RE: Forensics on Word Documents

From: Simon Wellborne (simon.wellborne@initiative-technology.co.nz)
Date: Sun Sep 16 2001 - 12:41:58 PDT


    You don't mention:
    * Word version
    * How you are examining the files
    * Exactly what and why you are wanting the information you are (without
    quoting specifics)
    
    At first glance, time and date stamps would be your best bet!  Take note
    that some network Server OS's (some versions of NETWARE for example) are
    known to record date/time stamps incorrectly.
    
    To help build a timeline for a document I would examine the machine(s) where
    the document(s) were created, modified or read.
    
    If you don't know what machine a document was created on, then you can:
    * depending on your version and SP of Word/Office, locate the document's
    embedded PID_GUID that can help identify the machine it was created on.
    * Examine the file with a forensic tool or a Hex Editor and find UNICODE
    text that details autorecovery paths and document paths.
    
    If you have access to the machine(s) the docs were created/modified on, I
    would then look there for supporting evidence of document
    creation/modification (TMP, LNK files etc).  
    
    Other associations, such as when/if the document was printed etc.
    
    This can all help put together a timeline for the documents in question and
    help you in your inquiry.
    
    I hope this helps,
    
    Regards
    
    Simon Wellborne
    
    BTW: I would also be grateful if any private posts to you were forwarded back
    to the group.
    
    
    -----Original Message-----
    From: Nicole Haywood [mailto:N.Haywoodat_private]
    Sent: Friday, 14 September 2001 5:58 p.m.
    To: forensicsat_private
    Subject: Forensics on Word Documents
    
    
    I've got to do a comparison on a couple of versions of Word documents to try
    to determine which was created first etc.
    
    Is there anything anyone can suggest I look at in a Word document other
    than creation date and revisions etc.?
    
    Thanks, 
    
    Nicole
    
    --
    Nicole Haywood                          Phone: +61 2 93515504
    Network Security Officer                Fax:   +61 2 93515001
    University of Sydney                    Email: N.Haywoodat_private
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Sun Sep 16 2001 - 22:55:21 PDT
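
The hex-editor check suggested in the reply above (UNICODE text holding autorecovery and document paths, plus the embedded PID_GUID), as an added Python example that is not part of the original thread. The function names and the sample bytes are constructed for illustration, and it assumes the GUID value appears as brace-wrapped UTF-16LE text.

```python
import re

# Runs of printable ASCII characters stored as UTF-16LE (each followed by 0x00).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Drive-letter or UNC path anywhere in a decoded string.
PATH = re.compile(r'(?:[A-Za-z]:\\|\\\\)[^\r\n"<>|*?]+')
# Brace-wrapped GUID text (assumed form of the PID_GUID value).
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def utf16le_strings(data: bytes):
    """Yield (offset, text) for each UTF-16LE printable run in data."""
    for m in UTF16_RUN.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def triage(data: bytes):
    """Collect path-like and GUID-shaped strings with their byte offsets."""
    found = {"paths": [], "guids": []}
    for offset, text in utf16le_strings(data):
        for m in PATH.finditer(text):
            found["paths"].append((offset + 2 * m.start(), m.group()))
        for m in GUID.finditer(text):
            found["guids"].append((offset + 2 * m.start(), m.group()))
    return found


def build_sample() -> bytes:
    """Constructed stand-in for a .doc file body; not from a real document."""
    def u(s): return s.encode("utf-16-le")
    return (
        b"\xd0\xcf\x11\xe0" + b"\x00" * 12  # OLE2 magic start + padding
        + u("C:\\TEMP\\AutoRecovery save of report.asd") + b"\x00\x00\xff\xfe\x01"
        + u("\\\\SERVER1\\share\\report v2.doc") + b"\x00\x00\x07"
        + b"_PID_GUID\x00" + b"\x01\x02"
        + u("{11111111-2222-3333-4444-555555555555}") + b"\x00\x00"
    )


if __name__ == "__main__":
    for kind, hits in triage(build_sample()).items():
        for offset, value in hits:
            print(f"{kind:5s} 0x{offset:06x}  {value}")
```

Recording the byte offset of each hit lets the finding be re-verified in a hex editor against a hashed working copy of the file.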