Metadata is often described as data about data. But that doesn’t really say much. Metadata can mean a number of things to the forensic examiner: It can reveal details about a document’s author, help establish a timeline of events, or identify where a photo was taken. Above all else, metadata provides the forensic examiner with context about an electronic document.
Referring to metadata, the “Sedona Principles, Second Edition: Best Practices, Recommendations and Principles for Addressing Electronic Document Production” states “a large amount of electronically stored information, unlike paper, is associated with, or contains information that is not readily apparent on the screen view of the file.” Fraud examiners, often with the help of forensic examiners, must be thorough when examining documents to identify relevant metadata.
Metadata can come in two forms: application metadata and system metadata. Application metadata is typically embedded in the document, so it “moves” with the file when it’s copied or e-mailed. This form of metadata is generated as a function of an application used to create a file and instructs that application on how to display a document. The document actually stores, in varying degrees, information pertaining to the document’s “life cycle” – from its creation to its destruction.