Metadata


Metadata is information stored or recorded as a property of an object, state of a system, or transaction.

  • Each logged event has metadata
  • Can answer timeline questions as well as contain other types of evidence
  • Is the data about data found in almost any file
  • Can reveal not only mundane information but also more interesting data such as usernames, server names, network file paths, and deleted or updated information
  • File metadata provides data for searches, sorting, file processing, and more

EXIF Data

EXIF data is image and video file metadata.

  • Includes camera settings and hardware
  • View and edit EXIF data with ExifTool
  • Images from devices with GPS could include location coordinates

File Metadata

  • File metadata is stored as attributes:
    • security attribute
      • e.g., marking it as read-only or as a hidden or system file
    • permissions
      • ACL attached to a file showing its permissions
    • extended attributes
      • recording an author, copyright information, or tags for indexing/searching

Web Metadata

  • When a client requests a resource from a web server
    • server returns the resource plus headers setting or describing its properties
  • The client can include headers in its request
  • A key use of headers:
    • transmit authorization information in the form of cookies
  • Headers describing the type of data returned (text or binary, for instance) can also be of interest
  • The contents of headers can be inspected using the standard tools built into web browsers
  • Header information may be logged by a web server

Email Metadata

An email's internet header is a record of the email servers involved in transferring an email message from a sender to a recipient.

  • Contains:
    • address information for the recipient and sender
    • details of the servers handling transmission of the message between them
  • When an email is created,
    • the mail user agent (MUA) creates an initial header and forwards the message to a mail delivery agent (MDA)
    • MDA should perform checks that the sender is authorized to issue messages from the domain
    • MDA adds or amends its own header and then transmits the message to a message transfer agent (MTA)
    • MTA routes the message to the recipient
      • with the message passing via one or more additional MTAs
        • e.g., SMTP servers operated by ISPs or mail security gateways
    • Each MTA adds information to the header
  • Headers aren’t exposed to the user by most email applications
    • View headers via a message properties/options/source command
  • Email headers can be parsed with the Message Analyzer tool
    • Lays out the hops that the message took more clearly and breaks out the headers added by each MTA
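
The hop-by-hop layout described above can be reproduced with Python's standard `email` module by reading the `Received` headers that each server adds. This is an added example, not part of the original notes; the sample message, its host names and the `received_hops` helper are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (reserved example domains and documentation IPs).
RAW = """\
Received: from gw.example.net (gw.example.net [198.51.100.7])
\tby mx.example.org with ESMTPS id C3;
\tMon, 03 Mar 2025 10:00:09 +0000
Received: from smtp.example.com (smtp.example.com [192.0.2.25])
\tby gw.example.net with ESMTP id B2;
\tMon, 03 Mar 2025 10:00:05 +0000
Received: from laptop.local (unknown [203.0.113.40])
\tby smtp.example.com with ESMTPSA id A1;
\tMon, 03 Mar 2025 10:00:02 +0000
From: Alice <alice@example.com>
Subject: Quarterly report

Body text.
"""

HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)")

def received_hops(raw):
    """Return the Received hops oldest-first, with per-hop delay in seconds."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its header, so the last Received line is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        route, sep, stamp = flat.rpartition(";")
        route, stamp = (route, stamp) if sep else (flat, "")  # no timestamp
        m = HOP_RE.search(route)
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when = None
        hops.append({"from": m.group(1) if m else None,
                     "by": m.group(2) if m else None,
                     "time": when, "delay_s": None})
    # A negative or missing delay points to clock skew or an unreliable header.
    for prev, cur in zip(hops, hops[1:]):
        if prev["time"] and cur["time"]:
            cur["delay_s"] = (cur["time"] - prev["time"]).total_seconds()
    return hops

if __name__ == "__main__":
    for n, hop in enumerate(received_hops(RAW), 1):
        print(n, hop["from"], "->", hop["by"], hop["time"], hop["delay_s"])
```

`Received` lines are written by whichever system handled the message, so only those added by servers you trust are reliable evidence; entries below them can be supplied by the sender.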