Unlocking System Metadata
Gregory L Fordham
March 2009
Metadata continues to be a subject of considerable interest. While many practitioners are familiar with what is known as application metadata, they are less familiar with system metadata.
Application metadata is found within the documents themselves. It is created by the applications that are used to create and manage those documents.
System metadata, on the other hand, is created by the computer system on which documents are created and managed. System metadata is found in files that are separate and distinct from the documents.
There are numerous types of system metadata. The most common include things like file system information, event logs, file pointers, and deleted file data.
File System Information
If computer documents are like books in a library, then the file system is like the card catalog. The file system, therefore, contains various attributes about the files on a computer such as names, locations, types, and date stamps.
When system metadata is discussed, this is the kind of metadata that is usually meant. Understanding these date stamps and other attributes can provide considerable insight into the lives of particular files as well as how a computer was used.
Event Logs
Event logs are created by the operating system. Various programs may also create their own kind of logs.
Event logs created by the operating system are lists reflecting that certain actions occurred. At the time these actions are logged, the date and time when they occurred is also captured.
When these date stamps are ordered in the sequence in which they were entered in the event log, analysts can spot out-of-sequence date stamps and instances when the system clock was changed.
Thus, event logs are important system metadata that not only show how the computer was used but also whether there are any periods during which date stamps should be considered suspect.
Event log metadata can therefore betray spoliation schemes as well as other weaknesses in date stamp reliability.
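The out-of-sequence check described above, written out as an added example (this is not code from the original article). It walks a constructed list of event records in record-number order, reports every point where the logged time runs backwards, and derives the ranges of logged time during which the clock was set back, so that any file date stamp falling inside such a range can be flagged as suspect. The record numbers and times are constructed sample data, and the ISO-8601 strings stand in for whatever form the real log stores.

```python
from datetime import datetime

# Constructed sample event log: (record number, logged time) in the order the
# records were written. Record numbers, not time stamps, give the true order.
SAMPLE_EVENTS = [
    (101, "2009-03-02T09:00:00"),
    (102, "2009-03-02T09:05:00"),
    (103, "2009-03-02T09:10:00"),
    (104, "2008-11-15T14:00:00"),  # clock set back between records 103 and 104
    (105, "2008-11-15T14:20:00"),
    (106, "2009-03-02T09:12:00"),  # clock restored
    (107, "2009-03-02T09:30:00"),
]


def _ordered(events):
    """Return (record number, datetime) pairs sorted by record number."""
    return sorted(((rec, datetime.fromisoformat(ts)) for rec, ts in events),
                  key=lambda e: e[0])


def find_clock_anomalies(events):
    """Report every point where the logged time runs backwards in record order.

    Each anomaly holds the last stamp before the jump and the first stamp after it.
    """
    anomalies = []
    ordered = _ordered(events)
    for (prev_rec, prev_ts), (rec, ts) in zip(ordered, ordered[1:]):
        if ts < prev_ts:
            anomalies.append({"after_record": prev_rec, "record": rec,
                              "from": prev_ts, "to": ts})
    return anomalies


def suspect_windows(events):
    """Return (start, end) ranges of logged time produced while the clock was set back.

    A window opens at the first backward stamp and closes at the last stamp
    written before the logged time again reaches the pre-jump value.
    """
    ordered = _ordered(events)
    windows = []
    i = 1
    while i < len(ordered):
        prev_ts, ts = ordered[i - 1][1], ordered[i][1]
        if ts < prev_ts:
            j = i
            while j + 1 < len(ordered) and ordered[j + 1][1] < prev_ts:
                j += 1
            windows.append((ts, ordered[j][1]))
            i = j + 1
        else:
            i += 1
    return windows


def is_suspect(stamp, windows):
    """True if a date stamp (ISO string or datetime) falls inside a suspect window."""
    if isinstance(stamp, str):
        stamp = datetime.fromisoformat(stamp)
    return any(start <= stamp <= end for start, end in windows)


if __name__ == "__main__":
    for a in find_clock_anomalies(SAMPLE_EVENTS):
        print(f"clock went back after record {a['after_record']}: {a['from']} -> {a['to']}")
    for start, end in suspect_windows(SAMPLE_EVENTS):
        print(f"stamps between {start} and {end} should be treated as suspect")
```

A forward jump in time is not reported, since a machine that was simply switched off produces one; only a backward jump is evidence that the clock was changed. Stamps inside a window are not proven false, they are merely unreliable, which is the distinction the article draws.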
File Pointers
File pointers come in a variety of forms. The most common form is the link file—files with the LNK extension.
Since link files are created whenever documents are opened and viewed, the examination of link files can help to differentiate when files were opened versus simply “touched”.
Although link files are small, they capture useful information about the files that they reference, such as their path and date stamps.
Link files are also an artifact that is often overlooked when files are deleted. Thus, searching for unmatched link files (links whose referenced documents no longer exist) is an effective means of proving spoliation.
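An added example, not code from the original article, showing the two uses of link files just described: reading the target's path-independent date stamps and size out of a link file's fixed header, and cross-referencing a set of link files against a file system listing to find unmatched links. The 76-byte ShellLinkHeader layout (header size, CLSID, flags, attributes, three FILETIMEs for the target's creation, access and write times, then file size) follows the public MS-SHLLINK specification; the target path is assumed to have been extracted already by a full link parser and is passed in alongside the header bytes. All link files, paths and date stamps here are constructed sample data.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_HEADER_LEN = 0x4C  # 76-byte ShellLinkHeader
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# HeaderSize, CLSID, LinkFlags, FileAttributes, CreationTime, AccessTime, WriteTime,
# FileSize, IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
_HEADER_FMT = "<I16sIIQQQIIIH2sII"


def _ft_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def _dt_to_ft(dt):
    d = dt - _EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_lnk_header(data):
    """Read the referenced file's date stamps and size from a ShellLinkHeader."""
    (size, clsid, _flags, _attrs, ctime, atime, wtime, fsize,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(_HEADER_FMT, data, 0)
    if size != LNK_HEADER_LEN or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    return {"target_created": _ft_to_dt(ctime), "target_accessed": _ft_to_dt(atime),
            "target_written": _ft_to_dt(wtime), "target_size": fsize}


def build_lnk_header(created, accessed, written, size):
    """Construct a minimal header carrying the given target stamps (sample data only)."""
    return struct.pack(_HEADER_FMT, LNK_HEADER_LEN, LNK_CLSID, 0, 0x20,
                       _dt_to_ft(created), _dt_to_ft(accessed), _dt_to_ft(written),
                       size, 0, 1, 0, b"\x00\x00", 0, 0)


def cross_reference(links, listing):
    """Classify each link file against a file system listing.

    links:   {link file name: (target path stored in the link, header bytes)}
    listing: {path present on the volume: its current last-written datetime}
    """
    results = {}
    for name, (target, header) in links.items():
        info = parse_lnk_header(header)
        if target not in listing:
            results[name] = "unmatched"              # referenced document is gone
        elif listing[target] != info["target_written"]:
            results[name] = "modified_after_open"    # changed since the link was written
        else:
            results[name] = "matched"
    return results


def _utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample: three link files and the current listing of the volume.
SAMPLE_LINKS = {
    "budget.xls.lnk": ("C:\\Docs\\budget.xls", build_lnk_header(
        _utc(2009, 1, 5, 8, 0, 0), _utc(2009, 2, 27, 16, 40, 0), _utc(2009, 2, 10, 11, 30, 0), 45056)),
    "memo.doc.lnk": ("C:\\Docs\\memo.doc", build_lnk_header(
        _utc(2009, 1, 5, 8, 5, 0), _utc(2009, 2, 20, 9, 0, 0), _utc(2009, 2, 1, 9, 0, 0), 28672)),
    "notes.txt.lnk": ("C:\\Docs\\notes.txt", build_lnk_header(
        _utc(2009, 1, 6, 10, 0, 0), _utc(2009, 2, 26, 17, 0, 0), _utc(2009, 2, 26, 17, 0, 0), 1024)),
}
SAMPLE_LISTING = {
    "C:\\Docs\\budget.xls": _utc(2009, 2, 10, 11, 30, 0),  # unchanged since last open
    "C:\\Docs\\memo.doc": _utc(2009, 3, 1, 14, 0, 0),      # written after last open
    # notes.txt is absent from the volume: nothing matches its link file
}

if __name__ == "__main__":
    for name, verdict in cross_reference(SAMPLE_LINKS, SAMPLE_LISTING).items():
        print(f"{name}: {verdict}")
```

An "unmatched" verdict is the starting point, not the conclusion: the link keeps the path and stamps the document had when it was last opened, which is what lets an examiner describe a file that is no longer there.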
Deleted File Information
When files pass through the Windows recycle bin, a few pieces of information about those files are captured in either a log known as the INFO2 file or in file pointers. The particular data elements captured include the location where the file was stored and to where it can be restored.
In addition, the date and time of the deletion is captured. In fact, this is the only place where the actual deletion date and time is captured even though it may also be reflected in other system metadata artifacts.
Thus, examination of the INFO2 file and/or deleted file pointers is another good source for spoliation detection.
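A parser for the INFO2 log, added here as an example that is not part of the original article, to show the data elements the section lists (original location, restore location, and the deletion date and time) being read from the file. The layout assumed is the Windows XP-era one documented by forensic tools: a 20-byte header whose fourth dword is the record size, then 800-byte records holding the original path as ANSI at offset 0, the record index, drive number, deletion FILETIME and size at offset 0x104, and the original path again as UTF-16LE at offset 0x118. The INFO2 file parsed is constructed in the block from sample entries; the paths, times and sizes are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

INFO2_HEADER_LEN = 20      # version, two reserved dwords, record size, total size
INFO2_RECORD_LEN = 0x320   # 800-byte records (ANSI path + metadata + Unicode path)
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
_DRIVES = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - _EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_info2(data):
    """Return one dict per record: index, drive, original path, recycler name, deletion time, size."""
    _version, _r1, _r2, record_len, _total = struct.unpack_from("<5I", data, 0)
    records = []
    offset = INFO2_HEADER_LEN
    while offset + record_len <= len(data):
        rec = data[offset:offset + record_len]
        # 0x000: original path, ANSI, NUL-padded to 260 bytes
        ansi_path = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
        # 0x104: record index, 0x108: drive number, 0x10C: deletion FILETIME, 0x114: size
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 0x104)
        # 0x118: original path again as UTF-16LE, 520 bytes
        uni_path = rec[0x118:0x118 + 520].decode("utf-16-le").split("\x00", 1)[0]
        path = uni_path or ansi_path
        ext = path.rsplit(".", 1)[1] if "." in path else ""
        records.append({
            "index": index,
            "drive": _DRIVES[drive],
            "original_path": path,                      # where the file lived and restores to
            "recycler_name": f"D{_DRIVES[drive].lower()}{index}" + (f".{ext}" if ext else ""),
            "deleted_at": filetime_to_datetime(ft),     # the only recorded deletion time
            "size": size,
        })
        offset += record_len
    return records


def _build_record(index, drive_letter, path, deleted_at, size):
    rec = bytearray(INFO2_RECORD_LEN)
    ansi = path.encode("latin-1")[:259]
    rec[:len(ansi)] = ansi
    struct.pack_into("<IIQI", rec, 0x104, index, _DRIVES.index(drive_letter.upper()),
                     datetime_to_filetime(deleted_at), size)
    uni = path.encode("utf-16-le")[:518]
    rec[0x118:0x118 + len(uni)] = uni
    return bytes(rec)


def build_info2(entries):
    """Construct an INFO2 file from (index, drive letter, path, deleted_at, size) tuples."""
    body = b"".join(_build_record(*e) for e in entries)
    header = struct.pack("<5I", 5, 0, 0, INFO2_RECORD_LEN, INFO2_HEADER_LEN + len(body))
    return header + body


# Constructed sample INFO2 contents: two documents sent to the recycle bin.
SAMPLE_INFO2 = build_info2([
    (1, "C", "C:\\Documents and Settings\\user\\My Documents\\budget.xls",
     datetime(2009, 2, 27, 16, 42, 10, tzinfo=timezone.utc), 45056),
    (2, "C", "C:\\Documents and Settings\\user\\My Documents\\memo.doc",
     datetime(2009, 2, 27, 16, 43, 5, tzinfo=timezone.utc), 28672),
])

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print(f"{r['recycler_name']}: {r['original_path']} deleted {r['deleted_at']} ({r['size']} bytes)")
```

The recycler name (Dc1.xls and so on) is how the file appears inside the recycle bin folder, so the record ties the renamed copy back to its original path and to the moment of deletion; a record whose deletion time falls inside a period when the system clock is known to have been changed should be weighed accordingly.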
Summary
In the end, system metadata has considerable evidentiary value. It can validate the accuracy of other date and time stamp metadata and it can betray data hiding and other spoliation schemes.
While application metadata can be obtained simply by requesting documents in native form, system metadata is contained in files that are separate from the documents themselves.
Consequently, in order to receive system metadata, requests must include separate items designed to cover this kind of data.
Since it is very unlikely that system metadata could contain privileged information, that should not be a concern either.