What is Metadata?
Metadata is often described as “data about data” and is used to provide information about a specific file or document. Computer forensics experts use metadata to understand what activities were transpiring on a digital device such as a computer. Most metadata fields are hidden and not easily seen or accessible by the end user. Sometimes individuals make an effort to alter or purge metadata. When a person tries to cover his or her tracks by tampering with metadata, inconsistencies across various metadata points can sometimes reveal clues of evidence tampering or destruction of crucial discovery. Only an expert skilled in forensic examinations has the necessary skills and experience to testify credibly in a court of law about computer evidence tampering. It is important that you retain a skilled and experienced forensic expert to preserve the metadata through forensic imaging or other industry accepted forensic methods and perform the necessary metadata analysis for your matter.
Examples of metadata include
- File name
- File extension
- File size
- Hash value
- Date last accessed
- Date created
- Date last modified
Common types of metadata
- Application metadata
- Document metadata
- File System metadata
- Email metadata
- Embedded metadata
- User-Added metadata
- Vendor-Added Metadata
A complete description and examples of each type of metadata are available in The Sedona Conference® Commentary on Ethics & Metadata.
Metadata is important no matter what type of investigation you are involved in. For example, electronic medical records metadata is crucial when investigating whether a medical practitioner altered a patient’s medical record to reflect information that isn’t accurate. A more detailed analysis of metadata’s role in healthcare is available in “Electronic Medical Records: Metadata as Evidence in Litigation” an Illinois bar article co-authored by Lee Neubecker, President of Forensicon.