Introduction
Metadata, in general, is "data about data": in principle, it is a unique set of attributes (data) that describes the varying properties of the object (data) it accompanies at all times. A digital forensic investigation recasts the same definition as "evidence about evidence", that is, a set of clues (evidence) about an object of digital archaeological interest (evidence), as quoted in the digital forensic research works of Raghavan, S. (2013). Filtering over metadata lets the investigator connect the missing dots, locate a precise suspect document and prove its origin by reconstructing the timeline in a forensically sound manner. Most metadata is piggybacked on the file it describes and displays information such as file name, file size, file extension, and modified, accessed, and created (MAC) timings. For a digital forensic investigator, metadata is a unique way to learn something, or everything, about what surrounds the actual data. It can be visualized as a cover layer that closely surrounds a piece of evidence, completely or partially, at all times, so that the forensic analyst has a better idea of what that evidence is about and of the potential clue it reveals to support the investigator's hypothesis. Everything from the unique name, information on how data combines together, when and by whom the data was created, by whom the data was reproduced, and lists of web pages visited by people, to network packets and system logs, can be classified as metadata. Balasubramanian, V., Doraisamy, S. G., et al. (2016) discuss ever-evolving lecture videos and propose a multimodal metadata extraction system based on Naive Bayes and rule-based classification on keyphrases and topic-based segments of the video files.
The primary purpose of metadata is sorting out a huge library, indexing it for easy access, fixing bugs, and versioning for tracking objects. The supplementary task of any standard library model with respect to metadata is helping the investigator find the actual information they are looking for. It makes better sense for evidential data to be associated with each other through a compelling relationship via unique metadata matches. This classification of metadata not only makes their job easier but also promises to give a good reason for their algorithm to be proven right away. The traditional file-system-based metadata as portrayed by Daniel, L., & Daniel, L. (2012) covers the broad categories of the more common types of metadata. It holds the time-stamps, with their associated time zones, accumulated by the operating system and chronologically rendered when an artifact/file is produced, accessed, or modified. As explained by Casey, E. (2009), in the current-day NTFS file system the metadata created by the file system resides within its traditional indexing data structure, the Master File Table ($MFT). Compared with the traditional FAT-based file systems, NTFS metadata comprises several complementary pieces of information, such as the origin, the current active status (disk or trash), and the access control permissions of the file. The present-day advancement in big data technologies via Hadoop and Cassandra by now has an inbuilt feature called a backup node, described by Krishnan, K. (2013), which contains an exact copy of the majority of the file system metadata. About one-third of the population of files collected from the annual snapshots of Windows computers by Agrawal, N., Bolosky, W. J., et al. (2007) were from the ten most commonly used Windows file formats, namely exe, gif, jpg, mp3, wma, dll, htm, cpp, lib, and h.
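The file-system metadata described above (file name, size, extension and MAC timings) can be turned into a chronological timeline with a short script. The following is an added example, not code from the article or the works it cites; the function names `collect_events` and `build_sample` and the two sample files are constructed for illustration.

```python
import os
import sys
from datetime import datetime, timezone
from pathlib import Path


def collect_events(root):
    """Return a time-sorted list of (utc_time, kind, path, size, extension)."""
    events = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow directory symlinks
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.lstat()  # lstat: describe a symlink itself, never its target
            except OSError:
                continue  # unreadable entry: skip it rather than abort the whole walk
            stamps = {
                "M": st.st_mtime,  # content last modified
                "A": st.st_atime,  # last accessed (may be stale on noatime/relatime mounts)
                "C": st.st_ctime,  # Unix: inode change time; Windows: creation time
            }
            birth = getattr(st, "st_birthtime", None)  # only exposed on some platforms
            if birth is not None:
                stamps["B"] = birth
            for kind, ts in stamps.items():
                when = datetime.fromtimestamp(ts, tz=timezone.utc)
                events.append((when, kind, str(path), st.st_size, path.suffix.lower()))
    return sorted(events, key=lambda e: (e[0], e[2], e[1]))


def build_sample(root):
    """Create two constructed files with fixed access/modify times (epoch seconds)."""
    samples = {"report.docx": (b"draft", 1_600_000_500, 1_600_000_000),
               "photo.JPG": (b"\xff\xd8\xff", 1_600_000_900, 1_600_000_300)}
    for name, (data, atime, mtime) in samples.items():
        path = Path(root) / name
        path.write_bytes(data)
        os.utime(path, (atime, mtime))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for when, kind, path, size, ext in collect_events(target):
        print(f"{when.isoformat()}  {kind}  {size:>10}  {ext or '-':<6}  {path}")
```

Run it against a read-only mount of a working copy of the image rather than the original media, because ordinary file access on a live system can itself update access times.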
Rajendiran, K., Kannan, K., et al., (2020) emphasized the application of machine learning in cyber forensics to automate and enhance the investigation strategies.