I've found a text editor that works very well for examining files of all types... it is called Ultra Edit. It's shareware, and very reasonably priced. It will allow you to examine files in both character and HEX mode - with easy conversion from one to the other. It also has many other nice features.. (I get no commission for this, I've just found it extremely handy).... See http://www.ultradedit.com for the code.

You could use it to examine the editing tracks left behind by MS Word (inserts are chained into the doc at the end, for example, and not embedded in line (unless the file is saved with a new name and reloaded, or saved in a portable format (.txt, .rtf, etc.) and then reread)). Even an exact copy might have different tracks left in it - though it prints out the same.

It's also quite possible that one person found a *.tmp file on a public terminal left behind by another student.. if you're not aware that MS Word keeps working copies in the 'temp' directory (usually c:\temp or c:\tmp), it's fairly easy to rename one of these files and recover your (or someone else's) work on a public terminal.

Are there any kinds of logs to show when users were logged on to public terminals (if the work was done in a lab)? That might provide some audit trail evidence, if available.

msh
---------------------------------------------------------
Michael S Hines               | Phone 765-494-5875
Purdue University             | FAX 765-496-1380
Management Information        | Email mshinesat_private
OS/390 Systems Programmer     | Certifications:
1061 Freehafer Hall           | CIA, CISA, CFE, CDP
West Lafayette, IN 47907-1061 |

-----Original Message-----
From: pigletat_private [mailto:pigletat_private]On Behalf Of Tim Haynes
Sent: Thursday, September 20, 2001 2:46 AM
To: Nicole Haywood
Cc: crazybarryat_private; forensicsat_private
Subject: Re: Forensics on Word Documents

Nicole Haywood <N.Haywoodat_private> writes:

> BTW thanks everyone for their suggestions. And yes the windows strings
> utility came in very handy, as I didn't have access to unix to examine
> files.
>
> For those that are interested I am investigating a case of academic
> misconduct. Basically two students handed in the same assignment, and one
> is claiming the other student stole it, so I was trying to work out if
> there was any evidence in the word document itself which might indicate
> which student is telling the truth.

Um. There are a multiplicity of ways in which the contents of one .doc file could've wound up in the other; someone could've cut & paste the content, or exported it via RTF and converted it back, in which case the metadata from the *destination* installation of Word would be present, and that metadata only. Hence, it can miss a positive.

One thing that comes to mind is that if `quick save' is enabled, you get edits appended after the body text - ie it's no longer a bulk all-in-one-place linear thing. You could tell if that was different between the two docs, although I'm not sure that's any use for checking if it's been copied.

I think that nothing can be gained by going via `strings' that couldn't have been seen by looking at the doc in Word itself to check properties and author information, and by running a complete print-out and looking for areas of extreme similarity or obvious duplication.

~Tim
--
They did a dance called America         |pigletat_private
They danced it round                    |http://spodzone.org.uk/
And waited at the turns                 |

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
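
The quick-save state discussed in the thread is recorded in the header (File Information Block) of a binary .doc, so it can be read and compared directly. The following is an added example, not part of the original messages; it assumes the `WordDocument` stream has already been extracted from each file's OLE container, and the two sample headers are constructed.

```python
import struct

FIB_MAGIC = 0xA5EC  # wIdent: marks the start of a Word binary WordDocument stream

def parse_fib_base(stream: bytes) -> dict:
    """Decode the save-related fields in the first 12 bytes of a WordDocument stream."""
    if len(stream) < 12:
        raise ValueError("too short to hold a FIB header")
    # Layout: wIdent, nFib, unused, lid, pnNext, then a 16-bit flag word at offset 10.
    w_ident, n_fib, _unused, lid, _pn_next, flags = struct.unpack_from("<6H", stream, 0)
    if w_ident != FIB_MAGIC:
        raise ValueError(f"not a Word binary stream (wIdent=0x{w_ident:04X})")
    return {
        "nFib": n_fib,                            # file format version
        "lid": lid,                               # install language ID
        "fComplex": bool(flags & 0x0004),         # last save was incremental (quick save)
        "cQuickSaves": (flags >> 4) & 0x0F,       # consecutive quick saves (always 0xF when nFib >= 0x00D9)
        "fEncrypted": bool(flags & 0x0100),
        "table_stream": "1Table" if flags & 0x0200 else "0Table",
    }

def compare_save_state(a: bytes, b: bytes) -> dict:
    """Return only the header fields that differ, as (value_in_a, value_in_b)."""
    fa, fb = parse_fib_base(a), parse_fib_base(b)
    return {k: (fa[k], fb[k]) for k in fa if fa[k] != fb[k]}

# Constructed sample headers (not taken from any real document):
# DOC_A was quick-saved three times in a row, DOC_B was written by a full save.
DOC_A = struct.pack("<6H", FIB_MAGIC, 0x00C1, 0, 0x0409, 0, 0x0004 | (3 << 4) | 0x0200)
DOC_B = struct.pack("<6H", FIB_MAGIC, 0x00C1, 0, 0x0409, 0, 0x0200)

if __name__ == "__main__":
    for name, doc in (("A", DOC_A), ("B", DOC_B)):
        print(name, parse_fib_base(doc))
    print("differences:", compare_save_state(DOC_A, DOC_B))
```

A difference here only shows that the two files were last saved in different ways; a copy made by paste or RTF round-trip carries the destination's save state, so matching or differing values do not by themselves show which file came first.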
This archive was generated by hypermail 2b30 : Thu Sep 20 2001 - 13:26:42 PDT