Using Metadata in Litigation
With proper forensic analysis, metadata can help highlight patterns, establish
timelines, and point to gaps in the data.
Andy Spore
When it comes to metadata as part of a litigation strategy, we mostly see it used as supporting information
about the data. It is unusual, but not unheard of, to see metadata used directly as evidence. When the data is
black and white, you don’t need to depend on metadata to make your case.
That is likely to change as more people understand the role metadata can have in developing legal strategy.
With proper forensic analysis, metadata can help highlight patterns, establish timelines, and point to gaps
in the data. Most importantly, metadata can connect data to a particular user, opening the door to proving
knowledge and intent.
For example, let’s say you have an employee, “Phil,” who
supervises five other workers. One of the workers, “Sue,” files
a claim for prejudice. Metadata can show if Phil accessed or
revised Sue’s files more often than her colleagues’. While this
by itself doesn’t prove bias, it can help establish a pattern of
behavior that can support bias.
Having a list of metadata in context can point to patterns of
fact-specific activities among individuals. A forensic specialist
will have the experience to do the common-sense things that
otherwise might be overlooked, such as validating the time
stamp on the systems. He or she will usually submit one of two
types of reports: a factual report cataloging the data in context
or an opinion-based report, which requires the expert to form
an opinion of the case based on the evidence. In rare cases, the
expert may be required to testify.
If Phil claims not to have seen a particular file before a certain date, metadata can corroborate or disprove
that claim by showing when Phil first accessed the file or when that file first appeared on Phil’s computer. That
is the goal of forensic examination of metadata: associating the data with other pieces of information—a user
who accessed it, a file directory where it was stored, the last time it was copied, etc.—all of which can be vital
to a case.
Metadata can produce circumstantial evidence to support a case. You can look at how files were accessed,
in what order, and by whom. For example, metadata could show that “Franklin” accessed a computer from 9
to 9:20 a.m. It also could show that a flash drive was connected to Franklin’s computer at 9:12 a.m. Finally, it
could show that certain files were accessed from an external device between 9:15 a.m. and 9:45 a.m. Logically,
we would suspect that those files were copied to the
flash drive by Franklin.
Just about any action you take with a file changes
some aspect of its metadata. Typical e-Discovery
filtering strategies such as deduplication and date
filtering would be more effective with a better
understanding of how metadata affects these actions.
Think of a computer system as a library. The file
system, the structure that allows for the identification and location of files, is the card catalog. The catalog
potentially contains metadata not available in the book, such as who checked out the book, when they
12 www.DFInews.com
FALL 2014
checked it out, and where the book is located.
The books (files), rows and shelves (drives and
folders) represent the data area of the system. Each
book you check out will have metadata about the book,
such as author, title, and publishing date. It also has
additional metadata through the card catalog record.
The card catalog may contain valuable information that
will not be found in the book itself.
Now suppose you have two libraries with some of
the same books. If you apply an industry-standard
deduplication filter, you’ll choose one book to save and
one to delete. When the duplicated book is removed
from the library, so is the catalog entry.** This would
cause you to lose the metadata associated with the
deleted file. That may be of some significance to
the case. At the very least it results in an incomplete
picture.
Here’s another example: Phil and Franklin both have
an identical list of names on their computers. Phil stores
his list in a directory called “contacts.” Franklin stores
his in a directory called “victims.” A deduplication filter
might decide to keep Phil’s file and delete Franklin’s
along with the metadata that shows in which directory
Franklin’s file was stored. Without the context metadata
provides, Franklin’s intent might never be discovered.
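The deduplication problem described above can be shown in a few lines. This is an added example, not code from the article or from any e-Discovery product; the custodians and directory names follow the article's scenario, while the full paths, file contents and function names are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample records: (custodian, path, file content). Not real case data.
NAMES = b"Alice\nBob\nCarol\n"
SAMPLE_FILES = [
    ("Phil", "C:/Users/phil/contacts/names.txt", NAMES),
    ("Franklin", "C:/Users/franklin/victims/names.txt", NAMES),
    ("Sue", "C:/Users/sue/docs/report.txt", b"Q1 report\n"),
]

def naive_dedup(files):
    """Keep the first copy of each content hash; later copies lose their metadata."""
    kept = {}
    for custodian, path, content in files:
        digest = hashlib.sha256(content).hexdigest()
        kept.setdefault(digest, [{"custodian": custodian, "path": path}])
    return kept

def metadata_preserving_dedup(files):
    """Review each unique content once, but retain every instance's custodian and path."""
    groups = defaultdict(list)
    for custodian, path, content in files:
        digest = hashlib.sha256(content).hexdigest()
        groups[digest].append({"custodian": custodian, "path": path})
    return dict(groups)

def paths_for(result, content):
    """Return the sorted paths recorded for one piece of content."""
    digest = hashlib.sha256(content).hexdigest()
    return sorted(instance["path"] for instance in result[digest])

if __name__ == "__main__":
    print("naive:     ", paths_for(naive_dedup(SAMPLE_FILES), NAMES))
    print("preserving:", paths_for(metadata_preserving_dedup(SAMPLE_FILES), NAMES))
```

Both functions leave two unique documents to review, but only the second still records that a copy of the list sat in Franklin's "victims" directory.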
Date filtering is another popular tool used in
e-Discovery to help limit the number of documents
that need to be reviewed and produced, but it also has
flaws. Let’s say Franklin creates a file on Jan. 15 and
continues to work in that file until April 5. When he
no longer needs the file (say April 7), he copies it to
a company server and deletes the original from his
computer.
In May, we get a search request for all documents
created in the first quarter—Jan. 1 to March 31.
Franklin’s document should be produced, but it won’t
be. The copy on the server will show a creation date of
April 7 (the date the file first appeared on the server). It
will show a “date modified” of April 5, which is earlier
than the “date created” (and indicates the file is a copy),
and both dates fall outside the parameters of the search. So Franklin’s
potentially material document may be completely
overlooked.
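The date-filtering gap above, and one way to catch it, as an added example that is not from the article or any e-Discovery tool. The records are constructed to match the scenario, the year is a placeholder because the article gives only months and days, and the function names are hypothetical; the timestamps are assumed to have been validated.

```python
from datetime import date

YEAR = 2014  # placeholder year; the article gives only months and days

# Constructed file-system records (not real case data).
SAMPLE = [
    {"name": "franklin_server_copy.docx",
     "created": date(YEAR, 4, 7), "modified": date(YEAR, 4, 5)},
    {"name": "q1_memo.docx",
     "created": date(YEAR, 2, 3), "modified": date(YEAR, 2, 10)},
    {"name": "may_notes.docx",
     "created": date(YEAR, 5, 2), "modified": date(YEAR, 5, 6)},
    {"name": "old_archive_copy.docx",
     "created": date(YEAR, 4, 10), "modified": date(YEAR - 1, 12, 12)},
]

def created_in_range(records, start, end):
    """Naive date filter: trust the 'date created' recorded by the file system."""
    return [r["name"] for r in records if start <= r["created"] <= end]

def is_likely_copy(record):
    """A 'date modified' earlier than 'date created' suggests the file was copied here."""
    return record["modified"] < record["created"]

def flag_for_review(records, start, end):
    """Copies the naive filter missed whose original creation date may be in range.

    The original was created no later than its last modification, so a copy
    can be ruled out only when 'date modified' is before the start of the range.
    """
    return [
        r["name"] for r in records
        if not (start <= r["created"] <= end)
        and is_likely_copy(r)
        and r["modified"] >= start
    ]

if __name__ == "__main__":
    q1_start, q1_end = date(YEAR, 1, 1), date(YEAR, 3, 31)
    print("produced by date filter:", created_in_range(SAMPLE, q1_start, q1_end))
    print("flagged for review:     ", flag_for_review(SAMPLE, q1_start, q1_end))
```

Franklin's server copy is absent from the first list and present in the second, while the archive copy last modified before Jan. 1 is safely excluded from both.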
New strategies need to be developed to address these
issues at the industry level. For now, the best way to
deal with them is to be aware and to use experienced
forensic analysts to collect your data and preserve your
metadata. Some e-Discovery products are addressing
this through new filtering strategies that retain and
produce metadata even on duplicated files.
As we move forward, expect to see metadata play a
larger role in litigation. The industry will address the
flaws in filtering, and more litigators will understand
what a powerful and useful tool analysis of metadata
can be.
**When data is deleted, it is not actually removed.
This example is simplified in an effort to help readers
understand metadata.
Andy Spore is a digital forensic analyst
at DSi. He is a Certified Computer
Examiner (CCE) and EnCase Certified
Examiner (EnCE). He has more than
six years of experience in forensic data
collections and forensic examination.
info@dsicovery.com; www.DSicovery.com