In recent years, the world has experienced the greatest growth in technology in history. As the nation experiences increased use of mobile devices and other interconnected devices, computers have become not only the center of incidents but also a major part of the investigation process. Keyword and metadata search is the process of identifying specific tags, or meta tags, that appear in the HTML code of a given web page and that tell a search engine what type of information the page contains. Keywords and metadata of this kind differ from other keywords because they appear behind the scenes. The purpose of this paper is to explain the importance of keyword and metadata search and the procedure for conducting this kind of search. The paper will also describe some of the real forensic search tools that will be used in the analysis and classification of a case involving a high-profile cybercriminal. Although the development of technology has contributed to new types of crime, including hacking, internet bullying, online fraud, stalking and others, computer forensic analysts use different forensic tools to identify, analyze, preserve, and present digital evidence, which is essential in solving crimes.
The Importance of the Keyword and Metadata Search
Keyword and metadata search are the most common tools used by computer forensic analysts to find evidence of cyber-related crimes. Keyword search is a fundamental technique that entails searching for a single word or multiple words in a document, while metadata search is a technique that allows investigators to search for data constrained by specific metadata of a document. When using metadata search, the investigator is able to use Name Attributes. With the dramatic increase in online and social networking activity, privacy and security issues have become more essential. For this reason, computer forensic analysts use keyword and metadata search to identify relevant evidence in data sets. The use of keyword and metadata search faces a major challenge: if the experts use the wrong keywords or metadata in their search, they end up missing important elements or getting irrelevant results. However, when appropriate keyword and metadata searches are used, there are major benefits. One benefit is that investigators can go through millions of documents without reading any part of them and still compile a short list of the relevant information based on the keyword. This process, commonly known as keyword searching, can be used to understand what information cybercrime suspects were looking for, so that the evidence can be used to prosecute the criminals. Before the development of keyword and metadata search, prosecuting cybercriminals was impossible because security experts could not provide any evidence to link them with their crimes. Secondly, through forensic carving, keyword and metadata search has made it possible to extract searchable data from areas of deleted data, unused data, and volatile data. This helps forensic analysts gather evidence that was created by automated processes or modified so that it could be easily hidden.
Procedure for Conducting a Keyword and Metadata Search
When conducting a keyword and metadata search in computer forensics, two main procedures can be employed: searching for a keyword in a document, or searching for a specific type of file. Keyword search is used to identify documents that are either privileged or responsive. It is therefore best suited to filtering and large-scale culling of data. The procedure for keyword and metadata search is as follows:
Reducing The Search Space
Reducing the search space is the first stage in conducting a keyword and metadata search. During this stage, experts are expected to determine which files are of probative value and which are not. For example, computers belonging to cybercriminals can contain at least 10,000 files or even more, which creates a need to conduct a manual analysis of the huge number of files in order to arrive at a manageable number that is easy to search.
Hash analysis is a process where the hashes of files are compared to another set of files which have known content. During this stage, files will fall into the known category. In most cases, the known files are assumed.
The keyword and metadata search itself takes place after the investigator has reduced the search space by identifying and filtering out the known files. By executing the following command, investigators are able to find the matching words, statements or phrases.
# grep -i -r -f keywords /image/* > /evidence/grep.results
When using grep, it is possible to search multiple keywords at the same time. Investigators are required to create a file with possible keywords, and the file is used to search in other files.
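The two stages above (hash-based reduction, then a keyword-file search) can be run end to end as follows. This is an added example, not part of the original paper; every path, file, keyword and function name in it is constructed sample data, and it assumes GNU coreutils (sha256sum, sort -z) are available.

```sh
#!/bin/sh
# Added example: hash-based reduction, then a keyword-list search with grep.
# Every path, file and keyword below is constructed sample data.
set -eu

build_sample() {                       # $1 = scratch directory
  mkdir -p "$1/image/docs" "$1/image/sys"
  printf 'Vendor README: enable the wire transfer module\n' > "$1/image/sys/readme.txt"
  printf 'Confirm the Wire Transfer before Friday\n'         > "$1/image/docs/note1.txt"
  printf 'grocery list: milk, eggs\n'                        > "$1/image/docs/note2.txt"
  printf 'wire transfer\noffshore\n'                         > "$1/keywords"
  # Known-file hash set; here it holds only the vendor README.
  sha256sum "$1/image/sys/readme.txt" | awk '{print $1}'     > "$1/known.sha256"
}

# List files under $1 whose SHA-256 is absent from the known-hash list $2.
unknown_files() {
  find "$1" -type f -print0 | sort -z | xargs -0 sha256sum |
    awk -v list="$2" '
      BEGIN { while ((getline h < list) > 0) known[h] = 1 }
      !($1 in known) { sub(/^[^ ]+ [ *]/, ""); print }'
}

# Search only the reduced set. -i matches the command in the text; -F treats
# each keyword as a literal string, -n and -H record line number and file name.
keyword_hits() {                       # $1 = image dir, $2 = hash list, $3 = keywords
  unknown_files "$1" "$2" | tr '\n' '\0' |
    xargs -0 grep -i -n -H -F -f "$3" || true
}

# Baseline for comparison: the unreduced recursive search from the text.
unfiltered_hits() { grep -i -r -F -f "$2" "$1" || true; }

demo() {
  work=$(mktemp -d)
  build_sample "$work"
  echo "unfiltered: $(unfiltered_hits "$work/image" "$work/keywords" | wc -l) hit(s)"
  echo "after hash reduction:"
  keyword_hits "$work/image" "$work/known.sha256" "$work/keywords"
  rm -rf "$work"
}
demo
```

The known vendor file contains a keyword, so the unreduced search reports it as a hit; filtering by hash first leaves only the document of interest.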
Real Forensics Search Tools being used in these Efforts
Currently, The Sleuth Kit (TSK) is the most common tool used in real forensic searches. The Sleuth Kit (TSK) is a collection of Windows-based and UNIX utilities which facilitate the forensic study of computer systems. This tool is categorized into two different tools, namely mac-robber and mactime. mac-robber is used to conduct digital investigations by collecting data from allocated files. When using mac-robber, the data needs to be on a mounted file system, for example when analyzing a dead or live system in the forensic lab. mactime, on the other hand, creates an ASCII timeline of files based on the output of the tool. Using this tool, forensic analysts are able to reconstruct events and detect anomalous behavior.
The Types of Data and Files that can be Recovered using Keyword Metadata Searches
The types of data and files obtained using keyword metadata searches depend on the tools used. However, some of the most common data and files that can be recovered include images, text, browsing library catalog records, transcripts, video, audio, Global Positioning System (GPS) coordinates, and signatures.
From the above information, it is clear that computer forensic analysts can use keyword metadata search to identify different items on cybercriminals' computers. Some of the search tools that can be used include mac-robber and mactime from The Sleuth Kit (TSK) to recover different types of data and files.