Federal Forensics Group
Forensic Computer Investigations and Analysis
Company News
Metadata – 21st Century Document Authentication
August 24th, 2009

Document Authentication
Signatures, faxes and paper are so 20th century. While there is still a need for handwriting analysis experts, modern document authentication takes place primarily in the digital domain. Frequently, a document such as a contract or letter of intent comes into question during litigation, and we are asked to verify whether it is authentic or fraudulent.

Working in the world of bits and bytes, one of the first things we check during a document evaluation is metadata. Files such as Microsoft Word documents can contain hidden information known as metadata. Metadata is “data about the data.” To use an analogy: if you were investigating a homicide in which a gun was used, the metadata would be everything about the gun, including fingerprints on the handle and trigger, the type of bullet fired, the time and date it was fired, and the number of times it was fired.

The metadata embedded in a Microsoft Word document might reveal the creator name, company name, when the file was created, where the file was saved, total editing time and potentially much more. This list is not exhaustive; it offers just a peek at what most document metadata contains. Any of these elements can be used to show whether a document is authentic.

Unexpected Metadata Revelations
If someone is surreptitiously trying to backdate a contract created in Microsoft Word, one thing they might do is set the clock back and then save the document with an earlier date. Taking a casual look at the computer, you might see Windows shows that the document was created or modified on the earlier date. However, a deeper inspection of the document itself might reveal that the metadata embedded in the document is inconsistent with the Windows time/date stamps.

For example, Windows might show a Last Modified Date of Jan. 23, 2005 while the metadata embedded in the document itself might show a much later date and even a different author. The document metadata can also reveal the total document editing time. When a document is intentionally backdated by setting the clock back and then resaving the document, the total editing time indicated can be unrealistically high, sometimes showing that the document was edited for years. Since typical document editing time is measured in hours or days, when we see a document that has been edited for years we become understandably suspicious.
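The comparison described above can be sketched in code. This is an added example, not the firm's own tooling: it reads the properties a .docx package stores in docProps/core.xml and docProps/app.xml (TotalTime is recorded in minutes) and checks them against a file system date. The function names, the 30-day and 5-minute thresholds, and the sample document are assumptions made for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}

def read_docx_metadata(data):
    """Read the properties Word embeds in docProps/core.xml and docProps/app.xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        core = ET.fromstring(pkg.read("docProps/core.xml"))
        app = ET.fromstring(pkg.read("docProps/app.xml"))
    # Embedded timestamps are W3CDTF strings such as 2008-06-02T09:30:00Z
    modified = core.findtext("dcterms:modified", namespaces=NS).replace("Z", "+00:00")
    return {"creator": core.findtext("dc:creator", namespaces=NS),
            "last_modified_by": core.findtext("cp:lastModifiedBy", namespaces=NS),
            "modified": datetime.fromisoformat(modified),
            "editing_minutes": int(app.findtext("ep:TotalTime", default="0", namespaces=NS))}

def find_inconsistencies(meta, fs_modified, max_edit=timedelta(days=30), slack=timedelta(minutes=5)):
    """Compare embedded metadata with the file system date (thresholds are assumptions)."""
    findings = []
    if abs(meta["modified"] - fs_modified) > slack:
        findings.append("embedded modified date differs from file system date")
    if meta["last_modified_by"] != meta["creator"]:
        findings.append("last saved by a different author than the creator")
    if timedelta(minutes=meta["editing_minutes"]) > max_edit:
        findings.append("total editing time unrealistically high")
    return findings

def build_sample_docx():
    """Constructed sample: a minimal package holding only the two property parts."""
    xmlns = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items() if p != "ep")
    core = (f"<cp:coreProperties {xmlns}><dc:creator>A. Author</dc:creator>"
            "<cp:lastModifiedBy>B. Editor</cp:lastModifiedBy>"
            "<dcterms:modified>2008-06-02T09:30:00Z</dcterms:modified></cp:coreProperties>")
    app = f'<Properties xmlns="{NS["ep"]}"><TotalTime>1800000</TotalTime></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/core.xml", core)
        pkg.writestr("docProps/app.xml", app)
    return buf.getvalue()

if __name__ == "__main__":  # file system date from the article's example: Jan. 23, 2005
    fs_date = datetime(2005, 1, 23, tzinfo=timezone.utc)
    print(find_inconsistencies(read_docx_metadata(build_sample_docx()), fs_date))
```

On a real file, the file system date would come from the evidence image's time stamps, and the script should be run against a working copy, never the original.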

Metadata used in conjunction with other elements of computer forensics such as internet activity, examination of emails and Windows time/date stamps can be used to determine if a document is the real deal or a forgery.

Is The Document Worth The Paper It’s Printed On?

Recently we have looked at a number of agreements and letters of intent that were provided to us on paper. When the authenticity of such a document is questioned, the electronic version is somehow almost always difficult to get access to. However, in those cases where we are able to examine the electronic version of the document, often a very different story emerges, illuminated by the bright light of metadata.

Pirates Get a Taste of Microsoft COFEE. Microsoft’s Computer Online Forensic Evidence Extractor (COFEE) software, which helps law enforcement officials grab data from password protected or encrypted sources, has leaked.

Facebook Privacy Changes Draw Mixed Reviews. Facebook’s revamped privacy settings will push more user data onto the Internet and, in some cases, make privacy protection harder for Facebook users, digital civil liberties experts said.

Hackers Pillage Jailbroken iPhones. Hackers are plundering personal data from jailbroken iPhones using the tactic demonstrated last week by an Australian programmer’s self-described “prank,” researchers said today.

Social Networking Explodes and The Law Will Follow. Inevitably, we will see lawsuits where people allege that they have been defamed by false information about them posted on social networking pages.

Crafting a More Effective Keyword Search. Despite the insight of Facciola, Grimm and Peck, lawyers still don’t know what to do when it comes to effective, defensible keyword search.

Police say hacker stole phone time from AT&T, others. The investigation began in May 2007 following a tip-off from the FBI that a group of hackers based in the Philippines had violated the IT security of major international phone companies.

Don’t Mess With System Metadata. Sometimes a computer holds evidence, and sometimes a computer is evidence. It’s a distinction with a difference when deciding whether to act in ways that will stomp on data essential to computer forensic examination.

How Facebook mucks up office life. Managing a workforce is already a challenging job; now Facebook and other social networks raise a host of sticky new situations.

Linux group seeks to discredit Microsoft patents in TomTom case. A Linux group is hoping to discredit three Microsoft Corp. patents that were at the heart of the software vendor’s recent lawsuit against GPS device maker TomTom NV.

Laid-off workers as data thieves? A growing crime wave where laid-off workers exact vengeance on their former employers by walking out the door with sensitive customer data and other proprietary information.

As Jurors Turn to Web, Mistrials Are Popping Up. The use of BlackBerrys and iPhones by jurors gathering and sending out information about cases is wreaking havoc on trials around the country, upending deliberations and infuriating judges.

e-Discovery Rules - Interpreting ESI from Federal to State Courts. Is it email? Certainly, but what about the email stored on inaccessible backup tapes or legacy systems from 15 years ago? What about voicemail, instant messages or random access memory (RAM)?

 
Federal Forensics Group
5777 W. Century Blvd., Ste. 1015, Los Angeles, CA 90045 •  310.318.1073 direct  310.388.1523 fax