Metadata Analysis


Chapter 3: Computer Forensics


When defending child pornography cases, it is essential to understand the role of metadata in order to understand the evidence of the case and explain it to the jury. Metadata is commonly described as “data about data,” and is defined as “secondary data that organize, manage, and facilitate the use and understanding of primary data.”[1] It attaches to electronically stored information. In other words, metadata is the underlying data that is attached to a file that provides identifying information about the file. It includes information about when the file was produced, when it was last modified, the type of device used to create it, the brand or model of the camera used to create it, and the program or firmware used to create it.

Metadata analysis requires expertise and specialized software. If a case involves metadata, it might be useful to hire a computer forensics expert witness. When collecting metadata, keeping the original source of the data will present the cleanest information forensically. Otherwise, doubt can be cast on the evidence at trial. Metadata can be helpful in recovering file names and their modification and access dates, the information stored within a document or file, hidden document information, and a history of the number of writes/reads of records.

EXIF data is a format of metadata attached to a video or digital image file. EXIF metadata cannot identify a specific unique camera or the serial number of a camera.[2] A computer forensics expert may be able to use this information to support the claim that an image was computer-generated or altered. Metadata can yield a large amount of information about an image’s origin and alteration.[3]

Metadata can also reveal where images were previously stored on a computer, or what they were previously named.[4] It may also reveal information about who was responsible for the creation or modification of electronically sourced information. It can also establish when the file was accessed and how frequently it was opened. Intent to access child pornography is typically demonstrated through a digital forensics examination of the defendant’s electronic devices and the material’s metadata. For example, if a file was previously named with a common child pornography search term, was located in a folder with a name indicating child pornography, was not just downloaded but also actively moved, or was opened once or multiple times, the government could argue that there was knowledge or intent. On the other hand, the defense expert may be able to determine if the download was unintentional by looking at the original file name, whether the file was ever opened, and whether the user tried to delete the file. Peer-to-peer (P2P) programs are designed in a way that a user may download child pornography unintentionally, and an expert can analyze the metadata to help establish whether or not this was the case.

While the government must allow the defense to access the metadata of the material, it is not compelled to also provide its interpretation or analysis of the metadata.[5]

The government may obtain a search warrant to search for metadata. The affidavit for a warrant must establish probable cause to search for the metadata. However, a district court found that if the metadata was made public on the Internet when the defendant uploaded the material, the defendant does not have a Fourth Amendment privacy interest in the data and the government may use the data for search purposes.[6] Law enforcement may use software such as EnCase or Cellebrite to search electronic devices.

It is possible to make it appear as though files were created at different dates and times, but metadata from the original source will likely reveal the history of changes. However, metadata is not foolproof. For example, if someone were to make a copy of a file, the metadata would show a created date of when the copy was made, and not that of the original file. Missing metadata can also be considered evidence, as it could indicate that a file may have been tampered with.

For an expert to testify about metadata, the testimony must conform with Rules 702 and 703.[7]

[1] United States v. Haymond, 672 F.3d 948, 953 (10th Cir. 2012); Black’s Law Dictionary 1080 (9th ed. 2009)

[2] United States v. Hager, 710 F.3d 830, 832 (8th Cir. 2013)

[3] King, D. (2004). Methods of Proof: The ‘Real Child’ Issue in Child Pornography Cases. American Prosecutors Research Institute, 1(2).

[4] United States v. Powers, 364 F. App’x 979, 981 (6th Cir. 2010) (Unpublished)

[5] 18 U.S.C. § 3509(m)(1); United States v. Gutierrez, 625 F. App’x 888, 891 (10th Cir. 2015)

[6] United States v. Post, 997 F. Supp. 2d 602, 606 (S.D. Tex. 2014)

[7] United States v. Duggar, 76 F.4th 788, 795 (8th Cir. 2023)

