What is metadata?

An excellent, detailed article, “Understanding Metadata” by Craig Ball, gives a thorough description of metadata in MS Office documents and explains two descriptive categories of metadata: system metadata and application metadata.

According to the article, metadata isn’t merely “evidence, typically stored electronically, that describes the characteristics, origins, usage and validity of other electronic evidence”, but rather “the electronic equivalent of DNA, ballistics and fingerprint evidence, with a comparable power to exonerate and incriminate”. Metadata sheds light on the context, authenticity, reliability and dissemination of electronic evidence, as well as providing clues to human behavior.

Almost every active file stored on your computer has some associated metadata. Some metadata may be considered crucial evidence; some is digital clutter. Understanding the different forms metadata takes and the evidentiary significance it holds is fast becoming an essential lawyer skill.

There are two principal strains of metadata: application and system… Application metadata is information typically absent from the printed page and embedded in the file it describes, moving with the file when you copy it. It has a fearsome reputation among lawyers because of its nasty habit of carrying sensitive information, such as deleted text, and who else has seen the document — but it’s that very capacity for holding more than meets the eye that enhances its evidentiary value.
By contrast, system metadata isn’t embedded in the file it describes, but stored externally and used by the computer’s file system to track file locations and store demographics. A file’s name, size, location, path and dates of creation, modification and access are common system metadata fields.

Having both application and system metadata is advantageous because, when metadata is stored both within and outside a file, discrepancies can expose data tampering. There are at least 80 accessible application and system metadata fields tracked for each Microsoft Office document, not including tracked changes, comments and Registry data.

However, electronic evidence lives in an environment that defines it. When metadata from one environment moves to another, it can change in ways such that you can’t assess absent metadata and metametadata from the host system.

Metadata is both evidence and a key to validating and understanding other evidence. Either way, it’s discoverable when potentially relevant.
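
The discrepancy check described above, as an added example that is not taken from Craig Ball's article or from FindProtected: it reads the core properties embedded in an Office Open XML file (.docx, .xlsx, .pptx) and compares them with what the file system records. The function names, the two-minute tolerance, the result codes and the sample file are assumptions made for this illustration.

```python
import os, tempfile, zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/"}

def application_metadata(path):
    """Embedded (application) metadata: core properties inside the OOXML package."""
    with zipfile.ZipFile(path) as pkg:
        root = ET.fromstring(pkg.read("docProps/core.xml"))
    def when(tag):  # assumes UTC timestamps ending in "Z"
        value = root.findtext(tag, namespaces=NS)
        return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None
    return {"creator": root.findtext("dc:creator", namespaces=NS),
            "created": when("dcterms:created"), "modified": when("dcterms:modified")}

def system_metadata(path):
    """External (system) metadata kept by the file system."""
    st = os.stat(path)
    return {"size": st.st_size, "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc)}

def discrepancies(path, tolerance=timedelta(minutes=2)):
    """Return codes for mismatches; each is a lead to examine, not proof of tampering."""
    app, fs = application_metadata(path), system_metadata(path)
    codes = []
    if app["created"] and app["modified"] and app["modified"] < app["created"]:
        codes.append("APP_MODIFIED_BEFORE_CREATED")
    if app["modified"]:
        if fs["modified"] < app["modified"] - tolerance:
            codes.append("FS_MTIME_BEFORE_APP_MODIFIED")
        elif fs["modified"] > app["modified"] + tolerance:
            codes.append("FS_MTIME_AFTER_APP_MODIFIED")  # copied, downloaded or edited by another tool
    return codes

def make_sample(path, created, modified, fs_mtime):
    """Constructed sample: a minimal package holding only docProps/core.xml."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
            '<dc:creator>Constructed Author</dc:creator>'
            '<dcterms:created>%s</dcterms:created><dcterms:modified>%s</dcterms:modified>'
            '</cp:coreProperties>') % (NS["cp"], NS["dc"], NS["dcterms"], created, modified)
    with zipfile.ZipFile(path, "w") as pkg:
        pkg.writestr("docProps/core.xml", core)
    ts = datetime.fromisoformat(fs_mtime.replace("Z", "+00:00")).timestamp()
    os.utime(path, (ts, ts))

if __name__ == "__main__":
    demo = os.path.join(tempfile.mkdtemp(), "constructed.docx")
    make_sample(demo, "2020-01-10T09:00:00Z", "2020-01-15T10:00:00Z", "2020-01-02T08:00:00Z")
    print(discrepancies(demo))
```

Because system metadata changes when a file moves between environments, run the comparison on the original host or a forensic image rather than on a copy.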

This blog is run by the authors of FindProtected.
FindProtected is a security program that allows you to search your network for password-protected and evidential files. With FindProtected, you can easily identify protected files and relocate them if necessary.
