone that allows a user to message from their phone with a different phone number tied to the message, rather than the originating number assigned to the cell phone. For victims, especially those involved in domestic quarrels, this can be extremely frightening. Because their abusers can be emboldened to send threats, demean, or otherwise harass their victims. The detectives at PPD were savvy when it came to identifying technology and how it’s use is recorded. They filed subpoenas for records of the number, once they identified the carrier. After that, they discovered that the number in question was linked directly to Monroe’s cell phone. Monroe is currently on trial, so there is only cursory information available on his arrest, but when consider how metadata works, and the information provided concerning how detectives did pinpoint Monroe and his activities through his cell phone, one can see how metadata ultimately tells the story, even if the suspect does not. Keep in mind, Monroe is innocent until proven guilty.


This is a very basic overview of metadata, and though the examples given are few, we hope this introduces the topic of metadata in a controlled and measured way, so that you can take this knowledge and expand upon it on your own. What is clear is that metadata helps us clear up investigative issues, can corroborate certain accounts of actions, and can be used to pinpoint suspect activity, and overall responsibility for a given action. It takes research, reading, and application of that knowledge to get the most out of metadata. Some digital evidence management systems automatically pull metadata from all digital files and make it easily searchable by the user. The more you use metadata, the more you’ll find how it can best work for your agency in your work, even beyond authentication, identification, and elimination.

Be safe out there!

Related Reads