Metadata as a Silent Witness: What It Can Reveal About Your Case
Copyright 2026, Steve Burgess
Every digital file has two stories to tell.
The first is the one you can read — the contract, the email, the photograph. The second story is invisible, buried in the file itself, and it doesn’t care what the first story says. That second story is the metadata, and in four decades of forensic work, I’ve watched it blow up more than a few very confident cases.
Think of metadata as the file’s diary. While the document presents its polished face to the world, the diary in the background is quietly recording everything — when the file was actually created, who created it, what software was used, how many times it was edited, and sometimes even where on the planet the device was sitting when someone hit “save.” The document will say whatever its creator wants it to say. The metadata just tells the truth…your own little whistleblower.
What Exactly Is Metadata?
Metadata is data about data. (Computer scientists have a gift for naming things that would bore a golden retriever to sleep, but this one is actually accurate.) Every file type carries it, and every file type carries different kinds.
A Word document records the author name, the organization the software is registered to, creation date, last modified date, total editing time, and sometimes a revision history that shows you every embarrassing draft along the way. A PDF carries similar but more limited information – still with details about what application generated it. A photograph records the camera model, lens settings, and — if the camera or phone had GPS enabled — the exact coordinates where it was taken, accurate to within a few feet. An email carries IP address headers that can tell you where in the world it actually originated, regardless of what the “From” line shows. Even a simple spreadsheet logs who last touched it and when.
All of this is invisible in normal use. Open a contract in Word and you’ll see the contract. Open it in a forensic tool and you might see the contract’s entire biography.
The Contract That Wasn’t
A few years ago, I was engaged in a criminal case where the defendant – a truckler – produced an alleged agreement signed months earlier, in order to justify having let a truckload of perishables perish – the latter potentially being a Federal crime. The defendant produced a MS-Word document and a PDF of the email to which it was attached.
The defense attorney asked me to take a look.
Metadata showed previous versions of the document that were months later than the current version of the document. I told the attorney that the defendant must have manually backdated his computer so that the file would look like it was created a long while before it actually was. And that a police forensic examiner was likely to find this out as well.
Busted!
There’s not an attorney around that wants to find his client lying to him.
The defendant had created a document, backdated the content, and either forgotten or didn’t know that the file itself would remember the truth.
The judge was very unhappy.
Unhappy judges aren’t good for dishonest defendants and jail time ensued.
The Photograph That Placed Someone at the Scene
Photo metadata — formally called EXIF data — is a gift to investigators and a headache for anyone who thought their location was private.
Modern smartphones embed GPS coordinates into every photograph by default. Most people don’t know this. Some people find out at exactly the wrong moment.
In more than one criminal case I’ve worked on, defendants claimed to be out of town on the day in question. The Public Defender had a hunch and asked me to examine the defendant’s phone and photos from around that time.
In one case, the EXIF data from one photograph showed it was taken at coordinates that put the defendant squarely in the city he claimed to have been away from — at the time he claimed to have been somewhere else entirely. In another, it showed the phone was nowhere near the scene of the crime at the time of the crime. GPS coordinates in a photograph, captured automatically at the moment the shutter clicked, are really hard to explain away.
The Email That Came From the Wrong Continent
Email headers are metadata too, and they’re something most attorneys never look at. When you view an email, you see the sender’s name, the subject, and the body. Behind all of that is a chain of technical information recording every server the email passed through on its way to you, including the originating IP address — the digital address of the computer or device that actually sent it.
I’ve examined cases where someone claimed to have received a threatening email from a business rival. A look at the email headers told a different story: the message had originated from an IP address registered to the supposed victim’s own internet service provider, in the same city, on the same block. Someone had sent a threatening email to themselves.
I’ve also seen the reverse — cases where a company denied sending communications to a former employee, and the headers showed the emails came straight from their own mail server. Denials are cheap. Headers are not.
When Metadata Helps Your Client — and When It Doesn’t
Here’s the thing that only some attorneys understand: metadata is evidence. It’s neutral. It will help you if the facts are on your side and hurt you if they’re not. What it won’t do is stay hidden.
If opposing counsel has a forensic expert and you don’t, they may be examining your client’s documents right now and finding things neither of you anticipated. Metadata doesn’t require a subpoena. It’s already in the file.
This means two things for your practice:
First, when you receive digital documents in discovery, don’t just read them. Have them examined. A document that looks perfectly legitimate might be telling a completely different story in the background, and you want to know that before the other side does.
Second, when your client is producing documents, know what’s in them before they go out. I’ve seen cases nearly derailed by metadata in the producing party’s own documents — revision histories that showed the “final” contract had been edited six times after the claimed execution date, or author fields that identified someone whose involvement was supposed to be unknown. Producing documents in PDF format strips some metadata, but not all, and there are forensic methods for recovering more than people expect.
Of course, I’ve had attorneys examine the metadata of their own guy’s evidence to see if their client was on the up-and-up. Sometimes they’re not.
A Note on Photos and GPS
If you’re handling any case where location matters — a slip-and-fall, a fraud claim, an alibi — it’s a good idea to ask whether photographs are in evidence. Then ask whether anyone has looked at the EXIF data. The answer to the second question is frequently no.
Most people share photographs constantly without any awareness that they’re broadcasting their exact location in the file. Courts have admitted GPS metadata from photograph EXIF data as location evidence. It’s the digital equivalent of a witness who was there, has perfect recall, and cannot be cross-examined.
What To Do About It
Get a forensic expert involved early. Not after you’ve already produced documents, not after discovery is closed, not the week before trial. Early.
A competent digital forensics examiner can tell you what the metadata in your documents actually says before you stake a claim on them. They can examine opposition documents and identify inconsistencies you’d never notice reading normally. They can authenticate photographs, trace emails to their source, and give you a clear picture of whether the digital evidence in your case is supporting the story you’re trying to tell — or quietly undermining it.
Metadata doesn’t take sides. It doesn’t forget. It doesn’t get nervous on the stand.
It just sits there in the file, waiting for someone to ask the right questions.
The Takeaway
Every digital document in your case has metadata. Some of that metadata is irrelevant. Some of it is the most important evidence in the file. You won’t know which until someone looks.
Don’t wait to find out from opposing counsel.
Steve Burgess has been doing digital forensics since 1985 and has examined more than 20,000 devices and pieces of digital evidence. He can be reached at (866) 345-3345 or steve@burgessforensics.com.
Don’t miss a single issue of our informative newsletter … Subscribe!