Types of Metadata
Several kinds of metadata can be found in or around a digital file. These include:
- File name: The name the file was given when it was created can help establish where it came from, and a distinctive name can point to a specific malware family or variant. It is weak evidence on its own, since an attacker can rename a file freely.
- File size: Comparing a file's size with that of a known-good copy is a quick way to spot a modification, because most edits change the length. It also helps tell successive releases of a malware family apart. Size alone is not proof of integrity, however: an attacker can make a change that preserves the original length.
- Date edited: The last-modified timestamp can help establish when a file was changed and whether that fits the window of an attacker's activity. A file's modification time does not change unless the file is written to, but the timestamp is itself just filesystem metadata and can be reset by an attacker (timestomping), so it should be corroborated by other evidence such as the file's hash.
- Location on disk: Where a file sits in the filesystem gives context for the other metadata. For instance, if one file in a directory has changed while every other file in that directory is untouched, it is plausible that the change was made deliberately rather than by a routine update of the whole directory.
- File hash: A hash value is a fixed-length number computed from a file's entire contents that serves as its fingerprint. If an attacker alters even a single byte, the file's hash no longer matches the hash of the original, so comparing hashes against a trusted baseline is the most reliable of these checks for detecting modification.
How do hash values work?
A hash value is the output of a mathematical procedure called a hash function, which maps any input, whether a text document, a photo, a video or a whole disk image, to a fixed-length number. A cryptographic hash function such as SHA-256 is designed so that it is computationally infeasible to find two different inputs with the same output, which is why the value can serve as the file's fingerprint: if the contents change in any way, the fingerprint changes. Older functions such as MD5 and SHA-1 still appear in many published hash sets, but they no longer offer collision resistance, so SHA-256 should be preferred for new baselines.
The advantage of hashes is that they let you verify whether a system's state has changed over time, whether inadvertently or on purpose. During a forensic investigation, a file whose hash still matches the hash recorded when it was created, or when a trusted baseline was taken, can be treated as unmodified. Checking against previously collected hashes also works the other way round: a hash that matches a known malware sample, or another item of interest such as a particular configuration or user database, identifies that file even when nothing else is known about its origin, and two pieces of evidence can be shown to be identical copies by comparing their hashes.
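The following Python script is an added example, not code from the original article. It ties the metadata types above to the hash-based verification just described: it records name, location, size, last-modified time and SHA-256 for every file under a directory, takes a baseline, and then compares a later scan against it. The scenario it runs is constructed: one file is edited without changing its size and has its timestamp restored (timestomping), one is appended to, one is left alone, and one is dropped into the directory with a hash that appears on a small known-bad list built inside the script. The file names, contents and the known-bad hash set are all assumptions for the demonstration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB pieces so large evidence files are never fully loaded into memory


@dataclass(frozen=True)
class FileRecord:
    """The metadata discussed above, collected for one file."""
    name: str       # file name
    location: str   # directory the file sits in
    size: int       # size in bytes
    mtime_ns: int   # last-modified time, nanoseconds since the epoch, as the filesystem reports it
    sha256: str     # hex digest of the whole contents


def sha256_file(path: Path) -> str:
    """Hash the complete file contents with SHA-256 (not MD5/SHA-1, which lack collision resistance)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record(path: Path) -> FileRecord:
    st = path.stat()
    return FileRecord(path.name, str(path.parent), st.st_size, st.st_mtime_ns, sha256_file(path))


def baseline(root: Path) -> dict:
    """Map each file's path relative to root to its metadata record."""
    return {str(p.relative_to(root)): record(p) for p in sorted(root.rglob("*")) if p.is_file()}


def compare(before: dict, after: dict) -> dict:
    """Return, per file, which fields differ between two scans, plus files added or removed."""
    findings = {}
    for rel in sorted(set(before) | set(after)):
        if rel not in after:
            findings[rel] = ["removed"]
        elif rel not in before:
            findings[rel] = ["added"]
        else:
            b, a = before[rel], after[rel]
            diffs = [f for f in ("size", "mtime_ns", "sha256") if getattr(b, f) != getattr(a, f)]
            if diffs:
                findings[rel] = diffs
    return findings


def match_known_bad(records: dict, known_bad: set) -> dict:
    """Identify files whose hash matches a previously collected set of known malware hashes."""
    return {rel: r.sha256 for rel, r in records.items() if r.sha256 in known_bad}


def demo() -> dict:
    """Constructed scenario: baseline a directory, tamper with it in three ways, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_bytes(b"debug=0\nadmin=no\n")
        (root / "notes.txt").write_bytes(b"untouched file\n")
        (root / "app.log").write_bytes(b"2024-01-01 service started\n")
        before = baseline(root)

        # 1. Same-size edit plus timestomping: change one value and restore the original mtime.
        #    Size and date look untouched; only the hash reveals the change.
        cfg = root / "config.ini"
        st = cfg.stat()
        cfg.write_bytes(b"debug=0\nadmin=ok\n")  # exactly the same length as the original
        os.utime(cfg, ns=(st.st_atime_ns, st.st_mtime_ns))

        # 2. Ordinary append: size grows and the hash changes.
        with (root / "app.log").open("ab") as f:
            f.write(b"2024-01-02 new admin created\n")

        # 3. A dropped file whose hash is on a (constructed, hypothetical) known-bad list.
        dropped = b"MZ this stands in for a malicious payload"
        (root / "update.exe").write_bytes(dropped)
        known_bad = {hashlib.sha256(dropped).hexdigest()}

        after = baseline(root)
        return {"findings": compare(before, after),
                "known_bad_hits": match_known_bad(after, known_bad)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of the first tampering case is the caveat from the list above: size and timestamp comparison both pass for config.ini, and only the hash comparison flags it. In a real investigation the baseline dictionary would be written out (for example as JSON) at the time the trusted image is taken, and the known-bad set would come from a published hash list rather than being built in the script.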