How Forensic Specialists Solve Crime Through Metadata
Data Beyond the Data
As society produces more and more kinds of data, standards have emerged for organizing it. Metadata is information that sits in the background of your files like a signature, and it can hold a great deal of detail. It can show who created the file, on what date, at what time, and even where. This should always concern you, because any data you post online, including your cell phone images, contains this type of information. Posting a simple photo you took at home on your cell phone to Facebook can mean that you have just given the world your private details, including your home address.
Metadata is a term used to describe the information packet attached in the background of your files. To break it down, ‘meta’ means ‘beyond.’ It is a concept that gives meaning to what it is attached to. In other words, it can mean ‘data beyond the data.’ The idea goes back hundreds of years; before computers, it took the form of what we used to know as the card catalog at the library. These cards contained specific information, allowing you to search the library and find the information you sought. It is the same concept on computers and the internet: this background information is what search engines like Google and others dig through to find the data.
Forensic Specialist in Metadata
Today, we think of crime-solving as detectives following a paper trail to solve a mystery, gain information, or solve a crime. But much of today’s data is digitized in some form. It takes highly trained forensic metadata specialists to examine the trail left behind as a digital fingerprint.
Digital files have their own way of identifying the individual who created them. These markers are how forensic specialists put together the details of who made them, when, and where. Here are some examples of the types of data that are hidden in many digital files.
- File Name
- File Extension
- File Size
- Hash Value
- Date Last Accessed
- Date Created
- Date Last Modified
- Application Metadata
- Document Metadata
- File System Data
- Email Metadata
- Embedded Metadata
- User-Added Metadata
- Vendor-Added Metadata
On most computer systems, simply right-clicking on a file will give you ‘get info.’ This action demonstrates how easy it can be to look at the metadata of digital files. The returned information should be a display that contains the file’s signature or fingerprint. It can include all the data mentioned above.
Depending on the document or file being created, some applications let you change the metadata recorded on what you produce. That is the metadata the user can access and often change, but a large portion of metadata about the user’s actions is recorded in many other areas of the system. Subsystems and other applications record metadata elsewhere in the system, and forensic specialists compare these records to spot inconsistencies. Locating the data held in subsystems generally requires a highly trained professional.
Trails Left as Clues
Forensic specialists can dig deep and find trails of digital signatures left as clues to what was initially stored on a computer. Some criminals, and others acting for privacy reasons, will attempt to cover up, remove, or modify any metadata attached to their digital files. You can review the article EXIF Data Can Talk if you would like to remove metadata such as GPS locations from your photograph or image files.
An expert in computer forensics would be able to do a deep dive into the files of a system and discover if any metadata has been tampered with or removed. By comparing data from a larger batch of files, an expert will notice any significant inconsistencies in the data and know if something is amiss. The data experts can tell when the data was modified, and most likely by whom.
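The batch comparison described above can be sketched in a few lines. This is an added example, not code from the original article: it collects the file-system items from the list earlier (name, extension, size, hash value, dates) for a constructed three-file batch and flags two disagreements. The two heuristics and the `embedded` dates standing in for application-recorded metadata are assumptions made for illustration.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone
from pathlib import Path

UTC = timezone.utc

def fs_record(path: Path) -> dict:
    """Collect the file-system metadata items listed above for one file."""
    st = path.stat()
    return {
        "name": path.name,
        "extension": path.suffix.lower(),
        "size": st.st_size,
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "modified": datetime.fromtimestamp(st.st_mtime, UTC),
        "accessed": datetime.fromtimestamp(st.st_atime, UTC),
    }

def find_inconsistencies(records, embedded_created):
    """Flag records whose metadata sources disagree (heuristics are assumptions)."""
    findings, seen = [], {}
    for rec in records:
        created = embedded_created.get(rec["name"])
        # Content cannot be authored after the file was last written.
        if created and created > rec["modified"]:
            findings.append((rec["name"], "embedded creation date is later than last-modified time"))
        # Same bytes under another name: a copy or a rename.
        first = seen.setdefault(rec["sha256"], rec["name"])
        if first != rec["name"]:
            findings.append((rec["name"], f"same content as {first}"))
    return findings

def demo():
    """Build a constructed three-file batch and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        batch = {"report.doc": (b"quarterly figures", datetime(2023, 3, 1, tzinfo=UTC)),
                 "notes.txt": (b"meeting notes", datetime(2023, 1, 10, tzinfo=UTC)),
                 "holiday.jpg": (b"quarterly figures", datetime(2023, 3, 2, tzinfo=UTC))}
        for name, (data, mtime) in batch.items():
            p = Path(d, name)
            p.write_bytes(data)
            os.utime(p, (mtime.timestamp(), mtime.timestamp()))
        # Constructed stand-in for dates an application stored inside each file.
        embedded = {"report.doc": datetime(2023, 2, 20, tzinfo=UTC),
                    "notes.txt": datetime(2023, 6, 5, tzinfo=UTC)}
        records = [fs_record(Path(d, n)) for n in sorted(batch)]
        return find_inconsistencies(records, embedded)
```

Calling `demo()` returns one finding for `notes.txt` (its embedded date is later than its last write) and one for `report.doc` (same bytes as `holiday.jpg`).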
Forensic Imaging
A technique often used to study the changes made to metadata is to create a mirror image duplicate of the hard drive. This method is commonly referred to as Forensic Imaging. All analysis is performed on the duplicate data. This way, the original data or drives are preserved for possible future research or further investigations.
Creating a forensic image requires that a bit-by-bit, sector-by-sector copy be made of the original physical storage drive. This copy will include all files, folders, and even the free or slack space available. These forensic images include far more than the data currently visible to the operating system. They also give details on deleted files and pieces of data left behind in the free space.
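The sector-by-sector copy can be illustrated with a small sketch. This is an added example, not code from the original article or from any imaging product: the "drive" is a constructed four-sector in-memory buffer (an assumption, so it runs without a real device), and the hash taken during acquisition is used afterwards to confirm that the image is an exact duplicate.

```python
import hashlib
import io

SECTOR = 512  # bytes per sector on the constructed source

def image_source(src, dst, sector=SECTOR):
    """Copy src to dst sector by sector; return (sectors copied, SHA-256 of bytes read)."""
    digest, count = hashlib.sha256(), 0
    while True:
        block = src.read(sector)
        if not block:
            break
        dst.write(block)       # every sector is copied, allocated or not
        digest.update(block)   # hash exactly what was read from the source
        count += 1
    return count, digest.hexdigest()

def verify_image(image, expected_hex, sector=SECTOR):
    """Re-read the finished image and confirm it matches the acquisition hash."""
    digest = hashlib.sha256()
    image.seek(0)
    for block in iter(lambda: image.read(sector), b""):
        digest.update(block)
    return digest.hexdigest() == expected_hex

def build_constructed_disk():
    """Constructed 4-sector 'drive': one live file plus a remnant in free space."""
    live = b"LIVE FILE: invoice.txt".ljust(SECTOR, b"\x00")
    empty = bytes(SECTOR)
    remnant = b"deleted draft contents".ljust(SECTOR, b"\x00")
    return io.BytesIO(live + empty + remnant + empty)

def demo():
    """Image the constructed drive, verify it, then show that a change is detected."""
    src, img = build_constructed_disk(), io.BytesIO()
    sectors, acquired = image_source(src, img)
    intact = verify_image(img, acquired)
    # The remnant belongs to no live file, yet the sector-level image still holds it.
    remnant_found = b"deleted draft" in img.getvalue()
    img.seek(0)
    img.write(b"X")  # simulate a one-byte alteration of the copy
    return sectors, intact, remnant_found, verify_image(img, acquired)
```

`demo()` returns `(4, True, True, False)`: four sectors copied, the image verifies, the free-space remnant is present, and a single changed byte makes verification fail.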
Forensic imaging is just one tool in the computer investigation toolbox. Computer investigators use a variety of analysis techniques to gather evidence presented by legal representatives in a court of law. A variety of software packages and applications can be used to create this type of forensic image of the content of a system or digital files.
Some applications will create an image backup, but these are not complete copies of the device. Specialized forensic software is used to be sure that the image created for the study is complete. For those who are not certified specialists, there are free disk imaging tools that can be used to create duplicates of the data, which can later serve as a backup in case of a significant loss.
One of the best free imaging backup applications available is the AOMEI Backupper. This application is easy to use for both beginners and experienced users. This user-friendly application offers options including imaging disk drives, partitions, and entire systems. It also includes file and folder backups. One of the top features of this free software application is that it offers an option for encrypting your data. It provides a variety of options for larger backups: sector optimization, shadow copying, GPT disk, and UEFI boot support. GPT, or GUID Partition Table, is a description of the physical layout of the partition tables on a physical storage device. UEFI, or Unified Extensible Firmware Interface, refers to the standardization of the software interface between operating systems and platform firmware. The AOMEI Backupper also includes differential and incremental backup modes. It offers a great deal of functionality for a free program, including features not covered in many costly backup software packages.
There are several different types of free system backup software applications, but not all are created equal. Windows creates image backups, but these are not complete copies of the physical device, and some data, files, and metadata can be lost or corrupted.
CyberCrime
Many forensic data detectives use their skills to solve cybercrimes. This work is done through a thorough investigation of the metadata and files within a given system. Additional evidence is often discovered that the user or criminal thought they had deleted. The incriminating data can be recovered with forensic or file recovery software unless the data is removed and the partition overwritten with new data.
Digital forensics follows the same definitions of evidence as other forensic principles, such as Edmond Locard’s exchange rule. The law states, “Whenever two objects come in contact, a transfer of material occurs.” For example, when a killer enters and subsequently departs a crime scene, the attacker could leave blood, DNA, latent prints, hair, and fibers or pick up such evidence from the victim. The concept applies to digital evidence, as well. Metadata, registry keys, and log files are equivalent to courtroom evidence, such as fingerprints or fibers.
Experts are trained to follow the types of data left behind by the user. The way a user utilizes information and communication technology can provide clues to the identity of the user. It can contain direct metadata information that can identify the user by name, geographical location, and types of files created or modified. Even if the data is altered, forensic criminologists are trained to understand the psychology behind how information is used. According to the UNODC (United Nations Office on Drugs and Crime), the digital footprint or evidence trail can help these experts learn “information about them, including age, gender, race, ethnicity, nationality, sexual orientation, thoughts, preferences, habits, hobbies, medical history and concerns, psychological disorders, employment status, affiliations, relationships, geolocation, routines, and other activities.”
The data obtained can also be content, which itself reveals the user. Content data can include written communications or even spoken words in audio or video format. These files can lead investigators to text messages, emails, and the user’s social media content. Even the digital data stored by gaming consoles, which are computer systems, can reveal a great deal of information about the users of that system. The device users leave a digital trail of names, email addresses, credit card data, internet browsing history, and other varied content sources.
For instance, gaming consoles, which operate like personal computers, store personal information about users of the devices (e.g., names and email addresses), financial information (e.g., credit card data), Internet browsing history (e.g., websites visited), images, and videos, among other data. This type of data has been used by experts to solve and prove cases of child sexual exploitation and of the transfer of online child sexual abuse materials.
Other forms of smart technology, digital devices, and home appliances that interact with the Internet of Things, or IoT, can provide the information needed to solve crimes. One notable recent development has been presenting in court cases the data collected by home gadgets like the Amazon Echo with Alexa voice service. Evidence from an Amazon Echo was entered into court when attempting to solve a murder case in the United States (Maras and Wandt, 2018). Charges were ultimately dropped, but the case demonstrated that digital data as a form of evidence can come from many sources and from new digital technologies used in American homes and homes worldwide.
Ultimately, an electronic trail of content and metadata can be consequential in solving crimes and finding criminals who have left behind their digital fingerprints. The technology that we use every day, including our computers, our smart appliances, and even gaming systems, keeps track of our activities. As an advanced culture of humans, we should learn more about the technology we use and how it tracks our behaviors, identities, and other personal information. On the one hand, we need to be very cautious about the metadata released to the public for privacy reasons; on the other, we need to be aware of how it can be used against us in a court of law. Hopefully, any activities we do are not considered criminal, but this data can be used for a variety of legal reasons. In the case reported by Maras and Wandt, the data obtained helped prove the innocence of the person being charged. It is up to forensic specialists to be wary of how the data can be manipulated, altered, or corrupted, to keep from making mistakes in the courtroom that could allow some criminals to go free, or of how it could even be purposely used to set up an innocent individual. Learning all you can about your electronic trail can help you understand what information you are sending out in the world about yourself, your life, your family, and your home.