Forensic investigation of a Word Doc?

Posted on 2010-01-09
Medium Priority
Last Modified: 2012-05-08
I am in dispute with an employer.
I have a Word Doc, I saved and took a copy of, that says one thing.
They have the same Word Doc that they have changed certain parts of the text.
The issue will end up in court.

Is there any way I can prove both files are the same files and that they have made changes after the fact?

Thanks for your time

Question by:NELMO
LVL 14

Expert Comment

ID: 26273314
You can look at the file's metadata....

Right-click on the file and select properties...
In the general tab you will see info like....

Location: C:\Documents and Settings\Us\Desktop
Size: 9.67 KB (9,905 bytes)
Size on disk: 12.0 KB (12,288 bytes)

Created: Today, January 09, 2010, 7:22:04 AM
Modified: Today, January 09, 2010, 7:22:04 AM
Accessed: Today, January 09, 2010, 7:22:04 AM

In the Summary Tab you will see additional info (also click Advanced button)

Some of this data can be changed, but not all

Some more info on metadata.....
LVL 14

Accepted Solution

BigBadWolf_000 earned 1000 total points
ID: 26273338
Good article for reading...

Expert Comment

ID: 26273379
Strongly suggest that you leave your version untouched as much as possible. Make a copy of the original and then work with the copy.

Office files contain what I call external metadata, which is the Modified/Accessed/Created/Size data you see when viewing the file in Explorer. They can also contain many, many fields of internal metadata (as mentioned by BBW above). This internal metadata only gets changed by the application, and it is usually more reliable than external metadata. The internal metadata is also often overlooked by those less knowledgeable, and it can contain a treasure trove of info, including (sometimes!) Last Author, the amount of time the last author spent editing the doc, etc.

Hope this helps...
LVL 14

Expert Comment

ID: 26273381
Also, when you open the file in Word and launch Properties... in the Statistics tab you will see info like ....

Last saved by:
Revision number: 3
Total editing time: 1 Minute
Statistics: Statistic name Value
Pages: 1
Paragraphs: 1
Lines: 1
Words: 2
Characters: 9
Characters (with spaces): 10

Hope this helps..... good luck
LVL 76

Expert Comment

ID: 26273492
It obviously depends on how much effort has been taken by the changer.

It would be difficult to change the creation date. The same date and time would be a strong indication that the two documents started from one, and that at least one of them had been altered since. You can see this and some other useful data as document properties.

LVL 76

Expert Comment

ID: 26273504
Tut. If I get called away, I must remember to refresh before posting hour-old comments.
LVL 64

Assisted Solution

btan earned 1000 total points
ID: 26300995
The comparison of whether both documents are the same depends on the extent you are looking for:
a) Visible content body in document
- You can try using this tool @ http://www.softinterface.com/MD/Document-Comparison-Software.htm
- You can read more @ http://www.codejacked.com/comparing-two-versions-of-a-word-document/
But this may not be sufficient for a strong legal claim.

b) Visible content body and visible metadata
- On top of (a), as mentioned by BBW, file properties reveal the visible metadata. You can do a manual comparison, which can be more straightforward.

c) Full content including hidden (or indirect, like embedded OLE) metadata
- It can include internal timestamps, embedded macros, 'deleted text' (through the fast save option in Word), etc.
- I see that doing a full hash (computation over the full document bit by bit, or sometimes they like to call it a digital fingerprint) will be the most direct method and a sound comparison. That has been utilised by various forensic tools like EnCase, FTK etc. to remove duplicates for optimal processing.
- You can try the tool md5deep or hashdeep (go for SHA256 for a higher degree of comparison) @ http://md5deep.sourceforge.net/

Overall, I will say that should have covered the content, but audit trails of the files in the machines can complement and strengthen the argument when a dispute happens. File metadata can be manipulated by simply opening the file in a hex editor and changing those bits (of course the hash will be useful here to detect this). There are also metadata removal tools that can erase the traces, and converting to PDF also removes the metadata (may not be all).
Last but not least, do also note that when copying files using Microsoft Windows, it will cause the new files to take on ('alter' to) the current date and time. You will also notice the last modified date remains the same. This explains why a file's created date can be more recent than its last modified date.

Preservation is essential, especially when dealing with evidence; read more on this and the tools available (you can try robocopy) @ http://www.pinpointlabs.com/research/preserve_file_timestamps.htm
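The two ideas in this thread, a whole-file hash (btan's point c) and the internal Properties/Statistics fields BBW describes (Last saved by, Revision number, Total editing time), can be checked in one pass with a short script. This is an added example, not code from the thread or from any of the tools linked above; it assumes the files are in the zip-based .docx format (a binary .doc has no docProps parts), and the two sample documents it builds are constructed for offline testing.

```python
# Added example (not from the thread): hash two .docx copies and diff their internal metadata.
import hashlib, io, zipfile
import xml.etree.ElementTree as ET
# XML namespaces used inside docProps/core.xml and docProps/app.xml of a .docx package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Field name -> (part inside the zip, element path relative to that part's root).
FIELDS = {
    "creator": ("docProps/core.xml", "dc:creator"),
    "lastModifiedBy": ("docProps/core.xml", "cp:lastModifiedBy"),  # "Last saved by"
    "revision": ("docProps/core.xml", "cp:revision"),              # "Revision number"
    "created": ("docProps/core.xml", "dcterms:created"),
    "modified": ("docProps/core.xml", "dcterms:modified"),
    "totalTime": ("docProps/app.xml", "ep:TotalTime"),             # "Total editing time"
}

def docx_metadata(data: bytes) -> dict:
    """Read the internal metadata Word shows under Properties/Statistics from a .docx."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = {p: ET.fromstring(z.read(p)) for p in set(z.namelist()) & {f[0] for f in FIELDS.values()}}
        for key, (part, path) in FIELDS.items():
            el = parts[part].find(path, NS) if part in parts else None
            meta[key] = el.text if el is not None else None
    return meta

def compare_docx(a: bytes, b: bytes) -> dict:
    """SHA-256 both copies (bit-for-bit fingerprint) and list internal fields that disagree."""
    ha, hb = (hashlib.sha256(x).hexdigest() for x in (a, b))
    ma, mb = docx_metadata(a), docx_metadata(b)
    return {"sha256": (ha, hb), "identical": ha == hb,
            "differences": {k: (ma[k], mb[k]) for k in FIELDS if ma[k] != mb[k]}}

def build_sample_docx(author, last_by, rev, modified, minutes) -> bytes:
    """Constructed minimal package holding only the two metadata parts (not a real Word file)."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" xmlns:dcterms="{NS["dcterms"]}">'
            f'<dc:creator>{author}</dc:creator><cp:lastModifiedBy>{last_by}</cp:lastModifiedBy><cp:revision>{rev}</cp:revision>'
            f'<dcterms:created>2010-01-08T10:00:00Z</dcterms:created><dcterms:modified>{modified}</dcterms:modified></cp:coreProperties>')
    app = f'<Properties xmlns="{NS["ep"]}"><TotalTime>{minutes}</TotalTime></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()
```

Run `compare_docx` on the bytes of your saved copy and the other side's copy: a matching hash settles it outright, and when the hashes differ the `differences` dict shows which internal fields (revision, last saved by, editing time, modified) moved, while an unchanged `created` stamp supports the "started from one document" argument made above.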

Expert Comment

ID: 26301167
A point of clarification on how and when creation datestamps change:  Bearing in mind that there are a lot of nuances to deal with in forensic examinations, too much to cover here, the skinny simplistic explanation is...

The create date you see in external metadata (like in Explorer) usually reflects the time and date that a particular copy of a file came into being, or the moment that copy was "born." This is why you can copy a file to a new location and the new copy reflects the time of the copy, not the actual time of creation for the original file. IOW, it reflects the time that that particular copy came into existence. By contrast, if you move a file, it usually retains its original create date; no new file is created, the old one with its original create date is simply moved to a new location.

It's a lot more complex than this, but this is a very basic-level primer.

Expert Comment

ID: 26405744
Please take a look at NTFS Data Streams. You can hide data and programs with that.

Author Closing Comment

ID: 31674991
Basically Word files are not safe at all (now that's a surprise from Microsoft!).
But I have learnt quite a bit today. Not sure if I will ever use it again but interesting read.

Thanks for your time
