What Evidence is Obtained Through Computer Forensics?
By Todd L. Dietrich and Gregory Fordham
(Page 2)
1. Understanding Normal Files and Their "Meta-Data"
Although system files and application files are routinely used during a forensic examination to assist in painting an overall picture, the likely files of interest are going to be user-created and not related to the system or applications. Most forensic tools are capable of using one or more hash databases to sort out known system and application files and eliminate them from the examination. Doing so saves time both in initial processing and during the analysis.
What is metadata?
The clichéd definition is “data about data”. However, understanding what metadata is, and what it can provide you to possibly help win your case, is a bit more complex. Metadata can be considered biographical information about the file, as it is unique to that file. Metadata will fall into one of two categories: internal or external.
External metadata is actually stored by, and in, the file system, not the file itself. While this information is often referred to as metadata, a more accurate description would be file system data. The common analogy about the file system is that it is like the card catalog in a library. The analogy is commonly used because it is very accurate. A card in the card catalog will relay the title of a book and its location in the library. The card will also provide additional information about the book including the author, date of publication, total pages, whether the book is fiction, historical, reference or children's, etc., and there may even be a very brief description of the book. Likewise, an entry about a file in the file system will contain very similar information.
You can view this data by right-clicking on a file in Windows Explorer. You will see an option to view the file's properties; clicking it opens a dialog with a General tab. The information available on the General tab will be the same for all files, no matter the type. As can be seen in the picture below, this information includes the file type, which application opens the file, its location, its size both logically and physically, its Modified, Access and Create (MAC) dates and its attributes.
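The following is an added example (not from the original article) that collects exactly this file system data for each file in a directory and, as described at the top of this section, drops files whose hash matches a known system or application file. The directory, the three files and the "known" hash set are all constructed inline; a real examination would use a published hash database and a forensic image rather than a live file system.

```python
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone

def sha256_of(path, chunk=1 << 16):
    """Hash the file in chunks so large evidence files never load whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def external_metadata(path):
    """The 'card catalog' fields the file system keeps about a file, not the file's own content."""
    st = os.stat(path)
    utc = lambda ts: datetime.fromtimestamp(ts, timezone.utc).isoformat()
    blocks = getattr(st, "st_blocks", None)  # POSIX only: 512-byte allocation units
    return {
        "name": os.path.basename(path),
        "logical_size": st.st_size,
        "physical_size": blocks * 512 if blocks is not None else st.st_size,  # Windows: no st_blocks
        "modified": utc(st.st_mtime),
        "accessed": utc(st.st_atime),
        "created_or_changed": utc(st.st_ctime),  # creation on Windows, inode change on POSIX
        "attributes": stat.filemode(st.st_mode),
        "sha256": sha256_of(path),
    }

def triage(root, known_hashes):
    """Walk the tree and keep only files whose hash is absent from the known-file set."""
    kept = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            meta = external_metadata(os.path.join(dirpath, name))
            if meta["sha256"] not in known_hashes:
                kept.append(meta)
    return kept

def demo():
    """Constructed sample: two stand-ins for known system/application files and one user file."""
    root = tempfile.mkdtemp()
    samples = {"system.dll": b"SYSTEM BINARY", "app.exe": b"APP BINARY", "memo.doc": b"user memo"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    known = {hashlib.sha256(samples[n]).hexdigest() for n in ("system.dll", "app.exe")}
    return triage(root, known)  # only memo.doc survives the known-file filter
```

Note that merely running a script like this against a live disk updates the Access date of every file it reads, which is why examiners work from a write-blocked image rather than the original drive.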
In addition to the General tab described above, some files also contain additional tabs. In the case of Microsoft Office, one of these tabs is a Custom tab. Users can insert custom properties which can be viewed here, or if an external document management program is used, this tab can be used to view information stored by that program. An overview of this tab can be seen in the picture below.
Many types of files, including all of the Microsoft Office file types, contain a Summary tab. The Summary tab is where you can view some of the internal metadata in a file. This tab contains a "Simple" view which contains a minimal amount of information, such as the title and author and some additional fields. This information can be seen in the picture to the right.
The Advanced view provides considerably more details about the file, and is the most complete collection of internal metadata that can be viewed without specialized tools. In addition to the Title, Subject, and Template used, the information available here includes such things as numerous types of counts, the Windows user account that authored the file, the Windows user account that last saved the file, the revision number, and the company to which the application is registered. Also displayed are some dates that are internal to the file and not tied to the file system. These include the actual date the file was created and the last time it was edited. A snapshot of the information available from the Advanced view can be seen below.
Other types of metadata include special data stored within a file that is hidden from normal view. This type of data is actually called embedded data, and is also considered metadata. It can be data that an author has deleted, but which is kept just in case they want to undelete it. It may be the formula in a cell of a spreadsheet. It may be a macro. It could be marked changes in the draft of a document. None of this data would be visible or present in a printed copy of the file. However, it does exist, and is part of the file itself.
Information contained in the headers of emails is also a type of metadata. This usually consists of message tracking information that accompanies an email message. The headers might identify the sender's Internet Protocol (IP) address and the mail client used. This is often some of the most important evidence with regard to emails, and it will not be present in printed copies of an email message. In order to view this information, you must obtain the evidence electronically, preferably in a forensically sound manner.
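As an added example (not part of the original article), the script below pulls the two items just mentioned, the sender's IP address and the mail client, out of a raw message's headers. The message is constructed for illustration using RFC 5737 documentation addresses and a made-up X-Mailer string; only the Received lines stamped by servers you control are trustworthy, since anything beneath them could have been written by the sender.

```python
import email
import re

# Constructed sample message (RFC 5737 documentation addresses); not from any real mailbox.
RAW_MESSAGE = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
    by mx.example.com with ESMTP id abc123
    for <jane@example.com>; Tue, 05 Mar 2013 10:22:41 -0500
Received: from [192.0.2.33] (pool-192-0-2-33.isp.example [192.0.2.33])
    by mail.example.net with ESMTPA id xyz789;
    Tue, 05 Mar 2013 10:22:39 -0500
From: John Doe <john@example.net>
To: jane@example.com
Subject: Re: proposal
Date: Tue, 05 Mar 2013 10:22:38 -0500
X-Mailer: Microsoft Office Outlook 12.0

Thanks, I will send the revised draft tonight.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw):
    """Return the Received hops in transit order (first hop = the sender's handoff)."""
    msg = email.message_from_string(raw)
    hops = []
    # Each relay prepends its own Received line, so the top one is the last hop; reverse it.
    for hdr in reversed(msg.get_all("Received") or []):
        text = " ".join(str(hdr).split())  # unfold continuation lines
        ip = IPV4.search(text)
        by = re.search(r"\bby\s+(\S+)", text)
        hops.append({
            "from": re.search(r"^from\s+(\S+)", text).group(1),
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "authenticated": " with ESMTPA" in text,  # ESMTPA = the client used SMTP AUTH
        })
    return hops

def originating_ip(raw):
    """IP recorded by the first relay, i.e. the address the sender's client connected from."""
    chain = received_chain(raw)
    return chain[0]["ip"] if chain else None

def mail_client(raw):
    """Software that composed the message, if it identified itself."""
    msg = email.message_from_string(raw)
    return msg.get("X-Mailer") or msg.get("User-Agent")
```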
Which files contain metadata?
All files have at least external metadata, or as described above, file system data. Almost all files, excluding plain text, or .txt files, have some level of internal metadata. The file types associated with Microsoft Office, .doc, .xls and .ppt, are renowned for having numerous metadata fields.
What types of information can be found in metadata?
Beyond the easily visible data described above, Microsoft Office files contain several metadata fields that can only be retrieved with specialized tools. These fields include among other things: the last Windows user account to actually edit the file, the last Windows user account to even view the file. Yes, simply viewing a Microsoft Office document will change internal metadata and thus alter the file. A “simple viewing” means opening and closing the file with no changes whatsoever. The image to the right shows the capture of the metadata for the same file used in the above examples.
2. What You Can Learn From E-Mail, Appointments, Contacts and Journal Entries
Email, Appointment, Contact and Journal entries are all components of Microsoft Outlook, and all can reveal information that may not be found elsewhere. For instance, if you use a typical e-discovery vendor to harvest all the emails from the computer of your client's former employee who just left to join the competition, you will get his emails. However, if he was extremely fastidious in cleaning any traces of his contact with the competition from his inbox, sent items and deleted folders, you'd come up empty-handed. You'd probably miss that he had the competition's CEO in his contacts.
Or let's say the opposing side produces just his emails from the computer he is now using at the new company. You might completely miss the fact that he has your client's entire contact list loaded in Outlook on that computer. It is rather simple to create a .pst file with just contacts, slip it on a USB storage device, or store it in his Gmail account, using some free tools that are available which allow you to turn a Gmail account into a 2-3GB online storage repository. Once he's at the new company, he accesses and downloads the .pst file from Gmail. He then imports the .pst into his current Outlook and just like that, he's got all his contacts from his old company.
The broader point here is to truly focus on the systems and programs being used, and to use them to your advantage. If Outlook is being used, there is a wealth of information available beyond just emails. It may not be relevant; on the other hand, it may contain traces of the all-important smoking gun. You'll never know if you ask only for the emails.