FALL 2014 www.DFInews.com 13
book, such as who checked out the book, when
they checked it out, and where the book is located.
The books (files), rows and shelves (drives and
folders) represent the data area of the system. Each
book you check out will have metadata about the
book, such as author, title, and publishing date.
It also has additional metadata through the card
catalog record. The card catalog may contain
valuable information that will not be found in the
Now suppose you have two libraries with some of
the same books. If you applied an industry standard
deduplication filter, you’ll choose one book to save
and one to delete. When the duplicated book is
removed from the library, so is the catalog entry.**
This would cause you to lose the metadata associated with the deleted file. That may be of some
significance to the case. At the very least it results
in an incomplete picture.
Here’s another example: Phil and Franklin both
have an identical list of names on their computer.
Phil stores his list in a directory called “contacts.”
Franklin stores his in a directory called “victims.” A
deduplication filter might decide to keep Phil’s file
and delete Franklin’s along with the metadata that
shows in which directory Franklin’s file was stored.
Without the context metadata provides, Franklin’s
intent might never be discovered.
Date filtering is another popular tool used in
e-Discovery to help limit the number of documents
that need to be reviewed and produced, but it also
has flaws. Let’s say Franklin creates a file on Jan.
15 and continues to work in that file until April
5. When he no longer needs the file (say April 7),
he copies it to a company server and deletes the
original from his computer.
In May, we get a search request for all documents
created in the first quarter—Jan. 1 to March 31.
Franklin’s document should be produced, but it
won’t be. The copy on the server will show a creation date of April 7 (the date the file first appeared
on the server). It will show a “date modified” of
April 5, which is earlier than the “date created”
(and indicates the file is a copy), but that date is also outside the
parameters of the search. So Franklin’s potentially
material document may be completely overlooked.
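The date-filter gap described above, as an added Python example that is not from the article or from any e-Discovery product. The file paths, the year 2014, and the rule of routing copies to manual review are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class FileRecord:
    path: str       # constructed sample path
    created: date   # file-system "date created"
    modified: date  # file-system "date modified"

def naive_date_filter(records, start, end):
    """Keep files whose file-system creation date falls in [start, end]."""
    return [r for r in records if start <= r.created <= end]

def copy_aware_date_filter(records, start, end):
    """Split records into (responsive, needs_review).

    modified < created marks a copy: "created" is only when the copy landed,
    and the original was created on or before "modified". Such a file can be
    ruled out only if "modified" is before the window opens.
    """
    responsive, needs_review = [], []
    for r in records:
        if r.modified < r.created:
            # Copy: true creation date is unknown but not later than "modified".
            if r.modified >= start:
                needs_review.append(r)
        elif start <= r.created <= end:
            responsive.append(r)
    return responsive, needs_review

# Constructed sample data; the year 2014 is assumed.
Q1_START, Q1_END = date(2014, 1, 1), date(2014, 3, 31)
SAMPLE = [
    FileRecord("server/franklin/list.xlsx", date(2014, 4, 7), date(2014, 4, 5)),
    FileRecord("server/phil/budget.xlsx", date(2014, 2, 10), date(2014, 2, 20)),
    FileRecord("server/archive/old.doc", date(2014, 6, 1), date(2013, 12, 12)),
    FileRecord("server/phil/notes.txt", date(2014, 5, 2), date(2014, 5, 3)),
]

if __name__ == "__main__":
    print("naive:", [r.path for r in naive_date_filter(SAMPLE, Q1_START, Q1_END)])
    hits, review = copy_aware_date_filter(SAMPLE, Q1_START, Q1_END)
    print("responsive:", [r.path for r in hits])
    print("needs review:", [r.path for r in review])
```

The naive filter drops Franklin's server copy, while the copy-aware filter holds it for review because file-system dates alone cannot show whether the original was created inside the window.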
New strategies need to be developed to address
these issues at the industry level. For now, the best
way to deal with them is to be aware and to use
experienced forensic analysts to collect your data
and preserve your metadata. Some e-Discovery
products are addressing this through new filtering
strategies that retain and produce metadata even on
As we move forward, expect to see metadata play
a larger role in litigation. The industry will address
the flaws in filtering, and more litigators will understand what a powerful and useful tool analysis of
metadata can be.
**When data is deleted, it is not actually removed. This example is simplified in an effort to
help readers understand metadata.
Gary Torgersen is Vice President of Technology at
DSi. A Certified Computer Examiner (CCE) and
member of the International Society of Computer
Forensics Examiners (ISCFE), he has worked on hundreds of digital forensics and e-Discovery cases.