Importance of Metadata in Digital Forensics and eDiscovery
The Importance of Fully Understanding Metadata
If you’re a litigator and you’ve dealt with discovery, you’ve probably heard the term “metadata” associated with electronic evidence. But do you know what metadata is? And do you know the importance of metadata in eDiscovery and why you need it to fully understand and authenticate that evidence? Let’s take a look at what metadata is and why it’s important to your case.
What is Metadata?
Metadata is literally defined as “data about data”. It’s the information that is used to classify, organize, label and understand your electronic evidence, making sorting and searching for that evidence much easier.
We use metadata to organize electronic files (i.e., structural metadata, such as page numbers, chapters, etc.), to preserve and establish intellectual property rights to electronic files (i.e., administrative metadata, such as a Creative Commons license) and to describe the electronic files themselves (i.e., descriptive metadata, such as title and author).
The importance of metadata in eDiscovery stems from the fact that it provides so much additional information about the evidence. Imagine reviewing a printout or image of an Excel workbook and not being able to see the formulas that have been used to calculate the numbers. Those formulas are key metadata necessary to fully understand those Excel workbooks.
A digital forensics computer expert typically analyzes file metadata to help put together a timeline of events. How and when an individual interacts with a computer program to create, modify, print or copy documents can often be pivotal evidence when this information is considered with all other events that happened across a device. For instance, how an employee interacted with the files on their work computer during their last few days of employment may be extremely important.
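As an added illustration (not part of the original article), the Python sketch below shows how such a timeline can be assembled from filesystem timestamps and narrowed to a window such as an employee's last days. The file names, dates and function names are constructed for the example.

```python
import os
import tempfile
from datetime import datetime, timezone

def build_timeline(root):
    """Return (utc_time, event, relative_path) tuples sorted by time.

    Only filesystem timestamps are used. st_ctime is left out because its
    meaning differs by platform (inode change on Unix, creation on Windows).
    """
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root)
            for label, ts in (("modified", st.st_mtime), ("accessed", st.st_atime)):
                events.append((datetime.fromtimestamp(ts, timezone.utc), label, rel))
    return sorted(events)

def events_in_window(timeline, start, end):
    """Keep events with start <= time < end, e.g. an employee's last days."""
    return [e for e in timeline if start <= e[0] < end]

def make_sample(root):
    """Constructed sample: three files with hand-set access/modify times."""
    def utc(*a):
        return datetime(*a, tzinfo=timezone.utc).timestamp()
    sample = {  # name: (access time, modify time), all constructed values
        "pricing.xlsx": (utc(2023, 6, 29, 16, 5), utc(2023, 3, 1, 9, 0)),
        "clients.csv": (utc(2023, 6, 30, 17, 40), utc(2023, 6, 30, 17, 42)),
        "notes.txt": (utc(2023, 1, 10, 8, 0), utc(2023, 1, 10, 8, 0)),
    }
    for name, (atime, mtime) in sample.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(path, (atime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        make_sample(root)
        window = events_in_window(
            build_timeline(root),
            datetime(2023, 6, 28, tzinfo=timezone.utc),
            datetime(2023, 7, 1, tzinfo=timezone.utc),
        )
        for when, label, rel in window:
            print(when.isoformat(), label, rel)
```

In practice an examiner runs this kind of collection against a forensic image rather than the live device, since opening or copying files can itself alter access times.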
Three Examples of How Metadata Helps Authenticate Evidence
Metadata even serves to help authenticate electronic evidence or help identify when evidence has been falsified. Here are three examples of recent cases where metadata (or lack thereof) identified potentially questionable evidence:
In this Title VII gender discrimination case, the defendant requested that the plaintiff provide her supporting materials “in electronic form in their native format”, but she produced only print copies and, after a second request for production, only one of her “four or five” cell phones. The defendants retained a forensic examiner to inspect and analyze the one phone that was produced, and he determined that many of the text exchanges for which the plaintiff provided printed versions had been fabricated. At least 44 of the text messages that had been included in the print copies the plaintiff provided were actually located in the phone’s “unsent” folder and were interspersed with fragments of actual text conversations between the plaintiff and her supervisor. Based on the evidence falsification determined by the forensic examiner, the Court granted a motion for terminating sanctions against the plaintiff.
In a breach of contract case over the sale of farmland, the plaintiff produced TIFF formatted emails, but only after they had been forwarded from the subject computer to the office of the former attorney for the plaintiffs, rendering the metadata “wholly useless and irrelevant because it pertains to the forwarded versions of the emails to Plaintiffs’ counsel’s paralegal, not the original emails”. The defendants argued that metadata from the native versions of the emails was needed because some emails appeared to have been “whited out” in the plaintiffs’ versions, and new and different text had been inserted into Plaintiff’s versions in other cases. In one example, the plaintiffs’ copy of an email stated that the defendant’s representative indicated when discussing a document related to the sale that “It’s Acceptable”, which did not appear in the version produced by the defendant. The Court ordered the plaintiff to produce the native file versions of disputed documents.
In a case involving claims against the NYPD and allegations of a warrantless search of the plaintiff’s home in August 2014, the plaintiff provided photographs that she claimed showed the condition of her apartment several days after the incident in September 2016. After conflicting testimony by the plaintiff as to who took the photos, the defendants requested the smartphones which the plaintiff claimed were used to take the photos. While the plaintiff’s counsel objected to that request, he agreed to produce the photographs’ native files, which included metadata. When the defendants checked the photographs’ metadata, they learned that 67 of the 70 photographs had been taken in September 2016, two years after the incident and right before the plaintiff provided them to her counsel. The case was dismissed.