When It Comes to Digital Investigations, It Matters.
Every app, every file, every digital thing created has associated metadata. It often sits in the background, sometimes visible and sometimes not. It is the data that describes the data, and in the world of digital investigations, it is a critical component that provides context to digital evidence. But gathering and presenting metadata is not without its challenges. Let’s briefly examine the intricacies surrounding metadata.
As we type this article, it will receive a date-time stamp related to the date it was published to the web. This is the “Create Date” metadata. Additionally, metadata will be generated that includes a “Title”, and if revised, a “Revision Date” or “Modified Date”. These are all fields that most digital article metadata vocabularies have in common.
If you dive deeper, you will uncover other metadata that is hidden “under the hood”, so to speak. Things like this article’s author metadata, which would be designated as our organization “Tidal Change Technologies”. You also might find what are referred to as Open Graph meta tags. These are metadata vocabularies that help further describe the data to other websites, and include such items as “Image”, “Type”, “Keywords”, and “Abstract”, much like you would find in a library. (Remember those big buildings with books?)
All seem pretty common and straightforward, right? Sure, for a web-based article, pretty common. However, there are other data types that we leverage every day on the web that do not share the same vocabulary as an article. That is to say, a metadata field that exists for one data type may not be present in another data type.
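The following Python example, added here and not taken from the article or from ESI Analyst, extracts the article metadata described above from a constructed page head and groups each field by the vocabulary it belongs to. The vocabulary labels, the sample dates and the `timestamps` helper are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Constructed sample page head; the dates are illustrative, not from a real page.
SAMPLE_HTML = """<html><head>
<title>When It Comes to Digital Investigations, It Matters</title>
<meta name="author" content="Tidal Change Technologies">
<meta property="og:type" content="article">
<meta property="article:published_time" content="2019-01-15T09:00:00Z">
<meta property="article:modified_time" content="2019-01-20T14:30:00Z">
<meta name="DC.title" content="When It Comes to Digital Investigations, It Matters">
</head><body><p>Body text is content, not metadata.</p></body></html>"""

# Key prefix -> vocabulary label (the labels are this example's own naming).
VOCABULARIES = (("og:", "open_graph"), ("article:", "open_graph_article"),
                ("dc.", "dublin_core"), ("dcterms.", "dublin_core"))

def classify(key):
    lowered = key.lower()
    for prefix, vocab in VOCABULARIES:
        if lowered.startswith(prefix):
            return vocab, lowered[len(prefix):]
    return "html", lowered  # unprefixed names such as 'author'

class MetaExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.fields = {}        # vocabulary -> {field: value}
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_title = tag == "title"
        key = attrs.get("property") or attrs.get("name")
        if tag == "meta" and key and attrs.get("content") is not None:
            vocab, field = classify(key)
            self.fields.setdefault(vocab, {})[field] = attrs["content"]

    def handle_data(self, data):
        if self._in_title and data.strip():  # <title> text is metadata too
            self.fields.setdefault("html", {})["title"] = data.strip()
            self._in_title = False

def extract_metadata(html):
    parser = MetaExtractor()
    parser.feed(html)
    parser.close()
    return parser.fields

def timestamps(fields):
    art = fields.get("open_graph_article", {})  # same-format UTC strings sort by time
    return sorted((v, k) for k, v in art.items() if k.endswith("_time"))
```

The grouped result makes the vocabulary gap visible: the author appears only as a plain HTML name, the title appears under both HTML and Dublin Core, and the create and modify dates exist only in the Open Graph article fields.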
By contrast, if we look up an address on our phone or computer, the map application generates coordinates. These coordinates have a title, which we refer to as the “Address”, but not all coordinates have an address. Additionally, these coordinates do not have an author, like that of an article, nor do they have an abstract.
The point is that while each digital item we create generates metadata, the makeup of this metadata, or how it is described to a user (or another computer program), is often unique to the particular data type, yet common across that data type. This is a result of the Dublin Core Metadata Initiative.
The Dublin Core Metadata Initiative, or "DCMI", is an open organization supporting innovation in metadata design and best practices across the metadata ecology. The DCMI defines four levels of interoperability. We will let you explore those on your own; you can find them here: http://dublincore.org/metadata-basics/
We recommend examining Levels 3 and 4, which are the standards to which data is evolving across the internet. At Level 3, applications are compatible with the Linked Data model (HTML5 follows this model). At Level 4, records exchanged among compliant data sources follow a common set of constraints, use the same vocabularies, and reflect a shared model of the world. For a great graphical representation of how Linked Data works, visit the Linked Data Open Cloud.
How does this impact investigations that leverage metadata? Investigative practices surrounding metadata vocabularies are still evolving. However, investigative applications, such as our own ESI Analyst, which base their logic on Linked Data and the Dublin Core will be able to adapt and innovate as these vocabularies are further adopted as standards across the industry. To quote Data and Goliath by Bruce Schneier, “While data is content, metadata is context. Metadata can be much more revealing than data, especially when collected in the aggregate.”
ESI Analyst delivers a metadata investigation platform that culminates in a concise timeline presentation of facts. Our platform matches metadata to specific actors using our proprietary actor profile matching technology, providing powerful context to digital investigations. Schedule a demonstration today to learn more.