Metadata - To Educate My Legal Folks

Kenmo
(@kenmo)
Active Member
Joined: 18 years ago
Posts: 10
Topic starter  

I have a couple questions I would like to have a brief discussion about. My legal team (unbuhleevably) knows it all… I have a very solid understanding of Metadata and how it works, but I would like input from the forensic community to back up my rulings!

What is the best way to preserve metadata (please include tools) in a Windows environment? Does "burning" data collected using any CD/DVD writing tool change the "Last Modified Date" attribute on the files?

Please be verbose in your responses as I'm sure any of you Litigation Support folks can use this string to educate your Attorneys.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> What is the best way to preserve metadata (please include tools) in a Windows environment?

Depends on the metadata. If you're referring to MAC times only, then yes, burning the files to CD/DVD will have an effect on these files. However, it does depend on the source…if you're extracting the files from an acquired image or a write-protected source, then you will have the original data as a reference. Another way to address this is to capture MAC times first, and then extract/copy/burn the file.

Another issue to be aware of is NTFS alternate data streams…burning files to CD will remove the ADS, as CDFS != NTFS.

Other metadata embedded in files (Word docs, PDFs, etc.) rides along with the file itself.

HTH


   
(@user24)
Active Member
Joined: 18 years ago
Posts: 12
 

In relation to ADS being lost when burning, there's a piece of free software called "lads" that Lists Alternate Data Streams (hence the name) - run it against the files to burn to make sure you're not going to lose anything in that department.

LADS: http://www.heysoft.net/Frames/f_sw_la_en.htm


   
(@jprowe)
Active Member
Joined: 18 years ago
Posts: 19
 

The safest way to copy files to another location for review or electronic discovery processing is to use a hard drive or removable media as the target and a copy process that retains file system metadata (timestamps). Robocopy, XXCopy or SafeCopy will work and are free. SafeCopy was an application we built as a GUI for Robocopy (DOS based app from Microsoft). It's free and you can download SafeCopy from www.pinpointlabs.com. Of course imaging the drive works great but not everyone is willing to pay for the process.

The next point to make is that if you are going to process the files through an electronic discovery phase the metadata will be changed multiple times during processing. This is why it is important to capture metadata at the beginning of the process before it is altered. Although many times it has been altered from the original system because the files were harvested/copied improperly.

By the time a file goes through an electronic discovery (ED/EED) process and is produced to other parties there are many changes that can take place. It's important to note that opposing/co counsel will not (most likely) be receiving the same version of the file that was pulled from the client's computer.

In addition to SafeCopy we are in the process of building an application that will capture the original file metadata, encrypt, compress and provide extraction on a target system while writing back the original file timestamps/metadata from the original file. Our goal is to provide a tool where a firm could share files with examiner/experts and retain all the original data. Additionally, you could use it to copy a set of files to a DVD and when they were being analyzed have all the original data intact once they were restored from our datastore.

If anyone on the board is interested in being notified when the application is completed or for a beta release copy drop me a line at jon.rowe@pinpointlabs.com. Please include 'SafeCopy II' in the subject.

Regards,
Jon Rowe
jon.rowe@pinpointlabs.com
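
Added example, not part of the thread and not any poster's tool: a sketch of the "capture metadata first, then copy" approach described in the replies above, recording a SHA-256 and last-modified time per file and checking a copy against that manifest. The function names, the `tolerance_ns` parameter and the sample file are assumptions made here; the sketch does not record creation time or NTFS alternate data streams.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file under root to its SHA-256 and last-modified time."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            st = path.stat()  # stat first: hashing reads the file and may update atime
            manifest[path.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                "mtime_ns": st.st_mtime_ns,
            }
    return manifest

def compare(before, after, tolerance_ns=0):
    """List (file, field) pairs where the copy no longer matches the manifest."""
    diffs = []
    for rel, old in before.items():
        new = after.get(rel)
        if new is None:
            diffs.append((rel, "missing"))
            continue
        if new["sha256"] != old["sha256"]:
            diffs.append((rel, "sha256"))
        # tolerance_ns (hypothetical knob) allows for targets with coarse timestamps
        if abs(new["mtime_ns"] - old["mtime_ns"]) > tolerance_ns:
            diffs.append((rel, "mtime_ns"))
    return diffs

def demo():
    """Copy one constructed file two ways and report what each copy changed."""
    with tempfile.TemporaryDirectory() as tmp:
        src, plain, kept = (Path(tmp, n) for n in ("source", "plain", "preserved"))
        for d in (src, plain, kept):
            d.mkdir()
        memo = src / "memo.txt"  # constructed sample file
        memo.write_text("constructed sample evidence file\n")
        os.utime(memo, ns=(1109635200 * 10**9,) * 2)  # constructed date, 2005-03-01 UTC
        before = snapshot(src)  # capture first, then copy
        shutil.copy(memo, plain / memo.name)   # content only: mtime becomes "now"
        shutil.copy2(memo, kept / memo.name)   # content plus timestamps
        return compare(before, snapshot(plain)), compare(before, snapshot(kept))

if __name__ == "__main__":
    print(demo())
```

The first list returned by `demo()` flags the changed last-modified time on the plain copy; the second is empty because the preserving copy still matches the manifest.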


   