Friday, September 03, 2010

Metadata – 21st Century Document Authentication

by Eric Robi

Signatures, faxes and paper are so 20th century

While there is still a need for handwriting analysis experts, modern document authentication techniques takes place primarily in the digital domain. Frequently a document such as a contract or letter of intent comes into question during litigation and we are asked to verify if it is authentic or fraudulent.

One of the first things computer forensic experts check during a document evaluation is metadata. Files such as Microsoft Word documents can contain hidden information known as metadata. Metadata is “data about the data.” If we were to use an analogy, if you were to investigate a homicide in which a gun was used, the metadata would be everything about the gun, including fingerprints on the handle and trigger, the type of bullet fired, the time and date it was fired, and the number of times it was fired. The metadata embedded in a Microsoft Word document might reveal: the creator name, company name, when the file was created, where the file was saved, total editing time and potentially much more. This list is not exhaustive, instead just offering a peek of what most document metadata contains. Any of these elements can be used to show a document is authentic or not.

Unexpected Metadata Revelations

If someone is surreptitiously trying to backdate a contract created in Microsoft Word, one thing they might do is set the clock back and then save the document with an earlier date. Taking a casual look at the computer, you might see Windows shows that the document was created or modified on the earlier date. However, a deeper inspection of the document itself might reveal that the metadata embedded in the document is inconsistent with the Windows time/date stamps. For example, Windows might show a Last Modified Date of Jan. 23, 2005 while the metadata embedded in the document itself might show a much later date and even a different author.

The document metadata can also reveal the total document editing time. When a document is intentionally backdated by setting the clock back and then resaving the document, the total editing time indicated can be unrealistically high, sometime showing that the document was edited for years. Since typical document editing time is measured in hours or days, when we see a document that has been edited for years we become understandably suspicious.

Metadata used in conjunction with other elements of computer forensics such as internet activity, examination of emails and Windows time/date stamps can be used to determine if a document is the real deal or a forgery.

Is The Document Worth The Paper It’s Printed On?

Recently we have looked at a number of agreements, and letters of intent that are provided to us on paper. If the authenticity of the document is questioned, somehow the electronic version of the document is almost always difficult to get access to. However, in those cases where we are able to examine the electronic version of the document, often a very different story emerges, illuminated by the bright light of metadata.

Visit Eric's website at

No comments: