Saturday, July 09, 2005

File Metadata

I've been working on my GMU2005 presentation regarding file metadata on Windows systems...basically, showing the types of metadata that are in and associated with various files on Windows boxen.

The stuff I've covered includes Office documents (I even include my MergeStreams demo, b/c it's way cool), PDF documents, Event Log files, and PE file headers. I also cover NTFS Alternate Data Streams and MAC times.

Am I missing anything really obvious here? My goal with this presentation is to tell the audience, "hey, guys and gals...there're all these files on Windows systems, and they're usually there by default, in many environments. There's a lot more information you can pull from them than just the fact that they exist."

I'm just trying to do a sanity check. I went back through my book to see if there's anything I really missed, and I think I've got it. Sometimes, you get to doing this stuff so often, that you stop seeing how important it is for others in the field to know it...you stop seeing the forest for the trees, so to speak.

Oh, and I emailed the guy in charge of the GMU2005 conference, and asked if I could be squeezed in at the last minute with a presentation on the Event Log file format. I specifically asked to get a slot during prime time...not at 5pm on the last day. We'll see how it goes...but I'll be putting the actual presentation together next week and getting it in the approval pipeline. That'll give me 5 presentations at a single conference. Ouch!

And yes, once the presentations have been approved for public release, I'll post them.

10 comments:

Anonymous said...

Can you make sure the prefetch directory and its significance is covered?

Keydet89 said...

Well, the Prefetch directory really isn't a "file", per se, but I don't see why I can't throw .pf files in there.

Is this something you're finding a lot of use for? Are there any specific questions you think should be answered with regards to the Prefetch dir/.pf files?

Anonymous said...

True, it's not a file, per se; however, it is very useful information that is too often overlooked and misunderstood. Also, while the information found in the prefetch directory is not usually described as metadata, it is data that describes other data. [http://en.wikipedia.org/wiki/Metadata]

Keydet89 said...

Yeah, I got that...but what I'm really trying to get at here is, what are your specific questions or concerns? Is there something in particular that you want to know, or think others should know?

SAL said...

Harlan,
..stop me if you heard this one...(grin)

One item I have found myself explaining is the metadata in relation to email messages. I'm thinking of two examples, one- breaking down message headers and two- timestamps of mail messages.

The first is fairly straightforward and Im a bit hesistant to refer to a message header as "metadata" per se but I think it could fit. The second example is the Modified timestamp of an Outlook XP/2003 message. I think one thing that gets some people thinking is showing them that a message already received or sent in an outlook pst file can be opened, edited then re-saved(altered).Showing how and when this timestamp gets altered can be useful.

Keydet89 said...

SAL,

Can you send me your email address? We've moved on to email headers, and I'm still stuck on what specifically you're looking for with regards to files in the Prefetch directory.

Pardon me for thinking too linearly, but I tend to have to process one thing (particularly if it's interesting) before moving on to another.

Thanks!

SAL said...

heh, thats not me commenting on PF files

Keydet89 said...

Ooops...sorry about that. I guess it's really hard to keep up when folks use "Anonymous" and don't add any ID to the post itself.

SAL said...

S'ok, but here I WILL comment briefly on PF files....I probably want to think about it a bit more, but initially I guess it'd be interesting to show the "metadata" portion that is stored in a PF file that describes the application its prefetching. I havent actually done any hunting inside a PF file yet but Im now curious...

Another dataset would be to show the signficance of MACs of a PF file to show a user's repetitive use of a certain program: since PF files do not get created on first launch, then its possible to show a user has used a certain application more than "accidently".

Keydet89 said...

SAL,

The stuff w/ the PF files is pretty easy. One of the Unicode strings within the .pf file is the path to the executable image file.

The significance of the MAC times is really easy to test. Simply clear the directory on your machine, and run...oh, say, Notepad. Note the MACs of the .pf file that's produced. Run some other files. Wait a couple of hours or a day or so, and go back and re-run the apps, and note the MACs again.