Investigation Insight Newsletter
April 2009 | Vol. 1, Iss. 4



A monthly newsletter focused on real world issues and practical strategies for the investigation professional.

In This Issue:

From the Investigator's Notebook: Master Metadata – Understand the Difference Between
System and Application Metadata
News & Events

From the Investigator's Notebook: Master Metadata – Understand the Difference Between
System and Application Metadata

Metadata has become increasingly important in e-discovery and investigations involving electronic information and computer conduct. Despite its overwhelming importance, significant confusion surrounding the various types of metadata continues to persist. This confusion can lead to improper metadata requests and a waste of valuable time and resources.

To begin with, it is important to note that all active files have two types of metadata – system and application. Both types of metadata provide information about other data; however, there are crucial distinctions between the two.

  • System Metadata: System metadata is information that is recorded for a file that is specific to the machine or device upon which the file is located. The following are several important system metadata fields: file name, deleted/non-deleted, date/time created, date/time last modified, date/time last accessed and full path location (e.g. c:\documents\documentsandsettings\janedoe\relevantdocument). Some system metadata is copied with a file when it is moved from one location to another, but not all. For this reason, it is often easy for a computer user to alter system metadata by simply moving a file from one folder to another, or transferring it from one device to another (e.g. computer to USB drive).
  • Application Metadata: Application metadata (commonly referred to as embedded data) is information embedded within a file that is about the file itself. The following are common application metadata fields: tracked changes, document author, document version and the "to," "from" and "subject" lines in an e-mail. The application metadata fields vary depending on the type of file in question; for example, a Corel® WordPerfect® document will have different fields than a Microsoft® Word document and different versions of Microsoft Word files will also differ. Unlike system metadata, application metadata fields move with a file when it is copied, generally making it more difficult to alter than system metadata.

As metadata can be crucial to a case, it is regularly requested during discovery and sought during investigations. Rather than broadly requesting "all metadata," it is a best practice to distinguish between system and application metadata and to specify for which fields you are looking.

To support or defend a request for metadata, it is important to understand the manner in which system and application metadata are best used. System metadata is a helpful tool when reconstructing a chain of events. For example, if a file is copied from one machine to another, the "date created" field on the new machine is the date the file was last copied. This is because system metadata records information specific to the machine. However, the "date last modified" is a system metadata field that does not necessarily change during the copy. Therefore, a forensic investigator who notices that the "date created" post-dates the "date last modified" can determine that the file at issue was copied, rather than created on the date listed in the "date created" field. System metadata can also be very valuable in linking a computer user to a file. For example, if the dates and times associated with the file fall within a period when only one user logged into the computer, that user may be reasonably identified as the creator of the file.
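The two system-metadata checks described above, written out as an added example that is not part of the original newsletter. The file records, login sessions, user names and paths are constructed sample data, and the rule for copied files noted in the code is an assumption of this example.

```python
from datetime import datetime

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed sample: system metadata for one document found in two locations.
FILES = [
    {"path": r"C:\work\bid.doc", "created": ts("2009-03-02 09:15"),
     "modified": ts("2009-03-02 10:40")},
    {"path": r"E:\bid.doc", "created": ts("2009-03-10 17:05"),
     "modified": ts("2009-03-02 10:40")},
]
# Constructed sample: login sessions (user, start, end) on the machine examined.
SESSIONS = [
    ("janedoe", ts("2009-03-02 08:30"), ts("2009-03-02 12:00")),
    ("janedoe", ts("2009-03-10 16:00"), ts("2009-03-10 18:00")),
    ("jsmith", ts("2009-03-10 17:00"), ts("2009-03-10 17:30")),
]

def likely_copied(rec):
    """'Date created' later than 'date last modified' points to a copy."""
    return rec["created"] > rec["modified"]

def users_logged_in(when, sessions):
    return {user for user, start, end in sessions if start <= when <= end}

def sole_user(rec, sessions):
    """Return the one user logged in at every relevant timestamp, else None."""
    # Assumption of this example: for a copied file only 'created' reflects
    # activity on this machine, since 'modified' was carried over by the copy.
    stamps = [rec["created"]] if likely_copied(rec) else [rec["created"], rec["modified"]]
    present = [users_logged_in(t, sessions) for t in stamps]
    if all(len(p) == 1 for p in present) and len(set.union(*present)) == 1:
        return next(iter(present[0]))
    return None

def triage(files, sessions):
    return [{"path": f["path"], "copied": likely_copied(f),
             "user": sole_user(f, sessions)} for f in files]

if __name__ == "__main__":
    for row in triage(FILES, SESSIONS):
        print(row)
```

The second record is flagged as a copy but is attributed to no one, because two users were logged in when it was created.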

Application metadata is useful in determining when a file has been altered, as the metadata often identifies changes that have been made to a file, such as tracked changes. Application metadata can also be helpful in identifying documents. For instance, a forensic investigator may be able to determine that a proprietary document is being used by a competitor through the use of unique embedded information, such as the original "author name" or "company name."
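As an added illustration (not from the original newsletter) of embedded fields travelling with a file, the following reads the author and company from the metadata parts of a Word .docx package and confirms they are unchanged after a copy. The sample package is constructed and holds only the two metadata parts; the names "Jane Doe" and "Example Corp" are made up.

```python
import io
import shutil
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path
from xml.sax.saxutils import escape

NS = {  # namespaces used by the .docx docProps parts
    "dc": "http://purl.org/dc/elements/1.1/",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

def build_sample_docx(author, company):
    """Constructed sample: a zip holding only the two metadata parts."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f'<dc:creator>{escape(author)}</dc:creator>'
            f'<cp:lastModifiedBy>{escape(author)}</cp:lastModifiedBy>'
            f'</cp:coreProperties>')
    app = (f'<Properties xmlns="{NS["ep"]}">'
           f'<Company>{escape(company)}</Company></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()

def application_metadata(docx_bytes):
    """Extract embedded author/company fields from the file's own contents."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))
    return {
        "author": core.findtext("dc:creator", namespaces=NS),
        "last_modified_by": core.findtext("cp:lastModifiedBy", namespaces=NS),
        "company": app.findtext("ep:Company", namespaces=NS),
    }

def survives_copy(docx_bytes):
    """Copy the file to a new location and compare the embedded fields."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "original.docx"), Path(tmp, "copy.docx")
        src.write_bytes(docx_bytes)
        shutil.copy(src, dst)  # contents travel; system timestamps may not
        return (application_metadata(src.read_bytes())
                == application_metadata(dst.read_bytes()))
```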

The bottom line is that there are various types of metadata. Be sure to understand the differences between the types of metadata as well as their usefulness to your case. The investigator or advocate who understands these key differences in metadata has taken the first steps towards utilizing it effectively and persuasively.

Special thanks to Chris Andrews, Kroll Ontrack computer forensics specialist, for his contribution in writing this article. Mr. Andrews is responsible for conducting sound computer forensic investigations and analysis and can be reached at candrews@krollontrack.com for questions or comments.


News & Events

Upcoming Web Seminar – "Crossing the E-Discovery Border: IT and Legal"
Please join Kroll Ontrack for the free webinar, "Crossing the E-Discovery Border: IT and Legal," which is scheduled for Thursday, April 23, 2009 at 12:00 p.m. CDT / 1:00 p.m. EDT.

This web seminar will discuss what your company can do to begin to bridge the gap between IT and Legal and create a more productive and efficient environment. Topics to be covered include tips for reaching across the aisle when:

  • Creating and enforcing document retention policies;
  • Creating e-discovery strategies;
  • Issuing litigation holds; and
  • Following best practices to avoid sanctions.

This seminar will be a live Internet broadcast. Seating is limited, so register today at www.krollontrack.com/webinar-042309/.

Enhanced E-Discovery Certification Course Propels Litigation Teams to New Heights
Given the current economic condition, corporate clients are being forced to cut back legal and IT budgets, while the threat of sanctions due to improper ESI handling continues to rise. Become e-discovery certified to prevent your firm or corporation from becoming the next headline. Kroll Ontrack's 2009 E-Discovery Certification Course is ideal for legal and technical professionals of all levels, especially in-house counsel, law firm attorneys, litigation support professionals, paralegals, IT staff, and members of the judiciary. Upon completion of this program, you will be able to make informed decisions regarding ESI, be prepared to negotiate at the meet and confer and understand the most current e-discovery law. For more information and to register for an upcoming course, visit www.krollontrack.com/certification-courses/.

Meet our representatives at the following events:

  • 4/23/09 | Crossing the E-Discovery Border: IT and Legal | Online Seminar
  • 4/27/09 – 4/29/09 | IQPC | San Francisco, CA
  • 4/27/09 – 4/29/09 | Computer Forensics | Washington, DC
  • 4/29/09 – 5/01/09 | ABA Section of Litigation Annual Meeting | Atlanta, GA
  • 5/07/09 – 5/08/09 | International Litigation Support Leaders Conference | Washington, D.C.
  • 5/12/09 – 5/13/09 | Secure 360 | St. Paul, MN
  • 5/17/09 – 5/20/09 | CEIC | Orlando, FL
  • 5/18/09 – 5/21/09 | EMC World | Orlando, FL
  • 5/31/09 – 6/03/09 | Techno Security Conference | Myrtle Beach, SC
  • 6/04/09 – 6/05/09 | E-Discovery Certification Course | Eden Prairie, MN
  • 6/12/09 – 6/13/09 | Michigan Defense Trial Counsel Summer Meeting | Harbor Springs, MI
  • 6/24/09 – 6/25/09 | LegalTech West | Los Angeles, CA
  • 6/25/09 | Chicago Law Bulletin Annual E-Discovery Conference | Chicago, IL
  • 8/23/09 – 8/26/09 | HTCIA | Lake Tahoe, CA
  • 8/24/09 – 8/28/09 | ILTA | Baltimore, MD
  • 9/17/09 – 9/18/09 | E-Discovery Certification Course | Eden Prairie, MN
  • 10/13/09 – 10/14/09 | The Masters Conference | Washington, D.C.
  • 10/18/09 – 10/21/09 | Association of Corporate Counsel 2009 Annual Meeting | Washington, D.C.
  • 10/26/09 – 10/28/09 | Techno Forensics | Gaithersburg, MD
  • 10/29/09 – 10/30/09 | E-Discovery Certification Course | Eden Prairie, MN
  • 11/05/09 – 11/06/09 | Trial Technology Readiness Training | Miami, FL
  • 12/03/09 – 12/04/09 | E-Discovery Certification Course | Eden Prairie, MN
  • 2/1/10 – 2/3/10 | LegalTech 2010 | New York, NY
  • Ongoing | Washington Metropolitan Area Corporate Counsel Association | Washington, DC

Visit www.krollontrack.com/upcoming-events/ for more information on these events and others.


We Request Your Input

This newsletter was written by Regina Jytyla, Kroll Ontrack staff attorney, with assistance from Kelly Kubacki and Meridith Socha, Kroll Ontrack law clerks. Ms. Jytyla can be contacted by writing to gjytyla@krollontrack.com.

For more information about e-discovery and computer forensics services, contact Kroll Ontrack at 800 347 6105 or www.krollontrack.com.

Kroll Ontrack

9023 Columbine Road | Eden Prairie, MN 55347 | 800 347 6105



This document does not provide legal or other professional advice and should not be relied upon as anything other than a starting point for research and information on the subject of electronic evidence.

© 2009 Kroll Ontrack Inc. All material contained within this publication is protected by copyright law and may not be reproduced or transmitted, in whole or in part, without the express written consent of Kroll Ontrack Inc.