Respond to two class discussion posts on digital forensics

1) File metadata is essentially data attached to the file that summarizes pertinent information about that specific file. Some examples of file metadata may be author name, the date the file was created, the date that the file was last modified, and the size of the file. Different file types may contain different types of metadata. For example, picture files may contain EXIF metadata, which contains the make/model of the camera used to take a picture, the digital photographic settings that the camera was using while taking the picture, and the geographic coordinates where the photograph was taken. Documents, on the other hand, may contain the author’s name, the number of pages in the document, the name of the computer on which the document was created, and the name of the organization to which the computer belongs. File metadata can be utilized as identifying information of the origin or ownership of a file. This information could be invaluable to a computer forensics investigation.

One prolific example where file metadata played a massive role in apprehending a criminal is the case of the BTK killer, otherwise known as Dennis Rader. After years of silence, Dennis Rader decided he wanted to put himself back into headlines, so he contacted a local television station and police. He asked if he could communicate with them through files he put onto a floppy disk. Of course, the police obliged without mentioning that the files contained on the disk would contain metadata that could potentially track who the then-unknown BTK killer was. Without knowing this, Dennis Rader mailed a floppy to the police which contained a Word document with his message. The police examined the metadata of the Word document, which enabled them to trace it back to Dennis Rader and his church organization’s computers. This eventually led to his arrest and the solving of all the BTK killer’s murders.

2) A file signature is the hexadecimal mark on it that reveals the actual type of file it is when processed through a viewer. Specifically, it is the digital information inside its header/footer that describes the unique type of file application associated with it. [1] On cursory inspection, if only relying on the displayed file extension, the actual application can be missed without the use of other viewer tools. A file signature is important in computer forensics as it reveals the actual application used to read the file instead of relying on the visible file extension. Examples of common file signatures (type/hexadecimal) include Adobe PDF/25 50 44 45, MS Office 2007 document/50 4B 03 04 14 00 06 00, JPEG image/FF D8 FF, and GIF image/47 49 46 38 37 61. [1] To combat file signature analysis with computer forensics, file signature manipulation as an antiforensic method is employed with a hex editor to change the header/footer to a different electronic file type. [2] This is an example of the constant spy versus spy, method/counter-method of the world of forensics as new techniques are employed and antiforensics are developed. For instance, when a suspect changes the header to insert a hidden message, then transfers it to another suspect with knowledge of how to change it back to read it, the counter is to examine the recent programs and files opened to view them by the suspect.
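The signature-versus-extension check described in post 2, as an added example that is not part of either discussion post. It uses three of the signatures listed there; the file names, sample bytes, and the extension sets mapped to each type are constructed assumptions for illustration.

```python
import os

# (type, leading bytes, extensions an examiner would expect for that type).
# Hex values are those quoted in the post; the extension sets are assumptions.
SIGNATURES = [
    ("MS Office 2007 document", bytes.fromhex("504B030414000600"),
     {".docx", ".xlsx", ".pptx"}),
    ("JPEG image", bytes.fromhex("FFD8FF"), {".jpg", ".jpeg"}),
    ("GIF image", bytes.fromhex("474946383761"), {".gif"}),
]
HEADER_LEN = max(len(magic) for _, magic, _ in SIGNATURES)


def identify(header: bytes):
    """Return (type name, expected extensions) for a header, or (None, set())."""
    for name, magic, exts in SIGNATURES:
        if header.startswith(magic):
            return name, exts
    return None, set()


def triage(filename: str, header: bytes) -> str:
    """Classify a file as 'match', 'mismatch' or 'unknown-signature'."""
    ext = os.path.splitext(filename)[1].lower()
    name, exts = identify(header)
    if name is None:
        # Header matches nothing known: possibly overwritten with a hex editor,
        # so it goes to manual review instead of being trusted by extension.
        return "unknown-signature"
    return "match" if ext in exts else "mismatch"


def triage_path(path: str) -> str:
    """Same check for a file on disk; reads only the leading bytes."""
    with open(path, "rb") as fh:
        return triage(path, fh.read(HEADER_LEN))


# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("holiday.jpg", bytes.fromhex("FFD8FFE000104A46")),   # genuine JPEG
    ("notes.txt", bytes.fromhex("FFD8FFE000104A46")),     # JPEG renamed to .txt
    ("report.docx", bytes.fromhex("504B030414000600")),   # genuine Office file
    ("anim.gif", bytes.fromhex("0000000000006100")),      # header overwritten
]

if __name__ == "__main__":
    for fname, head in SAMPLES:
        print(f"{fname:12} {triage(fname, head)}")
```

A "mismatch" or "unknown-signature" result is a lead for further examination, not proof of tampering, since many legitimate formats are absent from this short table.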
