RE: Forensics on Word Documents

From: Rowe, Eric (ericat_private)
Date: Fri Sep 14 2001 - 14:53:32 PDT

    Hi,
    
    You might try looking for the temp files associated with the different
    versions of the Word documents and check their time stamps.
    
    Also, I haven't looked at headers in a long time; however, you might try
    decoding the information in each one's header if you have electronic copies
    of all the versions of the document.  You may find time stamps there.
    
    Printer logs might help too: they should contain the file sizes of documents
    printed (among other things).  If the document was altered and then
    reprinted at a later date you should be able to figure out which version was
    printed first by correlating the file sizes with the print dates.  You
    should also be able to see which user ran the print job.  You might check
    the network backups for the different versions if they were saved on a
    system that gets backed up regularly.
    
    Anyone know a good URL or other resource on decoding file header
    information?
    
    *************************************
    Eric R. Rowe - A.C.F.Sc.
    Computer Systems Coordinator
    School of Nursing - UBC
    (604) 822-7439
    *************************************
    
    
    -----Original Message-----
    From: Nicole Haywood [mailto:N.Haywoodat_private]
    Sent: Thursday, September 13, 2001 10:58 PM
    To: forensicsat_private
    Subject: Forensics on Word Documents
    
    
    I've got to do a comparison on a couple of versions of Word documents to try
    to determine which was created first etc.
    
    Is there anything anyone can suggest I look at in a Word document other
    than creation date and revisions etc.?
    
    Thanks, 
    
    Nicole
    
    --
    Nicole Haywood                          Phone: +61 2 93515504
    Network Security Officer                Fax:   +61 2 93515001
    University of Sydney                    Email: N.Haywoodat_private
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
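
As an added example (not part of the original thread), this is one way to decode the time stamps the reply refers to: the created, last-saved and last-printed FILETIME values in a Word document's SummaryInformation property set. It assumes the raw stream has already been extracted from the compound file; `build_sample`, the file names and the dates are constructed for the demonstration.

```python
import struct, uuid
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
FMTID_SUMMARY = uuid.UUID("f29f85e0-4ff9-1068-ab91-08002b27b3d9").bytes_le
VT_FILETIME = 0x0040
PIDS = {11: "last_printed", 12: "created", 13: "last_saved"}  # SummaryInformation ids

def filetime_to_dt(ft):          # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_summary_times(stream):
    """Pull the FILETIME properties out of a raw SummaryInformation stream."""
    byte_order, = struct.unpack_from("<H", stream, 0)
    if byte_order != 0xFFFE or stream[28:44] != FMTID_SUMMARY:
        raise ValueError("not a SummaryInformation property set")
    set_off, = struct.unpack_from("<I", stream, 44)        # start of the property set
    _size, count = struct.unpack_from("<II", stream, set_off)
    times = {}
    for i in range(count):
        pid, off = struct.unpack_from("<II", stream, set_off + 8 + 8 * i)
        vtype, = struct.unpack_from("<H", stream, set_off + off)
        if pid in PIDS and vtype == VT_FILETIME:
            ft, = struct.unpack_from("<Q", stream, set_off + off + 4)
            if ft:                                          # treat 0 as unset
                times[PIDS[pid]] = filetime_to_dt(ft)
    return times

def order_versions(streams):
    """Sort document names by last-saved time; a missing value sorts first."""
    parsed = {name: parse_summary_times(s) for name, s in streams.items()}
    order = sorted(parsed, key=lambda n: parsed[n].get("last_saved", EPOCH_1601))
    return order, parsed

def build_sample(props):         # constructed input: a stream with FILETIME values only
    base, table, values = 8 + 8 * len(props), b"", b""
    for pid, dt in props.items():
        ticks = int((dt - EPOCH_1601).total_seconds()) * 10_000_000
        table += struct.pack("<II", pid, base + len(values))
        values += struct.pack("<HHQ", VT_FILETIME, 0, ticks)
    body = struct.pack("<II", base + len(values), len(props)) + table + values
    return struct.pack("<HHI16sI16sI", 0xFFFE, 0, 0x00020005, bytes(16), 1,
                       FMTID_SUMMARY, 48) + body

T0, DAY = datetime(2001, 9, 10, 9, tzinfo=timezone.utc), timedelta(days=1)  # constructed
SAMPLES = {
    "version_b.doc": build_sample({12: T0, 11: T0 + DAY, 13: T0 + 2 * DAY}),
    "version_a.doc": build_sample({12: T0, 13: T0 + timedelta(hours=3)}),
}
```

These fields are written by the authoring application from the local clock, so they are one input to weigh alongside the temp files, printer logs and backups mentioned in the reply.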
    
    



    This archive was generated by hypermail 2b30 : Sun Sep 16 2001 - 23:03:03 PDT