Much of the software we use on a daily basis contain features that allow individuals to hide data. For example, in Microsoft Word, a user can edit the Properties to insert an Author Name, Company, keywords, tag and a variety of other data. This is commonly referred to as metadata. If the document is then sent to another user, that user may also edit the document. As this process occurs, Microsoft Word will track the ownership of the document, date of creation, change control and more. This is additional metadata that is automatically added to the document. Many times, these documents are then sent outside of the organization or posted on a website. This presents a security concern because information about individuals and the company are now inadvertently exposed to individuals outside of the organization.

Metadata is structured information that describes, explains, locates, or otherwise makes it easier to retrieve, use or manage an information resource. Metadata is often called data about data or information about information.

There are three main types of metadata: Descriptive, Structural and Administrative. Descriptive metadata describes a resource for purposes such as discovery and identification. It can include elements such as title, abstract, author and keywords. Structural metadata indicates how compound objects are put together, for example, how pages are ordered to form chapters in a book. Administrative metadata provides information to help manage a resource, such as when and how it was created, file type and other technical information, and who can access it.

It’s important to know that metadata can be embedded in a digital object or it can be stored separately. Metadata is often embedded in HTML documents and in the headers of image files. Storing metadata with the object is describes ensures the metadata will not be lost, which can lead to problems of linking between data and metadata and help to ensure that the metadata and object will be updated together.

Web pages also contain metadata typically in the form of meta tags. Description and keywords in meta tags are commonly used to describe the web page’s content. Most search engines use these meta tag data when adding pages to their search index.

Live System Analysis

Live system analysis is done before taking a system offline and is becoming a necessity because attacks might leave footprints only in running processes or RAM. Some malware disappears after a system is restarted. In addition, information in RAM is lost after you turn off a suspect computer. However, after you do a live acquisition, information on the system has changed because your actions affected RAM and running processes, which also means the information can’t be reproduced. Therefore, live acquisitions don’t follow typical forensics procedures. Data such as RAM and running processes might exist for only milliseconds, other data, such as files stored on the hard drive, might last for years.

Live acquisitions are becoming more necessary, and several tools are available for capturing RAM. A popular tool is BackTrack, now referred to as Kali Linux. Kali Linux is a Linux distribution designed for digital forensics and penetration testing. Kali Linux supports 32 and 64-bit images for use on hosts based on the x86 instruction set and as an image. Kali can be booted from a USB drive or CD and also bootable on a live system that is already running. This allows forensic investigators to perform their analysis on the live system without having to reboot the system.

Other parts of the live system analysis may include reviewing network logs. Network logs record traffic in and out of a network. Network servers, routers, firewalls, and other devices record the activities and events that pass through them. A common way of examining network traffic is running the Tcpdump program (, which can procedure hundreds or thousands of lines of records.

Computer Timeline Analysis

Reconstructing the crime scene, even from a digital aspect, is a scientific process. Evidence needs to be identified, collected and analyzed. Persons involved in the incident, including witnesses, need to be interviewed. Beyond the scientific method, investigators need to consider that creativity plays a large part in solving any crime and sometimes, that is the most difficult trait to teach.

As the amount of data information and digital evidence increases, visual representations become more helpful in seeing how events are tied to each other, dependent upon another and give investigative leads to more evidence. Timelines have most likely been used in legal cases since the beginning of legal cases. In the simplest description, a timeline is a chronological listing of events. The method of displaying timelines changes, whether a timeline is a document listing events in order or an electronic display of colors, symbols, charts, graphs, and videos.

Spreadsheets can be used to efficiently sort data in a meaningful manner based on selected criteria. Whether by date and time, type of event, or by file name, spreadsheets can display relevant information quickly. A timeline spreadsheet can contain extremely detailed information gathered from a forensic analysis such as event logs, registry files, and external devices. The use of a spreadsheet alone to create a timeline based on the suspect’s events solely on a forensic examining may not result in enough information to be useful. As any computer only shows the activity of any person that used the computer, additional circumstantial evidence needs to be added to the timeline spreadsheet.

Analyzing and looking at the activity as a whole also allows for a holistic view of the investigation where patterns of activity may be seen. Comparable to a physical crime scene, an electronic crime scene may be able to show the mindset and preparation of the suspect. Indications of wiped files, anonymous logins, and encryption could show a thorough manner of execution and planning by the suspect.

The biggest question we are faced with when it comes to hi-tech crimes is “who did it?” Skilled forensic analysts and investigators are great when they not only determine the computer user activity of a suspect, but also answer the basic investigative questions of who, what, when, where, why, and how. The answer to one question may only be derived by answering another. The answer to who committed the act may be derived by answering the question of why someone would commit the act. As important with every forensic analysis to determine what happened and how it happened, it is just as important to find other answers to determine who did it.


Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment