MetaFor: Metadata Signatures for Automated Remote File Identification in Forensic Investigations

The increased use of the Internet to store data ensures that it provides a valuable resource for a forensics examiner during an investigation. Of particular interest is evidence related to the dissemination of indecent images of children that are spread via social networking sites and Web fora. This paper posits a novel approach, MetaFor, which using a Web crawler searches for metadata signatures for automated identification of files residing on remote Web servers. In this way, it may identify potential repositories of illegal images or sources of evidence related to traditional crimes, such as utilising geo-location metadata to identify digital pictures taken during a crime in progress. This approach differs from other forensic signature schemes in that it utilises JPEG header metadata rather than image or file data as the basis of a signature. In this way, MetaFor can be extended to search for unknown files that may be relevant to an investigation. In order to demonstrate the applicability of the approach, this paper applies the approach to a case study of two Web servers and presents the results.