Re: Forensics on Word Documents

From: daniel heinonen (d.heinonenat_private)
Date: Mon Sep 17 2001 - 15:59:09 PDT


    Hi Nicole,
    
    Below is a modified copy of a previous post relating to Word times.  Most 
    of this is based on me sitting in front of Word 97 and trying things 
    out.  As some other person mentioned, "what are you looking for?" If you give 
    me more info I might be able to work out more.  You probably are referring 
    to Word 2000, as Australian universities get it cheap under CAUDIT.  Oh well, 
    since you did not mention a version I will tell you everything about Word 
    97 : ) Oh, and please do tell if you find what you are looking for.
    
    When you go into Windows Explorer and right click and say new Word document 
    it will create a file with the following properties.  Btw I have found the 
    best way to view these items is in Windows Explorer and right click on the 
    file and select Properties.  However, W2K does not show you Statistics where 
    NT and 98 will.
    
    General tab:
    CREATED	Friday, July 06, 2001 10:09:17 AM
    MODIFIED	Friday, August 01, 1997 8:37:00 AM
    ACCESSED	Friday, July 06, 2001 10:15:01 AM
    
    Statistics tab:
    CREATED	blank
    MODIFIED	Friday, August 01, 1997 8:37:00 AM
    ACCESSED	Friday, July 06, 2001 10:15:01 AM
    
    Now when you first open a document it fills in the Created and modifies the 
    Last accessed times as present.  The August 01, 1997 time above is from the 
    c:\winnt\shellnew\winword8.doc file.
    
    When you first open a document or create one from within Word the created 
    and modified times change to suit. When you open a document then save, the 
    last accessed and modified times will change.  These items only get changed 
    when you press save.
    
    Also, just for your information, Word 97 stores the last 10 authors by 
    default.  This is stored with the author's name having a space after each 
    character. E.g. if author is "daniel" it is stored "d a n i e l"
    
    Word Microsoft KB articles of relevance:
    Q172875 - WD97: General Document Properties Incorrect During Save
    Q223790 - WD97: How to Minimize Metadata in Microsoft Word Documents
    Q195005 - WD97: Some Document Properties Populated Automatically
    
    Another site that might help would be the following, which includes the binary 
    format for Word 97 files:
    http://www.redbrick.dcu.ie/~bob/Tech/wword8.html
    
    -Daniel Heinonen
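
An added example, not part of the original post: it assumes the spaced-out author names described above are 16-bit little-endian text as a byte viewer displays it (the post only describes the appearance, not the cause), in which case a plain ASCII search for the name misses it. The sample buffer, path and function names are constructed for illustration.

```python
import re

# Constructed sample bytes: one ordinary 8-bit string followed by an author
# name and a path stored as 16-bit little-endian text. Not taken from a real file.
SAMPLE = (
    b"\x00\x01Microsoft Word 8.0\x00\xff"
    + "daniel".encode("utf-16-le")
    + b"\x00\x00"
    + "C:\\My Documents\\report.doc".encode("utf-16-le")
    + b"\x00\x00\x07\x07"
)

PRINTABLE = b"[\x20-\x7e]"  # printable ASCII range


def as_viewer_shows(raw):
    """Render bytes the way a simple viewer does: non-printables become spaces."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else " " for b in raw)


def ascii_strings(data, min_len=4):
    """Runs of printable 8-bit characters, like a default `strings` pass."""
    pattern = re.compile(PRINTABLE + b"{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def utf16le_strings(data, min_len=4):
    """Runs of printable characters each followed by a zero byte.

    Returns (offset, text) pairs so each hit can be located in the file.
    """
    pattern = re.compile(b"(?:" + PRINTABLE + b"\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in pattern.finditer(data)]


if __name__ == "__main__":
    print("viewer rendering :", repr(as_viewer_shows("daniel".encode("utf-16-le"))))
    print("8-bit strings    :", ascii_strings(SAMPLE))
    for offset, text in utf16le_strings(SAMPLE):
        print("16-bit string at offset %d: %s" % (offset, text))
```
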
    
    