Part 6 Module 2: Digital Evidence & Forensics

Metadata Analysis

📖Reading Time: 20-25 min
📷EXIF Data
🕐Timestamp Analysis

What is Metadata?

Metadata is "data about data" - information that describes the characteristics of a file but is separate from its visible content. In digital forensics, metadata can be more valuable than the content itself, often revealing when, where, how, and by whom a file was created or modified.

💡Forensic Value of Metadata

Metadata can establish timelines, prove authorship, reveal hidden information, detect tampering, and connect devices/locations to criminal activity - often without the creator's knowledge that such information was being recorded.

Types of Metadata

📄 File System Metadata

Created/Modified/Accessed timestamps, file size, permissions, owner, path. Stored by the file system rather than inside the file, so it is rewritten whenever the file is copied, e-mailed or uploaded and must be collected from the original medium.

📷 EXIF Data (Images)

Camera make/model, GPS coordinates, date/time, exposure settings, an embedded thumbnail, often a device serial number. Embedded in JPEG, TIFF, HEIC and RAW files.

📝 Document Metadata

Author name, company, revision history, comments, tracked changes, print history. In Word, PDF, Excel files.

📨 Email Headers

Sender and recipient addresses, the IP addresses and mail servers in the Received: chain, the timestamp each hop added, and authentication results (SPF, DKIM, DMARC). Only the headers added by your own receiving servers can be trusted; everything below them was supplied by the sender and can be forged.

EXIF Data Analysis

EXIF (Exchangeable image file format) data is embedded in photos by cameras and smartphones and is usually carried along, or rewritten, by editing software. It can contain dozens of fields with forensically valuable information.

Key EXIF Fields for Forensics

Field             Forensic Significance
GPS Coordinates   Location the device recorded at capture; absent if location services were off, and editable after the fact
DateTimeOriginal  When the shutter fired, by the camera's own clock; carries no time zone unless OffsetTimeOriginal is also present
Make/Model        Identifies the type of device used
SerialNumber      Unique device identifier, where the maker writes one (often only inside the MakerNote)
Software          Firmware version, or the name of the editor that last saved the file
Thumbnail         Embedded preview; editors sometimes leave it untouched, so it may show the image before cropping or redaction
GPS Privacy Warning

Many people unknowingly share their location when posting photos online. EXIF GPS data from photos shared by suspects can reveal homes, workplaces, and movement patterns. Note that most social networks and messaging apps strip EXIF on upload, so a photo obtained from such a platform with no GPS data does not show that the suspect removed it; seek the original on the device, in a cloud backup, or as an e-mail attachment.
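To show what a tool such as exiftool does under the hood, here is an added example (not part of this module and not any project's code): a minimal Exif reader using only Python's standard library. It builds a constructed JPEG that carries a single Exif APP1 segment with Make, Model and a GPS sub-IFD (the camera name and coordinates are sample values, not from a real photo), walks the TIFF directory structure, and converts the degree/minute/second rationals into signed decimal degrees. The function names are the example's own; the tag numbers come from the Exif specification.

```python
import struct

# Exif tag numbers (from the Exif specification) and bytes per element for each TIFF type
TAG_MAKE, TAG_MODEL, TAG_GPS_IFD = 0x010F, 0x0110, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}

def _entry(tag, typ, count, value_or_offset):
    # One 12-byte IFD entry: tag, type, count, then a 4-byte inline value or data offset
    return struct.pack("<HHI", tag, typ, count) + value_or_offset

def build_sample_jpeg():
    # Constructed sample, not a real photo: SOI + Exif APP1 (Make, Model, GPS 37°46'30"N 122°25'12"W) + EOI
    make, model = b"Canon\0", b"EOS 5D\0"
    ifd0_off = 8
    make_off = ifd0_off + 2 + 3 * 12 + 4          # data area begins right after IFD0
    model_off = make_off + len(make)
    gps_off = model_off + len(model) + 1          # one pad byte keeps the IFD word-aligned
    lat_off = gps_off + 2 + 4 * 12 + 4
    lon_off = lat_off + 3 * 8                     # three 8-byte RATIONALs per coordinate
    tiff = b"II" + struct.pack("<HIH", 42, ifd0_off, 3)       # little-endian header, IFD0 count
    tiff += _entry(TAG_MAKE, 2, len(make), struct.pack("<I", make_off))
    tiff += _entry(TAG_MODEL, 2, len(model), struct.pack("<I", model_off))
    tiff += _entry(TAG_GPS_IFD, 4, 1, struct.pack("<I", gps_off))
    tiff += struct.pack("<I", 0) + make + model + b"\0"       # no next IFD, then string data
    tiff += struct.pack("<H", 4)                              # GPS IFD with 4 entries
    tiff += _entry(GPS_LAT_REF, 2, 2, b"N\0\0\0")             # values of <= 4 bytes sit inline
    tiff += _entry(GPS_LAT, 5, 3, struct.pack("<I", lat_off))
    tiff += _entry(GPS_LON_REF, 2, 2, b"W\0\0\0")
    tiff += _entry(GPS_LON, 5, 3, struct.pack("<I", lon_off))
    tiff += struct.pack("<I", 0)
    tiff += struct.pack("<6I", 37, 1, 46, 1, 30, 1)           # deg, min, sec as num/den pairs
    tiff += struct.pack("<6I", 122, 1, 25, 1, 12, 1)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _exif_tiff(jpeg):
    # Walk the marker segments after SOI; return the TIFF payload of the Exif APP1, or None
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)     # a non-JPEG yields nothing
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # counts its own 2 bytes
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return jpeg[pos + 10:pos + 2 + seg_len]
        pos += 2 + seg_len
    return None

def _parse_ifd(tiff, off, e):
    # Return {tag: (type, count, raw_bytes)} for the IFD at `off`; `e` is "<" or ">"
    (n,) = struct.unpack(e + "H", tiff[off:off + 2])
    entries = {}
    for i in range(n):
        base = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[base:base + 8])
        size = TYPE_SIZES.get(typ, 1) * count
        if size <= 4:                                 # value stored inside the entry
            raw = tiff[base + 8:base + 8 + size]
        else:                                         # entry holds an offset to the value
            (data_off,) = struct.unpack(e + "I", tiff[base + 8:base + 12])
            raw = tiff[data_off:data_off + size]
        entries[tag] = (typ, count, raw)
    return entries

def _ascii(raw):
    return raw.rstrip(b"\0").decode("ascii", "replace")

def _dms_to_decimal(raw, ref, e):
    # Three RATIONALs (deg, min, sec) plus the N/S/E/W reference -> signed decimal degrees
    d, dd, m, md, s, sd = struct.unpack(e + "6I", raw)
    deg = d / dd + m / md / 60 + s / sd / 3600
    return -deg if ref in ("S", "W") else deg

def extract_exif(jpeg):
    # Return Make, Model and decimal GPS position; {} when the image carries no Exif block
    tiff = _exif_tiff(jpeg)
    if tiff is None:
        return {}
    e = "<" if tiff[:2] == b"II" else ">"             # byte order declared by the header
    (ifd0_off,) = struct.unpack(e + "I", tiff[4:8])
    ifd0 = _parse_ifd(tiff, ifd0_off, e)
    out = {name: _ascii(ifd0[tag][2])
           for tag, name in ((TAG_MAKE, "Make"), (TAG_MODEL, "Model")) if tag in ifd0}
    if TAG_GPS_IFD in ifd0:                            # GPS tags live in their own sub-IFD
        (gps_off,) = struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])
        gps = _parse_ifd(tiff, gps_off, e)
        if all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            lat = _dms_to_decimal(gps[GPS_LAT][2], _ascii(gps[GPS_LAT_REF][2]), e)
            lon = _dms_to_decimal(gps[GPS_LON][2], _ascii(gps[GPS_LON_REF][2]), e)
            out["GPSPosition"] = (round(lat, 6), round(lon, 6))
    return out

def strip_exif(jpeg):
    # What a "strip metadata" step does: drop every APP1 segment and keep the rest byte-for-byte
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if jpeg[pos + 1] != 0xE1:
            out += jpeg[pos:pos + 2 + seg_len]
        pos += 2 + seg_len
    return bytes(out) + jpeg[pos:]
```

Real photos put DateTimeOriginal in the Exif sub-IFD (tag 0x8769) and vendor serial numbers inside the MakerNote; the same IFD walk reaches them. strip_exif does what exiftool -all= does on the bonus step of Exercise 6.1: the pixel data is untouched, only the APP1 segment (and with it device and location) is gone, which is why a stripped copy still looks identical but no longer proves anything.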

Document Metadata

Office documents (Word, Excel, PDF) contain rich metadata that can reveal authorship and editing history.

Microsoft Office Metadata

  • Author: Username who created the document
  • Last Modified By: User who last saved the document
  • Company: Organization name from software registration
  • Revision Number: Number of times saved
  • Total Editing Time: Time spent with document open
  • Track Changes/Comments: May contain sensitive deleted text
# Example: Extracting metadata with exiftool
exiftool document.docx

File Name                       : document.docx
Author                          : John Smith
Last Modified By                : Jane Doe
Create Date                     : 2026:01:10 09:15:22
Modify Date                     : 2026:01:14 16:45:33
Revision Number                 : 12
Total Edit Time                 : 4.5 hours
Company                         : ACME Corporation
Application                     : Microsoft Office Word
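The following added example (not from this module or from any office library) reads the same fields from a .docx directly: a .docx is a ZIP archive, and the metadata lives in the XML parts docProps/core.xml and docProps/app.xml. A constructed two-part archive carrying the values from the exiftool listing above stands in for a real document; the names extract_docx_metadata and check_consistency are the example's own. Two things the listing hides: the created and modified values are stored in UTC (note the trailing Z in the XML), so they must be zone-adjusted before being compared with local file-system times, and TotalTime is recorded in minutes (270 here; exiftool renders it as 4.5 hours).

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespaces of the two OOXML property parts (fixed by the ECMA-376 standard)
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed sample parts carrying the values from the exiftool listing; not a real document
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>John Smith</dc:creator><cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy>
<cp:revision>12</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2026-01-10T09:15:22Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2026-01-14T16:45:33Z</dcterms:modified>
</cp:coreProperties>"""
APP_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
<Application>Microsoft Office Word</Application><Company>ACME Corporation</Company>
<TotalTime>270</TotalTime></Properties>"""

def build_sample_docx():
    # A .docx is a ZIP container; only the property parts matter for this example
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", b"<w:document/>")   # placeholder body
    return buf.getvalue()

def _text(root, path):
    node = root.find(path, NS) if root is not None else None
    return node.text if node is not None else None

def _w3cdtf(value):
    # dcterms dates are W3CDTF strings; Office writes them in UTC with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def extract_docx_metadata(data):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = {n: ET.fromstring(z.read(n)) for n in ("docProps/core.xml", "docProps/app.xml")
                 if n in z.namelist()}              # a sanitized file may lack either part
    core, app = parts.get("docProps/core.xml"), parts.get("docProps/app.xml")
    total = _text(app, "ep:TotalTime")
    return {
        "author": _text(core, "dc:creator"),
        "last_modified_by": _text(core, "cp:lastModifiedBy"),
        "revision": int(_text(core, "cp:revision") or 0),
        "created": _w3cdtf(_text(core, "dcterms:created")),
        "modified": _w3cdtf(_text(core, "dcterms:modified")),
        "application": _text(app, "ep:Application"),
        "company": _text(app, "ep:Company"),
        "total_edit_minutes": int(total) if total else None,   # app.xml stores minutes
    }

def check_consistency(meta):
    # Internal cross-checks; each has innocent explanations, so treat hits as leads, not proof
    notes = []
    created, modified, minutes = meta["created"], meta["modified"], meta["total_edit_minutes"]
    if created and modified and modified < created:
        notes.append("modified before created")
    if created and modified and minutes and minutes > (modified - created).total_seconds() / 60:
        notes.append("total editing time exceeds the created-to-modified span")
    if not meta["author"] and not meta["last_modified_by"]:
        notes.append("author fields empty (Document Inspector or a sanitizer may have run)")
    return notes
```

The consistency checks use only the document's own fields, which is what makes them useful when the file-system timestamps are unavailable or untrusted: an editing time longer than the interval between creation and last save cannot come from normal use of Word, and empty author fields on a document with a high revision count are typical of a sanitizer pass.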

Timestamp Analysis

Timestamps are critical in establishing timelines and detecting evidence tampering. Different systems use different timestamp formats and reference points.

Common Timestamp Formats

System            Format                                        Epoch / reference
Unix/Linux        Seconds since epoch (ext4 adds nanoseconds)   Jan 1, 1970 UTC
Windows FILETIME  100-nanosecond intervals                      Jan 1, 1601 UTC
Mac HFS+          Seconds since epoch                           Jan 1, 1904 UTC (classic HFS used local time)
FAT               Packed DOS date/time, 2-second resolution     Jan 1, 1980, local time of the machine that wrote it
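Converting between these encodings is routine when building a timeline, and the conversion step is where time-zone mistakes creep in. The following added example (the module itself contains no code; the function names are the example's own) decodes each of the four formats into a zone-aware Python datetime, treats FAT as local time with an offset the examiner supplies explicitly, encodes back to FILETIME so a known time can be searched for in a raw image, and merges constructed values from four systems into one ordered list.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)       # NTFS, registry, Windows APIs
HFSPLUS_EPOCH = datetime(1904, 1, 1, tzinfo=UTC)        # HFS+ (classic HFS used local time)

def unix_to_datetime(seconds):
    # Integer or float seconds; a float keeps any sub-second part (ext4 stores nanoseconds)
    return UNIX_EPOCH + timedelta(seconds=seconds)

def filetime_to_datetime(filetime):
    # 64-bit count of 100 ns ticks; timedelta resolves microseconds, so integer-divide by 10
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(dt):
    # Inverse of the above, for locating a known time inside raw NTFS structures
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def hfsplus_to_datetime(seconds):
    return HFSPLUS_EPOCH + timedelta(seconds=seconds)

def fat_to_datetime(date_word, time_word, utc_offset_hours):
    # Packed DOS fields: date = 7 bits (year - 1980) | 4 bits month | 5 bits day,
    # time = 5 bits hour | 6 bits minute | 5 bits (second / 2). No zone is stored, so the
    # examiner supplies the offset the writing machine was configured with.
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0xF, date_word & 0x1F
    hour, minute, second = time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2
    local = datetime(year, month, day, hour, minute, second,
                     tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return local.astimezone(UTC)

# Constructed values (not from a real case): the same instant seen through four systems,
# plus one HFS+ event five seconds later. The FAT card was written on a machine set to UTC-5.
SAMPLE_EVENTS = [
    ("ntfs $STANDARD_INFORMATION modified", filetime_to_datetime(133444736000000000)),
    ("ext4 mtime", unix_to_datetime(1700000000)),
    ("hfs+ create", hfsplus_to_datetime(2082844800 + 1700000000 + 5)),
    ("fat mtime (camera card, UTC-5)", fat_to_datetime(0x576E, 0x89AA, -5)),
]

def timeline(events):
    # Merge (label, aware datetime) pairs from any source into one UTC-ordered list
    return sorted(events, key=lambda event: event[1])
```

Note what would have happened without the explicit offset: the FAT entry decoded as UTC would land five hours early and appear to precede the other three events, which is exactly the kind of "inconsistency" that turns out to be a time-zone error rather than tampering.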

MAC Times

Most file systems track three timestamps known as MAC times:

  • M - Modified: When file content was last changed
  • A - Accessed: When the file was last read. Updates are disabled or throttled by default on modern systems (relatime on Linux, NtfsDisableLastAccessUpdate on Windows), so an old access time proves little
  • C - Changed (Unix) / Created (Windows): On Unix the inode change time, updated when metadata such as permissions or owner changes; on Windows the creation time. NTFS, APFS and ext4 also record a separate birth (creation) time, and NTFS keeps a second copy of all four timestamps in the $FILE_NAME attribute that ordinary timestamp-changing tools do not touch
Timeline Analysis Tip

Create a timeline of all timestamps from multiple sources, converting each to UTC first. Inconsistencies (like a file modified before it was created) may indicate evidence tampering, but also time-zone mistakes or ordinary operations such as copying, so confirm against a second source (logs, backups, the NTFS $FILE_NAME times) before drawing conclusions.

Anti-Forensics Detection

Suspects may attempt to modify or remove metadata to hide evidence. Knowing anti-forensics techniques helps detect tampering.

Common Anti-Forensics Techniques

  • Metadata Stripping: Removing EXIF data from images before sharing
  • Timestamp Modification: Using tools to change file timestamps
  • Document Sanitization: Removing tracked changes and comments
  • Re-saving Files: Copying content to new file to reset metadata

Detection Indicators

  • Missing expected metadata fields (stripped EXIF; an empty Author in a document that clearly went through many revisions)
  • Timestamp inconsistencies across related files, or between file-system times and the timestamps embedded in the file's own metadata
  • Modified time earlier than created time (also produced legitimately by copying a file on NTFS, which gives the copy a new creation time but keeps the source modification time)
  • Uniform timestamps across many files (bulk modification; archive extraction and installers produce the same pattern)
  • Timestamps on exact whole seconds in a file system that stores sub-second precision (many timestomping tools set only whole seconds)
  • Metadata that doesn't match file content (wrong camera model for the image quality, an editor named in the Software field of a supposedly original photo)
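As an added example (not part of this module), here are the indicators above applied to a small constructed set of file records, including two legitimate situations the rules deliberately flag: a file copied on NTFS (new creation time, old modification time) and three files that an installer or a tool stamped with the same whole second. All paths, times and the acquisition time are invented; the function name is the example's own.

```python
from collections import defaultdict
from datetime import datetime, timezone

UTC = timezone.utc
ACQUIRED_AT = datetime(2026, 1, 20, 10, 0, tzinfo=UTC)   # constructed: when the image was taken

def _rec(path, created, modified, accessed):
    return {"path": path, "created": created, "modified": modified, "accessed": accessed}

# Constructed records (not real evidence). Times are UTC with microseconds, as NTFS would give
RECORDS = [
    _rec("C:/Users/js/Documents/report.docx",
         datetime(2026, 1, 10, 9, 15, 22, 481273, tzinfo=UTC),
         datetime(2026, 1, 14, 16, 45, 33, 902114, tzinfo=UTC),
         datetime(2026, 1, 14, 16, 45, 33, 902114, tzinfo=UTC)),
    # copied from a USB stick: NTFS gives the copy a new creation time but keeps the old mtime
    _rec("C:/Users/js/Documents/budget.xlsx",
         datetime(2026, 1, 12, 8, 0, 1, 113800, tzinfo=UTC),
         datetime(2025, 11, 3, 14, 20, 5, 617000, tzinfo=UTC),
         datetime(2026, 1, 12, 8, 0, 1, 113800, tzinfo=UTC)),
    # three files whose times were all set to the same whole second by a tool (or an installer)
    *[_rec("C:/Users/js/Downloads/" + name, *[datetime(2024, 6, 1, 12, 0, 0, tzinfo=UTC)] * 3)
      for name in ("a.exe", "b.dll", "c.dat")],
]

def find_timestamp_anomalies(records, acquired_at, bulk_threshold=3):
    # Returns (path, indicator) pairs. Every indicator has an innocent explanation as well,
    # so the result is a worklist for the examiner, not a verdict.
    findings, by_mtime = [], defaultdict(list)
    for r in records:
        if r["modified"] < r["created"]:
            findings.append((r["path"], "modified before created (tampering, or an NTFS copy that kept the source mtime)"))
        if r["accessed"] < r["created"]:
            findings.append((r["path"], "accessed before created"))
        for key in ("created", "modified", "accessed"):
            if r[key] > acquired_at:
                findings.append((r["path"], key + " time is after acquisition"))
        # Only meaningful on file systems with sub-second resolution (NTFS, ext4, APFS), not FAT
        if all(r[k].microsecond == 0 for k in ("created", "modified", "accessed")):
            findings.append((r["path"], "all timestamps on whole seconds (set by a tool?)"))
        by_mtime[r["modified"]].append(r["path"])
    for mtime, paths in by_mtime.items():
        if len(paths) >= bulk_threshold:
            for p in paths:
                findings.append((p, "shares modification time %s with %d other files (bulk set or installer)"
                                 % (mtime.isoformat(), len(paths) - 1)))
    return findings
```

Run against the sample, report.docx produces nothing, budget.xlsx is flagged once (the copy case), and each of the three Downloads files is flagged twice (whole seconds, and a modification time shared with two other files). The next step for each hit is the second source mentioned under Timeline Analysis Tip, not a conclusion.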
📝 Practical Exercise 6.1

Metadata Extraction

Task: Take a photo with your smartphone and extract its EXIF data.

  1. Take a photo with location services enabled
  2. Use exiftool to extract the metadata (an online EXIF viewer also works, but uploading the photo hands its location data to a third party)
  3. Document: Camera model, GPS coordinates, timestamp, software version
  4. Consider: What could an investigator learn about you from this photo?
  5. Bonus: Strip the EXIF data and compare before/after

🎯 Key Takeaways

  • Metadata is "data about data" that often reveals more than content itself
  • EXIF data from photos can reveal device, location, and time of capture
  • Document metadata contains author information, editing history, and more
  • Timestamp analysis is crucial for establishing timelines and detecting tampering
  • Be aware of anti-forensics techniques and how to detect metadata manipulation
