Tampering and Vulnerability of File Metadata

Hendratna Mutaqin

Abstract

There are several ways to make evidence valid and useful in proving an allegation, particularly in a criminal case. One technique, for electronic evidence in particular, is to examine its metadata. Metadata gives basic information about the data. However, once a file has been shared with other parties it is hard to ensure the file's validity. Someone can alter a file's metadata, or create a file and then change its metadata, to produce false evidence. Various anti-forensic programs have functions to remove or edit metadata and so create deceptive evidence.

Introduction
A computer operating system can display basic information about a file, including its modified, accessed and created dates. In Windows, right-clicking a file and selecting Properties shows this file metadata. However, Doug (n.d.) explains that it can become inaccurate because of anti-forensic programs such as SetFileDate, BulkFile and A PDF. Someone can also alter every metadata field of JPG and TIFF images with an application such as AnalogExif. The investigator has to know how to tell an authentic file from a fake one. Unfortunately, perpetrators keep refining the methods they use to commit crimes, and they use many techniques to conceal their activity. Therefore the police or other law enforcement agencies should be aware that a crime is happening, has already happened, or will happen. Computer forensics can be the answer to handling it.

Computer forensics is a well-known method used by law enforcement agencies or corporate investigators to collect evidence. It has several steps, starting with creating an image of the physical drive. FTK Imager is one forensic toolkit with this function. File verification must follow imaging, so a matching hash value is crucial at this step. File verification is the process of using an algorithm to verify the integrity or authenticity of a computer file; the usual approach is to compare the hash values of the physical drive and the image. Finding two or more files with the same name in the image of the physical evidence becomes a big issue when the investigator has to determine which is authentic. A bigger question arises when someone altered several files on the physical drive before the investigator imaged the device; this is known as tampering. File tampering is the intentional modification of a file in a way that makes it harmful to its users. It is dangerous when such files affect the verdict in a criminal trial.

Literature Review
Metadata is structured information that describes, explains, locates, or otherwise makes it easier to retrieve, use, or manage an information resource. Metadata is often called data about data or information about information (NISO, 2004). Metadata can be decisive in court. It records when a file was created, modified and last accessed, and this information sometimes points to who committed the crime. A smartphone has many functions that create files and record their metadata, which commonly includes the GPS coordinates of the recording location. Depending on the user's settings, the file metadata often also includes details about the software or equipment used to capture the recording.

Tampering, from a legal perspective, means the illegal or improper alteration of, or interference with, a document or evidence, or meddling or negotiating with a witness to influence his or her testimony (Business Dictionary, 2016).

Methodology
This research investigates how to differentiate an original file from a fake one based on its metadata. The investigation uses the anti-forensic tools SetFileDate and Launch MetaClean to alter the file metadata and analyses the impact, and then uses Autopsy and FTK Imager to try to detect the fake metadata. The methodology comprises:
  1. Create or copy three files of different formats (JPG, Microsoft Word document and PDF) onto a flash drive;
  2. Record the metadata of these files by right-clicking and viewing Properties in Windows, and from the directory entry on Ubuntu;
  3. Copy these files and alter their metadata with SetFileDate and Launch MetaClean;
  4. Record the metadata of the altered files in the same two ways (Windows Properties and the directory entry on Linux-Ubuntu) and compare it with the original metadata;
  5. Analyse the two sets of file metadata with FTK Imager and Autopsy;
  6. Record the result and draw a conclusion.
The investigation begins by creating three files of different formats: a Microsoft Word document, a PDF and a JPG image.

Figure 1: Three files as the investigation object


Source: File creation by author

The second step is to record their metadata by right-clicking each file and viewing its Properties on Windows.

Figure 2: Microsoft Word Document File Metadata




Source: Personal Statement.docx properties

The file Personal Statement.docx was created on November 10, 2014. It was copied to the flash drive on November 15, 2016, and its last modified date is April 2, 2015.

Figure 3: PDF File Metadata



Source: Sertifikat.pdf properties

The PDF file's metadata gives the created and modified dates of Sertifikat.pdf: created on November 15, 2016, the day the files were copied to the flash drive, with a last modified date of April 6, 2015.

Figure 4: JPG File Metadata



Source: File IMG_2057’s Properties

A JPG file carries deeper metadata. IMG_2057.JPG was taken on February 14, 2015, copied to the flash drive on November 15, 2016, and its last modified date is February 13, 2015. A Linux terminal can also show the file metadata on the flash drive: create an image with the dd command and inspect the raw directory entry with the blkcat command (part of The Sleuth Kit).

Figure 5: Directory Entries of the Flash Drive


Source: Linux-ubuntu terminal

The basic directory entry structure of the FAT file system is given in Table 1.

Table 1: Directory Entry on FAT32

Source: Retrieved from http://c-jump.com/bcc/

From the table, the creation date is at bytes 16-17, the access date at bytes 18-19 and the modified (write) date at bytes 24-25 of the 32-byte entry; the corresponding times are at bytes 14-15 (create) and 22-23 (write), while the access field holds a date only. Each date is a 16-bit little-endian value: the top seven bits are the year counted from 1980, the next four the month and the low five the day. The three tables below show how to convert the hexadecimal values first to binary and then to a date.
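As an added example (not code from the original post), the following Python decodes those fields from a raw 32-byte FAT directory entry of the kind blkcat shows. The entry bytes are constructed here to match the IMG_2057.JPG dates reported above; the times of day, size and cluster number are assumed. It also builds the same entry after a SetFileDate-style rewrite of all three stamps to January 1, 1990, so the hexadecimal values at bytes 16-17, 18-19 and 24-25 can be compared directly.

```python
"""Decode timestamps from a raw FAT32 short-name directory entry.

Added example, not from the original post. The sample entries are
constructed by hand; dates follow the post, times/size/cluster are assumed.
"""
import struct
from datetime import date, datetime, time


def fat_date(raw: int) -> date:
    """16-bit FAT date: bits 15-9 year since 1980, 8-5 month, 4-0 day."""
    return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)


def fat_time(raw: int, tenths: int = 0) -> time:
    """16-bit FAT time: bits 15-11 hours, 10-5 minutes, 4-0 seconds/2.
    `tenths` is the optional 10 ms create-time refinement stored at byte 13."""
    seconds = (raw & 0x1F) * 2 + tenths // 100
    return time(raw >> 11, (raw >> 5) & 0x3F, seconds, (tenths % 100) * 10_000)


def parse_dir_entry(entry: bytes) -> dict:
    """Parse one 32-byte FAT directory entry into name, attributes and stamps."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    if entry[11] == 0x0F:
        raise ValueError("long-file-name entry, not a short-name record")
    name = entry[0:8].decode("ascii", "replace").rstrip()
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    # Little-endian fields from offset 14 to the end of the entry:
    # ctime(14) cdate(16) adate(18) cluster-hi(20) wtime(22) wdate(24)
    # cluster-lo(26) size(28)
    ctime, cdate, adate, hi, wtime, wdate, lo, size = struct.unpack_from(
        "<HHHHHHHI", entry, 14)
    return {
        "name": f"{name}.{ext}" if ext else name,
        "attr": entry[11],
        "created": datetime.combine(fat_date(cdate), fat_time(ctime, entry[13])),
        "accessed": fat_date(adate),            # FAT keeps no access time of day
        "modified": datetime.combine(fat_date(wdate), fat_time(wtime)),
        "first_cluster": (hi << 16) | lo,
        "size": size,
    }


def build_dir_entry(name, ext, created, accessed, modified, size, cluster=3):
    """Inverse of parse_dir_entry; used here only to construct sample input."""
    def d(dt): return ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    def t(dt): return (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    head = name.ljust(8).encode() + ext.ljust(3).encode() + bytes([0x20, 0, 0])
    tail = struct.pack("<HHHHHHHI", t(created), d(created), d(accessed),
                       cluster >> 16, t(modified), d(modified),
                       cluster & 0xFFFF, size)
    return head + tail


# Constructed sample: copied to the drive on 2016-11-15, content last
# written 2015-02-13 (the pattern a plain file copy leaves on FAT).
ORIGINAL = build_dir_entry("IMG_2057", "JPG",
                           datetime(2016, 11, 15, 9, 12, 30),
                           datetime(2016, 11, 15),
                           datetime(2015, 2, 13, 10, 30, 0), 2_345_678)

# Same entry after a SetFileDate-style rewrite of all three stamps.
TAMPERED = build_dir_entry("IMG_2057", "JPG",
                           datetime(1990, 1, 1, 0, 0, 0),
                           datetime(1990, 1, 1),
                           datetime(1990, 1, 1, 0, 0, 0), 2_345_678)

if __name__ == "__main__":
    for label, raw in (("original", ORIGINAL), ("tampered", TAMPERED)):
        print(label, "cdate", raw[16:18].hex(), "adate", raw[18:20].hex(),
              "wdate", raw[24:26].hex(), parse_dir_entry(raw))
```

The bytes printed for the original entry are 6f49 / 6f49 / 4d46, that is 0x496F (2016-11-15) and 0x464D (2015-02-13) stored little-endian, which is the conversion the tables perform by hand; after the rewrite all three fields read 2114 (0x1421, 1990-01-01). Output from blkcat or a hex dump of the directory cluster can be passed to parse_dir_entry as bytes in the same way.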
The third step is to use a software application to change the metadata of the three files. SetFileDate 2.0 is used in this research to alter the file metadata.

Figure 6: Process of Changing file metadata



Source: SetFileDate 2.0

SetFileDate 2.0 is an anti-forensic application with a destructive function: it can modify file metadata, specifically the created, modified and last accessed timestamps. The metadata of the three files is changed with this tool to January 1, 1990. After the change, the new metadata is recorded and compared with the previous metadata.

Figure 7: Microsoft Word Document File Metadata modified by SetFileDate 2.0




Source: Personal Statement.docx properties
The file-system metadata (date created, date modified and date accessed) has changed, but the content created and last saved times have not, because SetFileDate cannot reach them: they are stored inside the document itself, not in the file system. This research therefore uses Launch MetaClean to change the content created and last saved information.
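To make the difference between the two layers concrete, here is an added Python example (not from the original post, and not code from either tool). It builds a minimal .docx in a temporary directory with assumed dates, emulates what SetFileDate does by rewriting only the file-system timestamps with os.utime, then emulates what MetaClean adds by rewriting docProps/core.xml, and runs a consistency check at each stage. The creation time is not settable through os.utime, so the check relies on the modified stamp alone.

```python
"""Compare a .docx file's embedded core properties with its file-system
timestamps. Added example, not code from the original post or the tools
it names. The document is constructed in a temp directory; dates assumed.
"""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>author</dc:creator>
 <dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>
</cp:coreProperties>"""

NS = {"dcterms": "http://purl.org/dc/terms/"}
STAMP = "%Y-%m-%dT%H:%M:%SZ"


def write_docx(path, created, modified):
    """Write a minimal OOXML package; only docProps/core.xml matters here."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")     # placeholder parts
        z.writestr("word/document.xml", "<document/>")
        z.writestr("docProps/core.xml", CORE_XML.format(
            created=created.strftime(STAMP), modified=modified.strftime(STAMP)))


def read_core_dates(path):
    """Return (created, modified) from docProps/core.xml as UTC datetimes."""
    with zipfile.ZipFile(path) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def get(tag):
        text = root.find(f"dcterms:{tag}", NS).text
        return datetime.strptime(text, STAMP).replace(tzinfo=timezone.utc)
    return get("created"), get("modified")


def fs_mtime(path):
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def check_consistency(path):
    """Return a list of findings; an empty list means nothing contradicts itself."""
    created, modified = read_core_dates(path)
    mtime = fs_mtime(path)
    findings = []
    if modified < created:
        findings.append("content modified before content created")
    # The last save wrote the container, so the file-system mtime cannot
    # legitimately predate the embedded last-saved stamp (2 s slack covers
    # FAT's write-time granularity). A tool that also rewrites core.xml, as
    # the post reports for MetaClean, removes this signal.
    if mtime + timedelta(seconds=2) < modified:
        findings.append("file-system mtime predates embedded last-saved time")
    return findings


def demo():
    """Build one document, then check it before and after two tampering steps."""
    path = os.path.join(tempfile.mkdtemp(), "Personal Statement.docx")
    created = datetime(2014, 11, 10, 8, 0, tzinfo=timezone.utc)   # assumed
    saved = datetime(2015, 4, 2, 14, 30, tzinfo=timezone.utc)     # assumed
    write_docx(path, created, saved)
    os.utime(path, (saved.timestamp(), saved.timestamp()))
    before = check_consistency(path)

    # Step 1: rewrite only the file-system stamps (SetFileDate's effect).
    back_dt = datetime(1990, 1, 1, tzinfo=timezone.utc)
    back = back_dt.timestamp()
    os.utime(path, (back, back))
    after_fs = check_consistency(path)

    # Step 2: also rewrite the embedded stamps (what MetaClean adds).
    write_docx(path, back_dt, back_dt)
    os.utime(path, (back, back))
    after_both = check_consistency(path)
    return before, after_fs, after_both


if __name__ == "__main__":
    for label, f in zip(("clean", "fs stamps only", "fs + embedded"), demo()):
        print(f"{label:15s} -> {f or 'no contradiction'}")
```

The middle stage is the situation in Figure 7: the file system says 1990 while core.xml still says 2015, and that contradiction is detectable. The last stage is the situation after MetaClean, where both layers agree and the check, like the toolkits discussed later, has nothing left to flag.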

Figure 8: Process of change metadata information using Launch MetaClean


Source: Launch MetaClean

The new metadata of Personal Statement.docx is shown in Figure 9.
Figure 9: Microsoft Word Document File Metadata modified by Launch MetaClean





Source: Personal Statement.docx properties

Figure 10: PDF File Metadata modified by SetFileDate 2.0



Source: Sertifikat.pdf properties
The result is that all of the PDF file's metadata has changed.
Figure 11: JPG File Metadata modified by SetFileDate 2.0




Source: IMG_2057.jpg properties

The metadata of this file has changed except for the date taken, which is stored in the image itself. This research uses Launch MetaClean to change the date taken and date acquired.
Figure 12: Changing the Date Taken of File IMG_2057



Source: IMG_2057.jpg Properties

The result is that all of the file metadata has changed. Furthermore, Figure 13 shows the file metadata on the Linux-Ubuntu terminal.
Figure 13: Directory Entries of the Flash Drive


Source: Linux terminal

The directory entries confirm that all of the file metadata has changed.
The next step is to analyse the modified file metadata with forensic toolkits. This research uses FTK Imager to create an image file and analyse it, and Autopsy to analyse the files as well. The imaging process is shown in Figure 14.
Figure 14: Process of imaging file


Source: FTK Imager

Matching hash values is essential in the imaging process. The output of imaging is the file Modify Metadata.001 together with two files containing a directory listing and the recorded hash values.

Figure 15: Image of the Flash drive

Source: FTK Imager

After creating the image, open FTK Imager and Autopsy and attach it. FTK Imager and Autopsy are forensic toolkits that are useful for legal matters. This investigation uses them to analyse the metadata of all the content on the flash drive.

Figure 16: Analyzing file Personal Statement.docx, Sertifikat.pdf, and IMG_2057.jpg by FTK Imager



Source: FTK Imager

The metadata of all three files has changed, and FTK Imager cannot recover the original metadata: it reports what is on the disk, and the original values are no longer there. This means that Microsoft Word, PDF and JPG files are highly vulnerable to this kind of tampering. Once someone alters the metadata in both the file system and the file content, it is very hard to learn the original values.

Figure 17: Analyzing file Personal Statement.docx, Sertifikat.pdf, and IMG_2057.jpg by Autopsy




Source: Autopsy

In line with FTK Imager, Autopsy also cannot recover the original file metadata.

Result
File metadata can be seen on either Windows or Linux-Ubuntu, and it changes with the file's activity. This research used three file formats: Microsoft Word document, PDF and JPG. The anti-forensic applications could alter and modify the metadata of each of them. This research then tried to recover the original metadata with two forensic toolkits; unfortunately, neither FTK Imager nor Autopsy could detect it. Once someone alters the metadata, it is very hard to learn the original values.

Conclusion
Tampering has a significant impact on a file's validity because file metadata is very easy to change. The vulnerability of Microsoft Word, PDF and JPG files lets a perpetrator modify their metadata easily, and changing it can have a tremendous impact depending on the purpose. Police and other law enforcement agencies should be aware of this.

References
Business Dictionary. (2016). Tampering definition. Retrieved from http://www.businessdictionary.com/definition/tampering.html

Doug, C. (n.d.). Forensic Protection: Detect and prevent file tampering in multimedia files. Retrieved from http://www.forensicprotection.com/Education_Authenticate.html

Eager, B. (2012). A Tutorial of the FAT File System. Retrieved from http://tavi.co.uk/phobos/fat.html

File System Data Structures. (n.d.). Retrieved from http://c-jump.com/bcc/

National Information Standards Organization (NISO). (2004). Understanding Metadata. Bethesda, MD: NISO Press.
