How Metadata Can Be a Fraudster’s Worst Nightmare

… and an investigator’s best friend

Posted by Dawn Lomer in Corporate Security on July 3rd, 2013

A simple Microsoft Word document, as harmless and straightforward as it may look, can contain a whole lot more information than you see at first glance. The same is true of any electronically created file, be it an email, a slide presentation, a photograph or a spreadsheet of numbers. And this information, unseen by those who don’t know where to look, can make a big difference when the document is part of the evidence in an ongoing investigation.

“Data in digital documents can show when somebody made changes to a document, who made the changes and what the actual change was,” says Christopher Rosetti, CFE, CPA and Partner – Fraud Investigations, BST. It can reveal the computer on which a document was created, the email address from which it was sent and the identities of those who have had input into the document, he says.

This kind of information can be helpful in a fraud investigation, when the origin and history of a document is relevant to the case. When someone creates a fake invoice, for example, an investigator can look at the metadata and see that the invoice was created on the fraudster’s computer, or from a template created by a fake invoice supplier.

“Individuals are trying to manipulate where emails came from, when emails were created and when documents were created,” says Rosetti. “They’re trying to make changes to documents which would suggest the change was made by somebody else when in fact it wasn’t.”

Digital DNA

FREE Investigation Report Template

Prepare thorough, consistent investigation reports with our free report template.

Download Template
Rosetti compares metadata to “digital DNA” and provides examples of the kind of information the metadata in a document can reveal, including:

  • Name and/or initials of the creator
  • Company name
  • Name of the computer on which it was created or altered
  • Name of network server or hard disk it was saved on
  • Non-visible portions of OLE objects (linked and embedded files)
  • Names of authors
  • Document revisions
  • Document versions
  • Hidden text of cells
  • Comments

Metadata in an email message can reveal:

  • sender’s address book information
  • date a message was sent
  • date it was received, replied to and forwarded
  • to whom copies were sent
  • whether there were attachments

By understanding metadata and knowing where to look, investigators and attorneys can uncover valuable evidence to trip up someone who has created a fake document or changed a document fraudulently.

How to Trip Up a Fraudster

Take for example, the case of Merck, the pharmaceutical giant that falsified test results for one of its lucrative drugs. It was through metadata that attorneys in a product liability lawsuit were able to prove that the company had edited out negative test results from a 2007 Vioxx drug study. In fact, the existence of residual “tracked changes” accidently left in a Merck internal document indicated that Merck knew of potential dangerous side effects of Vioxx including heart attacks two years before placing the drug on the market.

“Fraudsters are just not aware of the fact that metadata is there and that it can be used to trace their moves,” says Rosetti. In a world that is becoming more and more digital, metadata can be a powerful tool to detect fraud, malfeasance and manipulation.


Dawn Lomer
Dawn Lomer

Managing Editor

Dawn Lomer is the managing editor at i-Sight Software and a Certified Fraud Examiner (CFE). She writes about topics related to workplace investigations, ethics and compliance, data security and e-discovery, and hosts i-Sight webinars.