Saturday, December 08, 2007

2007-12-08 Metadata Revisited - What's In That JPG? --- Relevant Evidence.

For those in the "most metadata is irrelevant" camp, I offer this argument in support of my position that metadata is critical to electronic evidence authentication: the metadata embedded in most digital photographs can reveal the camera ID, camera type, shutter speed and aperture setting, together with the more visible time and date notations. If someone is accused of having taken a certain photograph, it might be helpful to obtain this information (through discovery, of course) and then argue that the accused:

1. Owned or did not own the type of camera used to take the photo.
2. Had a camera that could or could not take photos at the listed aperture, shutter or ISO setting.
3. Had a camera that could or could not take photos at the claimed resolution.

The underlying metadata reliability argument readily exposes the gaping holes in the "most metadata is irrelevant" position. One might argue that the metadata showing these attributes (including the time and date source and the time and date notation) was unprotected, was subject to the same manipulation as any other unprotected digital data, and is therefore unreliable. One might instead argue (and this is really the more difficult argument) that the metadata was generated and maintained in such a fashion that it is authentic and reliable: in other words, that the metadata, like the photo itself, is what it purports to be as of the time relevance attached to it.
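As an added illustration (not part of the original post), the Python script below reads the fields the post names (make, model, shutter speed, aperture, ISO, capture time, pixel width) straight out of a JPEG's EXIF block, and then summarises them the way an examiner would when checking them against the accused's camera. The image it parses is constructed in the script itself with a hypothetical camera ("ExampleCam EC-100") and hypothetical settings, so it runs offline; the tag numbers and the TIFF layout are from the Exif 2.2 and TIFF 6.0 specifications. Because every one of these values is plain ASCII or a small integer in an unprotected header, the reliability question the post raises is exactly the right one to ask before relying on them.

```python
import struct

# Tag numbers from the TIFF 6.0 / Exif 2.2 specifications.
TAGS = {
    0x010F: "Make", 0x0110: "Model", 0x8769: "ExifIFDPointer",
    0x829A: "ExposureTime", 0x829D: "FNumber", 0x8827: "ISOSpeedRatings",
    0x9003: "DateTimeOriginal", 0xA002: "PixelXDimension", 0xA003: "PixelYDimension",
}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # BYTE, ASCII, SHORT, LONG, RATIONAL


def _read_ifd(tiff, offset, end, out):
    """Walk one IFD (image file directory) and collect known tags into `out`."""
    count = struct.unpack_from(end + "H", tiff, offset)[0]
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(end + "HHI", tiff, entry)
        size = TYPE_SIZE.get(typ, 1) * n
        # A value of 4 bytes or fewer sits in the entry itself; larger values are
        # stored elsewhere in the TIFF block and the entry holds their offset.
        pos = entry + 8 if size <= 4 else struct.unpack_from(end + "I", tiff, entry + 8)[0]
        if typ == 2:                      # ASCII, NUL-terminated
            val = tiff[pos:pos + n].rstrip(b"\0").decode("ascii", "replace")
        elif typ in (3, 4):               # SHORT / LONG
            fmt = end + str(n) + ("H" if typ == 3 else "I")
            vals = struct.unpack_from(fmt, tiff, pos)
            val = vals[0] if n == 1 else vals
        elif typ == 5:                    # RATIONAL: (numerator, denominator)
            val = struct.unpack_from(end + "II", tiff, pos)
        else:
            val = tiff[pos:pos + size]
        if tag == 0x8769:                 # pointer to the Exif sub-IFD: follow it
            _read_ifd(tiff, val, end, out)
        else:
            out[TAGS.get(tag, "0x%04X" % tag)] = val
    return out


def parse_exif(jpeg):
    """Return a dict of camera-related EXIF fields from a JPEG byte string."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    i = 2
    while i + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, i)
        if marker == 0xFFE1 and jpeg[i + 4:i + 10] == b"Exif\0\0":
            tiff = jpeg[i + 10:i + 2 + length]
            end = "<" if tiff[:2] == b"II" else ">"   # II = little-endian, MM = big-endian
            first_ifd = struct.unpack_from(end + "I", tiff, 4)[0]
            return _read_ifd(tiff, first_ifd, end, {})
        if marker == 0xFFDA:              # start of scan: no more header segments
            break
        i += 2 + length
    return {}


def describe_camera(meta):
    """Summarise the fields the post lists: camera, shutter, aperture, ISO."""
    num, den = meta["ExposureTime"]
    fn, fd = meta["FNumber"]
    return "%s %s, %d/%d s, f/%g, ISO %d" % (
        meta["Make"], meta["Model"], num, den, fn / fd, meta["ISOSpeedRatings"])


def _ifd(entries, base, end):
    """Serialise an IFD placed at TIFF offset `base`; entries = (tag, type, payload, count)."""
    data_off = base + 2 + 12 * len(entries) + 4    # where out-of-line values begin
    body, extra = b"", b""
    for tag, typ, payload, count in entries:
        if len(payload) <= 4:
            field = payload.ljust(4, b"\0")
        else:
            field = struct.pack(end + "I", data_off + len(extra))
            extra += payload
        body += struct.pack(end + "HHI", tag, typ, count) + field
    return struct.pack(end + "H", len(entries)) + body + struct.pack(end + "I", 0) + extra


def build_sample_jpeg():
    """Constructed test image: SOI + APP1(Exif) + EOI with hypothetical camera data."""
    end = "<"
    make, model, date = b"ExampleCam\0", b"EC-100\0", b"2007:12:08 10:12:33\0"
    ifd0_entries = [(0x010F, 2, make, len(make)), (0x0110, 2, model, len(model))]
    exif_off = 8 + 2 + 12 * 3 + 4 + len(make) + len(model)   # IFD0 starts right after the 8-byte header
    ifd0_entries.append((0x8769, 4, struct.pack(end + "I", exif_off), 1))
    exif = _ifd([
        (0x829A, 5, struct.pack(end + "II", 1, 250), 1),     # 1/250 s
        (0x829D, 5, struct.pack(end + "II", 28, 10), 1),     # f/2.8
        (0x8827, 3, struct.pack(end + "H", 400), 1),         # ISO 400
        (0x9003, 2, date, len(date)),
        (0xA002, 4, struct.pack(end + "I", 3072), 1),        # 3072 px wide
    ], exif_off, end)
    tiff = b"II*\0" + struct.pack(end + "I", 8) + _ifd(ifd0_entries, 8, end) + exif
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    print(describe_camera(parse_exif(build_sample_jpeg())))
```

Point `parse_exif` at the bytes of a real photograph and it returns the same dictionary; a JPEG whose APP1 segment has been stripped (as many web services and some mail gateways do) returns an empty dict, which is itself worth recording in the examiner's notes.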

2007-12-08 eDiscovery Question - Do You Know the Way to ADS (Alternate Data Streams)?

Engineered into Windows since NT 3.1 (circa 1993), Alternate Data Streams (ADS) were developed by Microsoft to allow better compatibility with HFS (Mac) file systems. When creating any NTFS file or folder, a separate data stream (sometimes known as a "fork") can also be created for that file or folder. Data stored in an NTFS stream is invisible to Windows Explorer, text searches, and most other routine Windows file applications. One may therefore store a 5 GB .zip file inside a stream attached to a 20 KB text file; Windows Explorer and most other apps will then detect only the 20 KB text file, and not the 5 GB streamed .zip file. So, one can use ADS to hide data within other files or folders.

Interestingly enough, ADS will be stripped from a file if the file is emailed as an attachment, or if it is copied to a FAT32 drive (such as a thumb or flash drive), a CD-RW, or any other non-NTFS medium: the copy will not carry the stream.

There are numerous detection tools, and some removal tools, available. ADS Spy is an example of a freeware detection and removal tool: http://www.bleepingcomputer.com/files/adsspy.php. Good forensics tools such as EnCase, SleuthKit, SMART, and others provide the capability to detect ADS where the forensically extracted copy is also an NTFS-based file.

Keep in mind:

1. Search for ADS.
2. ADS may contain discoverable information.
3. ADS may bear obscure non-relevant seeming names.
4. ADS may be encrypted.
5. ADS will be stripped when the file is converted/copied to non-NTFS.
6. Ask about the presence of, and/or have the examiner search for, common ADS removal tools.
7. Vista has a native ADS detection tool. From the command prompt, type "dir /r".
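As an added example (not from the original post), here is a small Python script that parses the output of the Vista `dir /r` command from item 7 and lists every alternate data stream it finds. The sample listing inside the script is constructed, not a real capture; its column layout follows the usual `dir` output, with stream entries on their own line as `file:stream:$DATA` and without a date column, which is the assumption the regular expressions rest on. It applies two checks a practitioner would want when reviewing such a listing: whether the stream name is one Windows itself writes (`Zone.Identifier`, the marker Windows attaches to files saved from the Internet zone), and whether the stream is larger than the file it hangs off, which is the 5 GB-zip-inside-a-20 KB-text-file case the post describes.

```python
import re

# Constructed sample of Vista "dir /r" output (not a real capture): an
# alternate-stream line carries no date and names the stream as file:stream:$DATA.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\Users\\jdoe\\Documents

12/08/2007  10:15 AM    <DIR>          .
12/08/2007  10:15 AM    <DIR>          ..
12/08/2007  10:12 AM            20,480 notes.txt
                         5,368,709,120 notes.txt:archive.zip:$DATA
12/07/2007  04:31 PM         1,048,576 report.doc
                                    26 report.doc:Zone.Identifier:$DATA
12/07/2007  04:35 PM               512 readme.txt
               3 File(s)      1,069,568 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""

# Ordinary file line: date, time, size, name.  Stream line: leading blanks, size, file:stream:$DATA.
FILE_LINE = re.compile(r"^\d\d/\d\d/\d{4}\s+\d\d:\d\d\s+[AP]M\s+([\d,]+)\s+(.+?)\s*$")
ADS_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

# Streams Windows writes on its own; still worth listing, but not by themselves
# a sign of hidden data.
KNOWN_BENIGN = {"Zone.Identifier"}


def _size(text):
    return int(text.replace(",", ""))


def find_streams(dir_output):
    """Return one dict per alternate data stream found in `dir /r` output.

    A stream is flagged 'suspicious' when its name is not one Windows writes
    routinely, or when it is larger than the file it is attached to.
    """
    host_sizes, found = {}, []
    for line in dir_output.splitlines():
        f = FILE_LINE.match(line)
        if f:
            host_sizes[f.group(2)] = _size(f.group(1))
            continue
        a = ADS_LINE.match(line)
        if not a:
            continue
        size, host, stream = _size(a.group(1)), a.group(2), a.group(3)
        host_size = host_sizes.get(host, 0)
        found.append({
            "file": host, "stream": stream, "size": size, "host_size": host_size,
            "suspicious": stream not in KNOWN_BENIGN or size > host_size,
        })
    return found


def report(dir_output):
    """Human-readable summary, one line per stream."""
    lines = []
    for s in find_streams(dir_output):
        flag = "SUSPICIOUS" if s["suspicious"] else "known"
        lines.append("%-10s %s:%s  %d bytes (host %d bytes)"
                     % (flag, s["file"], s["stream"], s["size"], s["host_size"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DIR_R))
```

Pipe a real `dir /r /s` capture into `find_streams` and it walks the whole tree; on the sample it reports `notes.txt:archive.zip` as suspicious and `report.doc:Zone.Identifier` as a known stream. Once a stream of interest is identified on an NTFS volume, Python on Windows can open it for examination with the same `file:stream` path syntax that `dir /r` prints, provided the copy being examined is still on NTFS (item 5 above).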