With proper forensic analysis, metadata can help highlight patterns, establish timelines, and point to gaps in the data.
Gary Torgersen
When it comes to metadata as part of a litigation strategy, we mostly see it used as supporting information
about the data. It is unusual, but not unheard of, to see metadata used directly as evidence. When the data
is black and white, you don’t need to depend on metadata to make your case.
That is likely to change as more people understand the role metadata can have in developing legal
strategy. With proper forensic analysis, metadata can help highlight patterns, establish timelines, and point
to gaps in the data. Most importantly, metadata can connect data to a particular user, opening the door to
proving knowledge and intent.
For example, let’s say you have an employee, “Phil,” who supervises five other workers. One of the workers, “Sue,” files a claim for
prejudice. Metadata can show if Phil accessed or revised Sue’s files
more often than her colleagues’. While this by itself doesn’t prove
bias, it can help establish a pattern of behavior that can support bias.
Having a list of metadata in context can point to patterns of
fact-specific activities among individuals. A forensic specialist will
have the experience to do the common sense things that otherwise
might be overlooked, such as validating the time stamp on the
systems. He or she will usually submit one of two types of reports: a
factual report cataloging the data in context or an opinion-based
report, which requires the expert to form an opinion of the case
based on the evidence. In rare cases, the expert may be required to
testify.
If Phil claims not to have seen a particular file before a certain date, metadata can corroborate or
disprove that claim by showing when Phil first accessed the file or when that file first appeared on Phil’s
computer. That is the goal of forensic examination of metadata: associating the data with other pieces of
information—a user who accessed it, a file directory where it was stored, the last time it was copied, etc.—
all of which can be vital to a case.
Metadata can produce circumstantial evidence to support a case. You can look at how files were accessed, in what order, and by whom. For example, metadata could show that “Franklin” accessed a computer from 9 to 9: 20 a.m. It also could show that a flash drive was connected to Franklin’s computer at 9:12
a.m. Finally, it could show that certain files were accessed from an external device between 9: 15 a.m. to
9:45 a.m. Logically, we would suspect that those files
were copied to the flash drive by Franklin.
Just about any action you take with a file changes
some aspect of its metadata. Typical e-Discovery
filtering strategies such as deduplication and date
filtering would be more effective with a better understanding of how metadata affects these actions.
Think of a computer system as a library. The file system, the structure that allows for the identification
and location of files, is the card catalog. The catalog potentially contains metadata not available in the
Just about any action you take
with a file changes some aspect of its
metadata.