January 10, 2024 - 8 minutes

Metadata Forensics: Uncovering Hidden Truths in Digital Files

Discover how metadata helps with cybersecurity efforts.

Juliette Carreiro

Tech Writer

Cybersecurity

Metadata is one of those words that is tiptoeing into our daily vocabulary. This is mainly because of the exponential amount of data being generated and stored every minute of every day. Did you know that the amount of existing data stored on the Internet doubles every two years? (Yikes! That's a lot of data!) How are we going to sort through all that, and avoid losing time, getting a few headaches, and completely erasing important data? Here is where the usefulness of metadata comes in.

According to a report by IBM, metadata analysis can reduce the time needed to investigate a data breach by up to 50%, highlighting its critical role in cybersecurity.

Source: Cornerstone Discovery

What is Metadata Anyways?

To clarify, metadata is not to be mixed up with the actual content: it is not the content itself. Instead, it describes the content of an object or piece of information.

To put it simply, it's "data about data" or "a set of data used to describe and represent an information object" or even "documentation that describes the stored data." For example, an email has written content or "information" within it, yet the metadata would be the time it was sent, the sender, and the subject.

Metadata forensics involves analyzing the metadata embedded in digital files to uncover hidden information. For instance, examining the metadata of a digital photo can reveal the device it was taken with, the date, time, and even the GPS coordinates, which can be crucial in criminal investigations or verifying the authenticity of a document.

There are three different kinds of metadata that make the system complete and operable: descriptive, structural, and administrative. 

Photo by Immo Wegmann on Unsplash

Descriptive metadata

Descriptive metadata is basic information: who, what, when and where. Think of it as a description of a file or a piece of art with the plaque next to it; it’s there to help individuals know what they are looking at and the description changes depending on the contents of the object or information piece. 

Types of descriptive metadata include:

  • Time and date of creation

  • Program or processes used for the creation of the data

  • Purpose of the data

  • Creator or author of the data

  • Location on a device where the data was created

  • Technical standards used

  • File size

  • Data quality

  • Source of the data

  • Modifications or programs used to modify the file

Structural metadata

Structural metadata defines how the data should be categorized to fit into a more extensive system of other objects or information sets. Therefore, structural metadata represents what the fields mean, so there can be a relationship established between many files to organize them and use them accordingly. 

Administrative metadata

This is information about the history of the data or object, such as owners, rights, licenses and permissions, which is particularly helpful for information management. 

Word files, songs, videos and images, for example, all follow an information method regarding origins, creation and uses. 

What’s the Deal with Metadata?

One of the main problems with the exponential growth of data is how it is treated and stored. If the data isn't appropriately described, it becomes significantly harder for users of that data to retrieve or recover it. Description elements need to be accurately representative so that current tools can efficiently and effectively find them for the user.

Think about it: we have all been there and quickly saved a file without labeling it properly and then spent hours trying to find it–or maybe even never saw it again. It’s forever lost in the data abyss (oh the heartbreak!).

Experts studying description, search, and information retrieval point out that the best way to avoid this problem may be to create well-planned and well-designed metadata information system tools for users. This would allow information stored in computers to be processed optimally and exchanged over networks, particularly for data available on the internet. Such a resource would mean that electronically stored data can be accessed and retrieved regardless of format, such as text, image, sound, video, a web page, and more.

This would help individuals find the exact information they are searching for–and avoid heartache or heartbreak!

Understanding Metadata Forensics

Now that we have briefed you on what metadata is and its various forms, are you ready to get your detective hat and magnifying glass out? Because there's an even more specific field of use: forensic metadata. Think of electronic evidence or the bread crumbs that lead to the main culprit or suspect; forensic metadata holds the key to cracking a case in various investigations because vital information can be hidden in a tiny file and reveal something major.

Forensic metadata in use

Metadata allows digital or computer forensic investigators to understand the steps and history of an electronic file; these digital traces are fragile and need to be properly preserved. Think of it like real physical evidence at a crime scene and the level of care required to avoid cross-contamination, missed clues, or tampering with evidence. Metadata must be treated in the same way.

Here are examples of some metadata that may be of interest to a criminal investigation:

  • Recovering file names, their extensions, their respective creation, modification and access dates 

  • History of executions, failures, number of writes and reads of records

  • File creation, modification, and access information

  • Accessing all information stored within a document

  • Accessing hidden document information

  • Providing collaboration evidence 

Metadata even serves to help authenticate electronic evidence or help identify when evidence has been falsified or doctored. When carrying out an investigation, a professional needs very versatile tools that are fast and safe to use; these professionals include security nationals, computer experts, investigation companies and security departments in large companies or corporations. 
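
An added example, not from the original article, of reading hidden document information and collaboration evidence: Word .docx files are ZIP packages whose docProps/core.xml part records the creator, last editor, revision count and timestamps. The sample package, its names and dates are constructed, and the function names are illustrative.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
FIELDS = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
          "revision": "cp:revision", "created": "dcterms:created",
          "modified": "dcterms:modified"}

def core_properties(docx_bytes: bytes) -> dict:
    """Read docProps/core.xml straight from the package, without opening it in Word."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        # ElementTree does not fetch external entities; for untrusted evidence a
        # hardened parser such as defusedxml is the safer choice.
        root = ET.fromstring(pkg.read("docProps/core.xml"))
    return {k: (root.findtext(p, namespaces=NS) or "").strip() for k, p in FIELDS.items()}

def findings(props: dict) -> list:
    """Flag collaboration evidence and timestamps that contradict each other."""
    notes = []
    if props["last_modified_by"] and props["last_modified_by"] != props["creator"]:
        notes.append("edited by someone other than the creator")
    if props["created"] and props["modified"]:
        created = datetime.fromisoformat(props["created"].replace("Z", "+00:00"))
        modified = datetime.fromisoformat(props["modified"].replace("Z", "+00:00"))
        if modified < created:
            notes.append("modified timestamp precedes created timestamp")
    return notes

def build_sample() -> bytes:
    """Constructed sample package; the names and dates are invented."""
    xml = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
           "<dc:creator>alice</dc:creator><cp:lastModifiedBy>bob</cp:lastModifiedBy>"
           "<cp:revision>7</cp:revision>"
           "<dcterms:created>2024-01-05T09:00:00Z</dcterms:created>"
           "<dcterms:modified>2024-01-03T17:30:00Z</dcterms:modified>"
           "</cp:coreProperties>") % (NS["cp"], NS["dc"], NS["dcterms"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/core.xml", xml)
    return buf.getvalue()
```

Run it on a working copy of the evidence file, never the original, so the file's own timestamps stay untouched.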

Such tools help produce tests and reports with a complete guarantee, so that when investigators request strict access to these files, they already know the files are relevant to their case.

We like to take inspiration from Hany Farid, a forensic and computer scientist known as the "Sherlock Holmes of the Instagram era." Journalists, courts, intelligence agencies, and the FBI come to him to sort real images from fake ones, as it's becoming increasingly difficult to tell the difference. He states that "the ability to manipulate digital content has accelerated," and this acceleration could present a real public threat, as public figures can even fall victim to "deep fake" videos or photos. He is striving to carry out his work in many ways, using various new tools, but one initial clue that indicates that an image may have been falsified is the number of times the image has been saved or compressed. Therefore, metadata helps unlock insights into whether the image has been manipulated or not–and this is just the beginning.

As you can probably tell, cybersecurity is a huge topic with lots of ground to cover. If you wanna keep on learning more, check out our cybersecurity bootcamp, which you can take either in-person or online and choose from full-time or part-time options. 

The future of cybersecurity is incredibly bright, with new technologies introduced every day. Are you up for the challenge? 

How to Perform Metadata Forensics

  1. Select Tools: Choose suitable tools for metadata analysis such as ExifTool or Autopsy.

  2. Extract Metadata: Learn how to extract metadata from different file types.

  3. Analyze Data: Understand how to interpret metadata to uncover hidden information.

  4. Apply Findings: Use the findings in real-world applications such as cybersecurity audits or forensic investigations.

About the Author:

Juliette Carreiro is a tech writer, with two years of experience writing in-depth articles for Ironhack. Covering everything from career advice and navigating the job ladder, to the future impact of AI in the global tech space, Juliette is the go-to for Ironhack’s community of aspiring tech professionals.
