
Forensic investigation of a Word Doc?

I am in dispute with an employer.
I have a Word Doc that I saved and took a copy of, which says one thing.
They have the same Word Doc, in which they have changed certain parts of the text.
The issue will end up in court.

Is there any way I can prove both files are the same file and that they have made changes after the fact?

Thanks for your time

2 Solutions
You can look at the file's metadata....

Right-click on the file and select Properties...
In the General tab you will see info like....

Location: C:\Documents and Settings\Us\Desktop
Size: 9.67 KB (9,905 bytes)
Size on disk: 12.0 KB (12,288 bytes)

Created: Today, January 09, 2010, 7:22:04 AM
Modified: Today, January 09, 2010, 7:22:04 AM
Accessed: Today, January 09, 2010, 7:22:04 AM

In the Summary Tab you will see additional info (also click Advanced button)

Some of this data can be changed, but not all

Some more info on metadata.....
Good article for reading...
Strongly suggest that you leave your version untouched as much as possible. Make a copy of the original and then work with the copy.

Office files contain what I call external metadata, which is the Modified/Accessed/Created/Size data you see when viewing the file in Explorer. They can also contain many, many fields of internal metadata (as mentioned by BBW above). This internal metadata only gets changed by the application, and it is usually more reliable than external metadata. The internal metadata is also often overlooked by those less knowledgeable, and it can contain a treasure trove of info, including (sometimes!) Last Author, the amount of time the last author spent editing the doc, etc.

Hope this helps...

Also, when you open the file in Word and launch Properties... in the Statistics tab you will see info like ....

Last saved by:
Revision number: 3
Total editing time: 1 Minute

Statistics:
Statistic name | Value
Pages | 1
Paragraphs | 1
Lines | 1
Words | 2
Characters | 9
Characters (with spaces) | 10

Hope this helps..... good luck
It obviously depends on how much effort has been taken by the changer.

It would be difficult to change the creation date. The same date and time would be a strong indication that the two documents started from one, and that at least one of them had been altered since. You can see this and some other useful data as document properties.

Tut. If I get called away, I must remember to refresh before posting hour-old comments.
btan (Exec Consultant) commented:
The comparison of whether both documents are the same depends on the extent you are looking for:
a) Visible content body in document
- You can try using this tool @ http://www.softinterface.com/MD/Document-Comparison-Software.htm
- You can read more @ http://www.codejacked.com/comparing-two-versions-of-a-word-document/
But this may not be sufficient for a strong legal claim.

b) Visible content body and visible metadata
- On top of (a), as mentioned by BBW, file properties reveal the visible metadata. You can do a manual comparison, which can be more straightforward.

c) Full content including hidden (or indirect, like embedded OLE) metadata
- It can include internal timestamps, embedded macros, 'deleted text' (through the fast save option in Word), etc.
- I see that doing a full hash (computation over the full document bit by bit, or sometimes they like to call it a digital fingerprint) will be the most direct method and a sound comparison. That has been utilised by various forensic tools like EnCase, FTK etc. to remove duplicates for optimal processing.
- You can try the tool md5deep or hashdeep (go for SHA256 for a higher degree of comparison) @ http://md5deep.sourceforge.net/

Overall, I will say that should have covered the content, but audit trails of the files on the machines can complement and strengthen the argument when a dispute happens. File metadata can be manipulated simply by opening the file in a hex editor and changing those bits (of course the hash will be useful here to detect that). There are also metadata removal tools that can erase the traces, and converting to PDF also removes the metadata (maybe not all of it).
Last but not least, do also note that when copying files using Microsoft Windows, it will cause the new files to ('alter') the current date and time. You will also notice the last modified date remains the same. This explains why a file's created date can be more recent than the last modified date.

Preservation is essential, especially when dealing with evidence; read more on this and the tools available (you can try robocopy) @ http://www.pinpointlabs.com/research/preserve_file_timestamps.htm
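As an added illustration of points (c) above (not code from anyone in this thread), the following Python script computes the SHA-256 fingerprint of two .docx copies and then compares the internal metadata that Word writes into docProps/core.xml (creator, last modified by, revision number, created and modified timestamps). The two packages it compares are constructed inline with invented names and dates; only the standard library is used.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by docProps/core.xml inside a .docx package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# Internal metadata fields Word updates on every save
FIELDS = ["dc:creator", "cp:lastModifiedBy", "cp:revision",
          "dcterms:created", "dcterms:modified"]

def sha256(data: bytes) -> str:
    """Digital fingerprint of the whole file, bit for bit."""
    return hashlib.sha256(data).hexdigest()

def core_properties(docx_bytes: bytes) -> dict:
    """Read the application-written metadata from docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    return {f: (root.findtext(f, namespaces=NS) or "") for f in FIELDS}

def compare(a: bytes, b: bytes) -> dict:
    """Hash both copies, then list the internal metadata fields that differ."""
    pa, pb = core_properties(a), core_properties(b)
    diffs = {f: (pa[f], pb[f]) for f in FIELDS if pa[f] != pb[f]}
    return {"identical": sha256(a) == sha256(b), "differences": diffs}

def make_docx(creator, last_modified_by, revision, created, modified) -> bytes:
    """Constructed minimal package holding only core.xml (not a real Word file)."""
    core = (
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        % (NS["cp"], NS["dc"], NS["dcterms"])
        + f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        f"<cp:revision>{revision}</cp:revision>"
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()
```

Run `compare()` on the bytes of your preserved copy and the employer's copy: a matching hash settles the question outright, while a mismatch together with an unchanged created timestamp but a later modified timestamp and higher revision number is the pattern of one file edited after the fact.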
A point of clarification on how and when creation datestamps change: bearing in mind that there are a lot of nuances to deal with in forensic examinations, too much to cover here, the skinny, simplistic explanation is...

The create date you see in external metadata (like in Explorer) usually reflects the time and date that a particular copy of a file came into being, or the moment that copy was "born." This is why you can copy a file to a new location and the new copy reflects the time of the copy, not the actual time of creation for the original file. IOW, it reflects the time that that particular copy came into existence. By contrast, if you move a file, it usually retains its original create date; no new file is created, the old one with its original create date is simply moved to a new location.

It's a lot more complex than this, but this is a very basic-level primer.

Please take a look at NTFS data streams. You can hide data and programs with that.

NELMO (Author) commented:
Basically Word files are not safe at all (now that's a surprise from Microsoft!).
But I have learnt quite a bit today. Not sure if I will ever use it again but interesting read.

Thanks for your time
