Metadata is data about data. Every file created on a digital device carries metadata that records when it was made, when it was last modified, what software created it, and sometimes where it was created.

Most users never see this information. Forensic examiners always look at it.

Types of Forensic Metadata

File system metadata: Maintained by the OS file system. Includes:

  • Created date/time
  • Last modified date/time
  • Last accessed date/time
  • File size
  • File path and name
  • Owner and permissions (Unix/NTFS)
On NTFS (Windows), the $MFT (Master File Table) contains detailed metadata for every file, including a separate “file entry modified” timestamp. Windows also maintains a $LogFile and $UsnJrnl that track file system changes over time.

Application-level metadata: Embedded by the creating application inside the file itself.

Each evidence source provides a different perspective on digital activity, strengthening forensic conclusions when correlated.

EXIF Metadata in Photos

EXIF (Exchangeable Image File Format) data is embedded in JPEG, TIFF, and some other image formats. A typical smartphone photo contains:

  • GPS coordinates: Precise latitude, longitude, and altitude (if location permissions granted)
  • Timestamp: Date and time the photo was taken
  • Camera make and model: Specific device model
  • Lens and exposure settings: Aperture, shutter speed, ISO, focal length
  • Software: OS version and camera app version
  • Orientation: How the phone was held
GPS coordinates in EXIF data have placed suspects at crime scenes, identified locations of covert meetings, and corroborated or contradicted alibi claims. The coordinates are typically accurate to within 10–15 meters for devices with clear sky visibility.

EXIF stripping: Many platforms (Facebook, Twitter/X, WhatsApp) strip EXIF data from uploaded photos before storage. A photo downloaded from social media usually has no EXIF. A photo extracted directly from a device retains full EXIF.
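The following is an added example, not code from this page or from Octo Digital Forensics. It shows how EXIF actually sits inside a JPEG (an APP1 segment carrying a TIFF structure of IFD tables) by building a small constructed JPEG shell with a fake camera make, capture time and GPS fix, reading those fields back with a minimal stdlib-only parser, and then removing the APP1 segment the way sharing platforms do, so the same parser reports no EXIF. The camera name, timestamp and coordinates are constructed sample values; a real photo would be read with `parse_exif(open(path, 'rb').read())`.

```python
import struct
from fractions import Fraction

# Byte width of each TIFF field type handled here: BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}
TAG_MAKE, TAG_DATETIME, TAG_GPS_IFD = 0x010F, 0x0132, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _segments(jpeg):
    """Yield (marker, start, end) for each JPEG marker segment before the scan data (SOS) or EOI."""
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack('>HH', jpeg[pos:pos + 4])
        if marker in (0xFFD9, 0xFFDA):
            break
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def find_exif(jpeg):
    """Return the TIFF payload of the EXIF APP1 segment, or None if the file carries no EXIF."""
    for marker, start, end in _segments(jpeg):
        seg = jpeg[start:end]
        if marker == 0xFFE1 and seg[4:10] == b'Exif\0\0':
            return seg[10:]
    return None


def _decode(typ, count, raw, bo):
    if typ == 2:                                  # ASCII, NUL-terminated
        return raw.split(b'\0', 1)[0].decode('ascii', 'replace')
    if typ in (3, 4):
        vals = list(struct.unpack(bo + ('H' if typ == 3 else 'I') * count, raw))
    elif typ == 5:                                # RATIONAL: (numerator, denominator) pairs
        flat = struct.unpack(bo + 'I' * (2 * count), raw)
        vals = [Fraction(flat[i], flat[i + 1] or 1) for i in range(0, len(flat), 2)]
    else:
        return raw
    return vals[0] if count == 1 else vals


def parse_ifd(tiff, offset, bo):
    """Parse one Image File Directory into {tag: value}; values wider than 4 bytes live at an offset."""
    n, = struct.unpack(bo + 'H', tiff[offset:offset + 2])
    fields = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(bo + 'HHI', tiff[e:e + 8])
        size = TYPE_SIZE.get(typ, 1) * count
        if size <= 4:
            raw = tiff[e + 8:e + 8 + size]
        else:
            off, = struct.unpack(bo + 'I', tiff[e + 8:e + 12])
            raw = tiff[off:off + size]
        fields[tag] = _decode(typ, count, raw, bo)
    return fields


def _to_degrees(dms, ref):
    """Convert EXIF degrees/minutes/seconds rationals into signed decimal degrees."""
    if not dms or ref is None:
        return None
    d, m, s = dms
    value = float(d + m / 60 + s / 3600)
    return -value if ref in ('S', 'W') else value


def parse_exif(jpeg):
    """Extract the forensic essentials: device make, capture time and GPS fix (when present)."""
    tiff = find_exif(jpeg)
    if tiff is None:
        return None
    bo = '<' if tiff[:2] == b'II' else '>'      # 'II' = Intel (little-endian), 'MM' = Motorola
    ifd0_off, = struct.unpack(bo + 'I', tiff[4:8])
    ifd0 = parse_ifd(tiff, ifd0_off, bo)
    info = {'make': ifd0.get(TAG_MAKE), 'datetime': ifd0.get(TAG_DATETIME), 'lat': None, 'lon': None}
    if TAG_GPS_IFD in ifd0:                       # GPS data is a sub-IFD pointed to from IFD0
        gps = parse_ifd(tiff, ifd0[TAG_GPS_IFD], bo)
        info['lat'] = _to_degrees(gps.get(GPS_LAT), gps.get(GPS_LAT_REF))
        info['lon'] = _to_degrees(gps.get(GPS_LON), gps.get(GPS_LON_REF))
    return info


def strip_exif(jpeg):
    """Drop the EXIF APP1 segment, as upload pipelines do; every other byte is kept."""
    out, tail = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        seg = jpeg[start:end]
        if not (marker == 0xFFE1 and seg[4:10] == b'Exif\0\0'):
            out += seg
        tail = end
    out += jpeg[tail:]
    return bytes(out)


def _build_ifd(entries, base, bo='<'):
    """Serialise [(tag, type, values)] as an IFD placed at absolute TIFF offset `base`."""
    n = len(entries)
    data_off = base + 2 + 12 * n + 4              # out-of-line data follows the entry table
    table, blob = b'', b''
    for tag, typ, vals in entries:
        if typ == 2:
            payload = vals
        elif typ == 5:
            payload = b''.join(struct.pack(bo + 'II', a, b) for a, b in vals)
        else:
            payload = b''.join(struct.pack(bo + ('H' if typ == 3 else 'I'), v) for v in vals)
        if len(payload) <= 4:
            field = payload.ljust(4, b'\0')
        else:
            field, blob = struct.pack(bo + 'I', data_off + len(blob)), blob + payload
        table += struct.pack(bo + 'HHI', tag, typ, len(vals)) + field
    return struct.pack(bo + 'H', n) + table + struct.pack(bo + 'I', 0) + blob


def make_sample_jpeg():
    """Constructed input: SOI + EXIF APP1 + EOI, with a fictitious camera and a fix at 32.715N 117.16W."""
    gps = [(GPS_LAT_REF, 2, b'N\0'), (GPS_LAT, 5, [(32, 1), (42, 1), (54, 1)]),
           (GPS_LON_REF, 2, b'W\0'), (GPS_LON, 5, [(117, 1), (9, 1), (36, 1)])]
    ifd0 = [(TAG_MAKE, 2, b'TestCam\0'), (TAG_DATETIME, 2, b'2024:06:01 14:22:05\0'), (TAG_GPS_IFD, 4, [0])]
    gps_off = 8 + len(_build_ifd(ifd0, 8))        # GPS IFD is laid out right after IFD0 and its data
    ifd0[2] = (TAG_GPS_IFD, 4, [gps_off])
    tiff = b'II' + struct.pack('<HI', 42, 8) + _build_ifd(ifd0, 8) + _build_ifd(gps, gps_off)
    app1 = b'Exif\0\0' + tiff
    return b'\xff\xd8\xff\xe1' + struct.pack('>H', len(app1) + 2) + app1 + b'\xff\xd9'
```

The parser only walks IFD0 and the GPS sub-IFD, which is where the make, DateTime and coordinates live; exposure settings sit in the Exif sub-IFD (tag 0x8769) and would be read with the same `parse_ifd` call. Because `strip_exif` removes the whole APP1 segment, a copy obtained from a platform that does this has nothing left to recover, which is why the on-device original matters.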

Office Document Metadata

Microsoft Office files (Word, Excel, PowerPoint) store metadata in the document’s properties. This includes:

  • Author: The name registered in Microsoft Office settings when the document was created
  • Last modified by: The account name of the last person to save the document
  • Created date: When the document was first saved
  • Modified date: Last save timestamp
  • Total editing time: Total minutes the document was open in edit mode
  • Company: Company name from Office settings
  • Document revision history: Earlier versions may be recoverable from the file’s internal structure
  • Track changes: If Track Changes was enabled, edits with timestamps and user names are embedded
Office metadata has been used to disprove document forgery — a document supposedly created in 2020 showing an author name of software registered to a 2023 installation raises obvious authenticity questions.

Revision history in .docx: DOCX is a ZIP file containing XML. The `word/document.xml` file contains the current content. Some DOCXs retain revision markup that can reveal deleted text.

Forensic analysis requires systematic documentation and cross-referencing of multiple artifact sources.

PDF Metadata

PDF files contain a metadata dictionary with:
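An added example (not code from this page or from Octo Digital Forensics) that treats a .docx exactly as described above: it opens the file as a ZIP, reads the author, last-modified-by, created/modified dates and revision count from `docProps/core.xml`, the editing time, company and application version from `docProps/app.xml`, and then scans `word/document.xml` for retained Track Changes markup (`w:del` / `w:ins`), which carries the author, a timestamp and the deleted or inserted text. The sample document is constructed in memory with fictitious values; a real file also contains `[Content_Types].xml` and `_rels/`, which are not needed for extraction and are omitted.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    'cp': 'http://schemas.openxmlformats.org/package/2006/metadata/core-properties',
    'dc': 'http://purl.org/dc/elements/1.1/',
    'dcterms': 'http://purl.org/dc/terms/',
    'w': 'http://schemas.openxmlformats.org/wordprocessingml/2006/main',
}
W = '{%s}' % NS['w']

# Constructed sample parts with fictitious names, dates and content.
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<dc:creator>A. Author</dc:creator><cp:lastModifiedBy>B. Editor</cp:lastModifiedBy>'
    '<dcterms:created xsi:type="dcterms:W3CDTF">2020-03-01T09:00:00Z</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">2023-11-20T16:45:00Z</dcterms:modified>'
    '<cp:revision>7</cp:revision></cp:coreProperties>' % NS)
APP_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
    '<Application>Microsoft Office Word</Application><AppVersion>16.0000</AppVersion>'
    '<TotalTime>95</TotalTime><Company>Example Co</Company></Properties>')
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="%(w)s"><w:body><w:p>'
    '<w:r><w:t>Final agreed price: </w:t></w:r>'
    '<w:del w:id="1" w:author="B. Editor" w:date="2023-11-20T16:40:00Z">'
    '<w:r><w:delText>$12,000</w:delText></w:r></w:del>'
    '<w:ins w:id="2" w:author="B. Editor" w:date="2023-11-20T16:41:00Z">'
    '<w:r><w:t>$18,000</w:t></w:r></w:ins>'
    '</w:p></w:body></w:document>' % NS)


def build_sample_docx():
    """Write the constructed parts into an in-memory ZIP, the container format a .docx uses."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('docProps/core.xml', CORE_XML)
        zf.writestr('docProps/app.xml', APP_XML)
        zf.writestr('word/document.xml', DOCUMENT_XML)
    return buf.getvalue()


def extract_docx_metadata(docx_bytes):
    """Return core properties, application properties and any retained tracked changes."""
    meta = {'core': {}, 'app': {}, 'tracked_changes': []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        if 'docProps/core.xml' in names:
            root = ET.fromstring(zf.read('docProps/core.xml'))
            for key, path in (('creator', 'dc:creator'), ('lastModifiedBy', 'cp:lastModifiedBy'),
                              ('created', 'dcterms:created'), ('modified', 'dcterms:modified'),
                              ('revision', 'cp:revision')):
                meta['core'][key] = root.findtext(path, namespaces=NS)
        if 'docProps/app.xml' in names:
            root = ET.fromstring(zf.read('docProps/app.xml'))
            for child in root:                        # strip the default namespace from each tag
                tag = child.tag.split('}', 1)[-1]
                if tag in ('Application', 'AppVersion', 'TotalTime', 'Company'):
                    meta['app'][tag] = child.text
        if 'word/document.xml' in names:
            root = ET.fromstring(zf.read('word/document.xml'))
            # Track Changes markup: deleted runs keep their text in w:delText, inserted runs in w:t
            for kind, element, text_tag in (('deleted', 'del', 'delText'), ('inserted', 'ins', 't')):
                for el in root.iter(W + element):
                    meta['tracked_changes'].append({
                        'kind': kind,
                        'author': el.get(W + 'author'),
                        'date': el.get(W + 'date'),
                        'text': ''.join(t.text or '' for t in el.iter(W + text_tag)),
                    })
    return meta
```

To run it against a real file, pass `open(path, 'rb').read()` to `extract_docx_metadata`. `TotalTime` is in minutes, and the `w:date` on each change is what lets an examiner line up individual edits against the document's own modified timestamp and the file system's.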

  • Title, Author, Subject, Creator application, Producer (PDF renderer)
  • Creation date and modification date
  • Document history (if tracked)
  • XMP metadata (Extended Metadata Platform — an Adobe standard)
PDFs also can contain JavaScript, embedded files, and hidden layers that forensic examiners examine for malware or evidence of document manipulation.

Detecting Timestamp Manipulation

File system timestamps can be modified by specialized tools. Several indicators suggest timestamp tampering:

  • $MFT timestamps inconsistent with $LogFile entries: Windows keeps multiple timestamp records. Modifying one doesn’t automatically update all of them.
  • Timestamps before the file format existed: A file claiming to be a DOCX from 2002 (DOCX format launched in 2007) is suspicious.
  • Application metadata timestamps inconsistent with file system timestamps: EXIF timestamp saying June 1, file system saying June 15.
  • $UsnJrnl entries: The Windows Update Sequence Number Journal records file changes with timestamps that are harder to modify.
Timestomping — deliberately modifying timestamps to obscure activity — is detectable by experienced examiners who cross-reference multiple timestamp sources.

FAQ: Metadata Forensics

Q: Can someone remove GPS coordinates from photos before sending them?
A: Yes. Users can strip EXIF data manually with tools or via settings. iOS and Android both offer options to strip location from shared photos. Many messaging platforms do this automatically. But the original on-device photo retains EXIF, and forensic extraction of the device retrieves the original.

Q: If a file’s “created” date is earlier than its “modified” date, is that suspicious?
A: Not by itself. Many workflows create a file, modify it, then copy it — which can produce a modified date earlier than the file system’s created date. It’s the combination of inconsistencies, not any single anomaly, that indicates manipulation.

Q: Can I tell which printer printed a document from metadata?
A: Not typically from document metadata alone. However, laser printers embed invisible machine identification codes (yellow dots) in printed pages that encode the printer’s serial number and print date. This forensic technique is different from metadata extraction.

Q: Does a factory reset make data unrecoverable?
A: On modern devices with hardware encryption, a factory reset destroys the encryption keys, making data practically unrecoverable. On older devices, some data may survive in unallocated storage sectors.

Q: How should a device be handled between seizure and examination?
A: Place it in a Faraday bag, keep it charged, enable airplane mode if accessible, and document its state at seizure. Avoid powering it off if it is already on.
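The cross-referencing described in this section, as an added example that is not code from this page or from Octo Digital Forensics. It runs the indicators listed above over constructed per-file records (the $MFT created/modified times, the last write recorded for the file in the $UsnJrnl or $LogFile, and the application-level timestamp such as an EXIF capture time), and, following the page's point that it is the combination of inconsistencies that matters, weights each finding so that a lone "created after modified" (the normal result of copying a file) is reported but not called suspicious. The format-introduction table holds only the Office 2007 OOXML extensions, the weights and the record layout are assumptions of this example, and the records are not real evidence.

```python
import os.path
from datetime import datetime, timezone

# Year each container format was introduced: a timestamp earlier than this cannot be genuine.
# Only the Office 2007 OOXML formats are listed; extend from your own reference material.
FORMAT_INTRODUCED = {'.docx': 2007, '.xlsx': 2007, '.pptx': 2007}

# Assumed weighting for this example: a journal contradiction or an impossible date is strong
# on its own; the other two occur in ordinary workflows and only count in combination.
WEIGHTS = {'format_predates': 2, 'journal_conflict': 2, 'app_after_fs': 1, 'created_after_modified': 1}
SUSPICIOUS_SCORE = 2


def ts(text):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def audit_file(rec):
    """Return the tampering indicators found for one file record and an overall verdict."""
    indicators = []
    created, modified = rec['fs_created'], rec['fs_modified']

    # 1. A file whose container format did not yet exist at the claimed date.
    year = FORMAT_INTRODUCED.get(os.path.splitext(rec['name'])[1].lower())
    if year and min(created, modified).year < year:
        indicators.append('format_predates')

    # 2. The journal recorded a data write later than the $MFT modified time, so the
    #    $MFT timestamp was rolled back after that write.
    journal = rec.get('journal_last_write')
    if journal and modified < journal:
        indicators.append('journal_conflict')

    # 3. Content claims to have been produced after the file system's last write.
    app = rec.get('app_timestamp')
    if app and app > modified:
        indicators.append('app_after_fs')

    # 4. Created after modified: common after a copy, so weak on its own.
    if created > modified:
        indicators.append('created_after_modified')

    score = sum(WEIGHTS[i] for i in indicators)
    return {'indicators': indicators, 'score': score, 'suspicious': score >= SUSPICIOUS_SCORE}


def audit_records(records):
    return {r['name']: audit_file(r) for r in records}


# Constructed sample records (not real evidence).
SAMPLE_RECORDS = [
    {'name': 'report.docx', 'fs_created': ts('2002-05-10T09:00:00'),
     'fs_modified': ts('2002-05-11T10:00:00'), 'journal_last_write': ts('2024-01-15T13:05:00')},
    {'name': 'IMG_0042.jpg', 'fs_created': ts('2024-06-15T08:00:00'),      # copied from a phone
     'fs_modified': ts('2024-06-15T08:00:00'), 'app_timestamp': ts('2024-06-01T14:22:05')},
    {'name': 'IMG_0043.jpg', 'fs_created': ts('2024-06-02T09:00:00'),
     'fs_modified': ts('2024-06-01T09:00:00'), 'app_timestamp': ts('2024-06-14T18:30:00')},
    {'name': 'notes.txt', 'fs_created': ts('2024-03-02T12:00:00'),         # ordinary copy
     'fs_modified': ts('2024-02-28T17:30:00')},
]

if __name__ == '__main__':
    for name, result in audit_records(SAMPLE_RECORDS).items():
        print(f"{name}: {result}")
```

In practice the record fields come from parsing $MFT, $UsnJrnl and the file's own metadata; the point of the scoring is that `notes.txt` (one weak anomaly) is left alone while `report.docx` and `IMG_0043.jpg` are flagged because two independent sources disagree.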

Case Example

In a civil dispute, one party alleged digital evidence had been altered after a preservation obligation arose. The forensic examiner compared file system metadata against the litigation timeline and found several files modified after the preservation letter was received. A system cleanup utility had been run during the same period. The examiner documented the specific artifacts indicating post-preservation modifications, distinguishing between routine system operations and deliberate user actions, providing the court with a factual basis for evaluating the spoliation claim.

Practitioner Takeaways

See also: Iphone Extraction Forensics | Android Adb Logical Extraction Guide | Gmail Ios App Local Cache Extraction

Need Professional Digital Forensics?

Octo Digital Forensics provides expert mobile forensics, data recovery, and digital investigation services for attorneys, insurance companies, and private investigators. Court-admissible reports. Certified examiners.

Contact: octodf.com | info@derickdowns.com | (858) 692-3306