Speaking Technical in eDiscovery: Understanding Metadata

Speaking Technical in eDiscovery Includes Understanding Metadata

In our last post, we discussed the role of digital forensics in eDiscovery. Our last post in the Speaking Technical series (for now at least) discusses perhaps the most important, yet most misunderstood, type of data there is – metadata!

Defining Metadata

The most common definition you hear about metadata is that it’s “data about data”. What does that mean exactly? The Sedona Conference® Glossary of Terms that we discussed in this post defines metadata as:

“The generic term used to describe the structural information of a file that contains data about the file, as opposed to describing the content of a file.”

It’s the data about the file (metadata) that can be useful to understanding the evidence associated with the content of the file and even confirm or refute that content as authentic.

Imagine if you were in New York at Legalweek and you witnessed an auto accident in front of the New York Hilton, so you take a picture of the accident aftermath with an iPhone. The picture, of course, is the content and the evidence of the accident. But the iPhone stores several metadata fields associated with the picture which can help to authenticate the evidence, including:

  • Date and Time: The iPhone tracks the date and time each picture was taken, which can prove you were there at the time of the accident.
  • Geolocation: Your Android or iPhone tracks the geolocation of each picture it takes, which can prove the picture was taken at that location.
  • Phone Description: The iPhone also tracks the type of phone that took the picture so that you can verify it was your iPhone (at least the same type of iPhone) that took the picture.

We’ve seen many cases where the metadata (or lack thereof) was used to refute the authenticity of the evidence, including this case last year, where the plaintiff’s fabrication of a text message exchange was confirmed after reviewing the metadata of the “picture” she supposedly took of it (including the fact that the version of the emoji used couldn’t have been displayed by her iOS version!).

Two Types of Metadata

Another important distinction regarding metadata is that there are two types of metadata and the metadata that you get will depend on how you collect the data. The two types are:

  • System Metadata: Created, maintained and stored by the operating system; and
  • Application Metadata: Created, maintained and stored by and within the application software.

Simple enough, right? So, a collection of files from a drive will get the application metadata, but not all the system metadata – to get that, you would need to perform a forensic image of the device. An example of a case where you might need to perform a forensic image to capture system metadata to help prove your case would be an intellectual property case with a former employee suspected of using a flash drive connected to their workstation to steal company intellectual property.

Metadata Can Sometimes Be Misleading

Sometimes, the metadata can be misleading because of how the evidence is handled. For example, you could have a file with a Date Created that’s more recent than the Date Modified!

How can this happen? If a file is collected using the “drag and drop” method of copying files, the Date Created for the copies reflects the date the copy was created, not the date the original file was created. The “drag and drop” method is not a forensically sound method for evidence collection. It’s important to use forensically sound practices in collecting electronic evidence to preserve the metadata needed to authenticate that evidence. Forensically sound collection doesn’t necessarily require forensic imaging, but there are best practices to collecting evidence that preserves the metadata of the collected files to facilitate evidence authentication.

Another example is illustrated by the recent case ruling in Arconic Inc. v. Novelis Inc. (covered here by Cobra LS Educational Partner eDiscovery Today here). In that case, the plaintiff filed a motion to recuse over the fact that orders filed by Pennsylvania District Judge Joy Flowers Conti contained author metadata from the special master’s staff, which happened because Judge Conti used documents already docketed as a template for her next opinion or order, which included the original author of that template document, not the author of the new order being filed. It’s important to understand the ways in which metadata fields can be populated to determine whether they can be counted on reliably to authenticate evidence.


When it comes to Speaking Technical about Metadata, there is a lot more to know that can be covered in a single blog post. Craig Ball’s guide Beyond Data About Data: The Litigator’s Guide to METADATA (referenced by Judge Conti in her decision above) is an excellent in-depth guide for understanding metadata and how it’s used in discovery.

In the next post, we’ll start our discussion of Speaking Project Management in eDiscovery with a discussion of setting project expectations and the “triple constraint” of project management!

For more information about Cobra’s Digital Forensics services, click here.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.