Eliciting file relationships using metadata based associations for digital forensics

Cited by: 0
Authors
Sriram Raghavan
S. V. Raghavan
Affiliations
[1] Secure Cyber Space, Department of Computer Science & Engineering
[2] Indian Institute of Technology Madras
Keywords
Metadata; Metadata association; Metadata family; File relationship; Association group; Association index
DOI
10.1007/s40012-014-0046-4
Abstract
In the conventional system of analysis that is concerned with digital forensics, content is analyzed to describe the state of files in digital evidence and ascertain their relevance. Such content analysis is carried out using “searching”. When searching a file or for a file, use of keywords is the norm. When the exact words are not known, one may use regular expression search which uses a more flexible language for describing a set of keywords that fit a pattern. During analysis, there is also a need to identify all types of associations that exist between the files to answer the six fundamental questions of what, when, where, how, who and why. If the keywords and pattern have limited scope, an examiner often has very little to go on. Metadata contains information that represents the state of a file, even if partially. Besides, metadata based search is amenable to automation by virtue of the ubiquitous nature of metadata. During analysis, metadata can be used to ascertain the nature of digital photographs that were processed using software and identify digitally generated images that resemble original photographs. Metadata can also be used to identify word processing documents that were derived from other documents and stored as a duplicate or after modification in such a way that traditional techniques cannot detect. Often what is needed is the ability to identify section(s) of the evidence where relevant information appears to reside. Metadata based matches give rise to file relationships that encapsulate the event sequence among related files aiding in the discovery. This paper proposes a method to automatically identify associations among the files in digital evidence at the syntactic and semantic levels using metadata. 
We apply this method to identify metadata associations from collections of image files and word processing documents and elicit inter-file relationships for the purpose of identifying interesting or relevant files from large file collections in digital evidence. We demonstrate that the file relationships identified using metadata help in the identification of doctored photographs and copied documents.
Pages: 49 - 64
Number of pages: 15