
Friday, 24 October 2014

Importance of metadata in appreciation of evidence


When it comes to metadata as part of a litigation strategy, we mostly see it used as supporting information about the data. It is unusual, but not unheard of, to see metadata used directly as evidence. When the data is black and white, you don’t need to depend on metadata to make your case.

That is likely to change as more people understand the role metadata can have in developing legal strategy. With proper forensic analysis, metadata can help highlight patterns, establish timelines, and point to gaps in the data. Most importantly, metadata can connect data to a particular user, opening the door to proving knowledge and intent.




For example, let’s say you have an employee, “Phil,” who supervises five other workers. One of the workers, “Sue,” files a claim for prejudice. Metadata can show if Phil accessed or revised Sue’s files more often than her colleagues’. While this by itself doesn’t prove bias, it can help establish a pattern of behavior that can support bias.

Having a list of metadata in context can point to patterns of fact-specific activities among individuals. A forensic specialist will have the experience to do the common-sense things that otherwise might be overlooked, such as validating the time stamp on the systems. He or she will usually submit one of two types of reports: a factual report cataloging the data in context or an opinion-based report, which requires the expert to form an opinion of the case based on the evidence. In rare cases, the expert may be required to testify.

If Phil claims not to have seen a particular file before a certain date, metadata can corroborate or disprove that claim by showing when Phil first accessed the file or when that file first appeared on Phil’s computer. That is the goal of forensic examination of metadata: associating the data with other pieces of information—a user who accessed it, a file directory where it was stored, the last time it was copied, etc.—all of which can be vital to a case.

Metadata can produce circumstantial evidence to support a case. You can look at how files were accessed, in what order, and by whom. For example, metadata could show that “Franklin” accessed a computer from 9 to 9:20 a.m. It also could show that a flash drive was connected to Franklin’s computer at 9:12 a.m. Finally, it could show that certain files were accessed from an external device between 9:15 a.m. and 9:45 a.m. Logically, we would suspect that those files were copied to the flash drive by Franklin.

Just about any action you take with a file changes some aspect of its metadata. Typical e-Discovery filtering strategies such as deduplication and date filtering would be more effective with a better understanding of how metadata affects these actions.

Think of a computer system as a library. The file system, the structure that allows for the identification and location of files, is the card catalog. The catalog potentially contains metadata not available in the book, such as who checked out the book, when they checked it out, and where the book is located.

The books (files), rows and shelves (drives and folders) represent the data area of the system. Each book you check out will have metadata about the book, such as author, title, and publishing date. It also has additional metadata through the card catalog record. The card catalog may contain valuable information that will not be found in the book itself.

Now suppose you have two libraries with some of the same books. If you apply an industry-standard deduplication filter, you’ll choose one book to save and one to delete. When the duplicated book is removed from the library, so is the catalog entry. This would cause you to lose the metadata associated with the deleted file. That may be of some significance to the case. At the very least it results in an incomplete picture.

Here’s another example: Phil and Franklin both have an identical list of names on their computer. Phil stores his list in a directory called “contacts.” Franklin stores his in a directory called “victims.” A deduplication filter might decide to keep Phil’s file and delete Franklin’s along with the metadata that shows in which directory Franklin’s file was stored. Without the context metadata provides, Franklin’s intent might never be discovered.
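The contacts/victims scenario above, as an added example that is not part of the original post: a hash-based deduplication pass that keeps one instance per content hash, next to one that reviews each unique content once but retains the custodian and path of every instance. The file paths, contents and function names are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample collection: (custodian, path, content). Not real case data.
COLLECTED = [
    ("Phil", "C:/Users/phil/contacts/names.txt", b"Alice\nBob\nCarol\n"),
    ("Franklin", "C:/Users/franklin/victims/names.txt", b"Alice\nBob\nCarol\n"),
    ("Sue", "C:/Users/sue/docs/review.txt", b"Q3 review notes\n"),
]


def naive_dedup(items):
    """Keep the first instance per content hash; later instances and
    their file-system metadata (custodian, path) are discarded."""
    seen, kept = set(), []
    for custodian, path, content in items:
        digest = hashlib.sha256(content).hexdigest()
        if digest not in seen:
            seen.add(digest)
            kept.append({"sha256": digest, "custodian": custodian, "path": path})
    return kept


def dedup_keep_metadata(items):
    """Group by content hash so each unique content is reviewed once,
    while every instance's custodian and path stay in the record."""
    groups = defaultdict(list)
    for custodian, path, content in items:
        digest = hashlib.sha256(content).hexdigest()
        groups[digest].append({"custodian": custodian, "path": path})
    return [{"sha256": d, "instances": inst} for d, inst in groups.items()]


if __name__ == "__main__":
    print("naive dedup keeps:")
    for rec in naive_dedup(COLLECTED):
        print("  ", rec["custodian"], rec["path"])
    print("metadata-preserving dedup keeps:")
    for rec in dedup_keep_metadata(COLLECTED):
        for inst in rec["instances"]:
            print("  ", rec["sha256"][:12], inst["custodian"], inst["path"])
```
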

Date filtering is another popular tool used in e-Discovery to help limit the number of documents that need to be reviewed and produced, but it also has flaws. Let’s say Franklin creates a file on Jan. 15 and continues to work in that file until April 5. When he no longer needs the file (say April 7), he copies it to a company server and deletes the original from his computer.

In May, we get a search request for all documents created in the first quarter—Jan. 1 to March 31. Franklin’s document should be produced, but it won’t be. The copy on the server will show a creation date of April 7 (the date the file first appeared on the server). It will show a “date modified” of April 5, which is earlier than the “date created” (an indication that the file is a copy), and both dates fall outside the parameters of the search. So Franklin’s potentially material document may be completely overlooked.
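The date-filter gap described above, as an added example that is not part of the original post: a plain "date created" filter beside one that treats "modified earlier than created" as a copy indicator and routes such files to review instead of silently excluding them. The year, paths and function names are assumptions; the post gives only months and days.

```python
from datetime import date

YEAR = 2014  # assumed year; the post states only month and day

# Constructed file-system records for the server share.
RECORDS = [
    # Franklin's file: copied to the server Apr 7, last edited Apr 5.
    {"path": "server/franklin/plan.doc",
     "created": date(YEAR, 4, 7), "modified": date(YEAR, 4, 5)},
    # Ordinary first-quarter file.
    {"path": "server/sue/memo.doc",
     "created": date(YEAR, 2, 10), "modified": date(YEAR, 2, 12)},
    # Ordinary file created after the window.
    {"path": "server/phil/notes.doc",
     "created": date(YEAR, 5, 2), "modified": date(YEAR, 5, 3)},
    # A copy whose last edit predates the window entirely.
    {"path": "server/archive/old.doc",
     "created": date(YEAR, 4, 20), "modified": date(YEAR - 1, 12, 1)},
]


def created_in_window(records, start, end):
    """Plain filter on the file system's 'date created'."""
    return [r["path"] for r in records if start <= r["created"] <= end]


def copy_aware_filter(records, start, end):
    """Return (hits, needs_review).

    When modified < created, 'created' is only the date this copy
    appeared, and the original was created on or before 'modified'.
    Such a file can be excluded safely only if 'modified' is before
    the window start; otherwise it is flagged for review.
    """
    hits, needs_review = [], []
    for r in records:
        if r["modified"] < r["created"]:
            if r["modified"] >= start:
                needs_review.append(r["path"])
        elif start <= r["created"] <= end:
            hits.append(r["path"])
    return hits, needs_review


if __name__ == "__main__":
    q1 = (date(YEAR, 1, 1), date(YEAR, 3, 31))
    print("created-date filter:", created_in_window(RECORDS, *q1))
    print("copy-aware filter:  ", copy_aware_filter(RECORDS, *q1))
```
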

New strategies need to be developed to address these issues at the industry level. For now, the best way to deal with them is to be aware and to use experienced forensic analysts to collect your data and preserve your metadata. Some e-Discovery products are addressing this through new filtering strategies that retain and produce metadata even on duplicated files.

As we move forward, expect to see metadata play a larger role in litigation. The industry will address the flaws in filtering, and more litigators will understand what a powerful and useful tool analysis of metadata can be.
