Forensic investigation of a Word Doc?
I am in dispute with an employer.
I have a Word Doc, I saved and took a copy of, that says one thing.
They have the same Word Doc that they have changed certain parts of the text.
The issue will end up in court.
Is there anyway I can prove both files are the same files and that they have made changes after the fact?
Thanks for your time
I have a Word Doc, I saved and took a copy of, that says one thing.
They have the same Word Doc that they have changed certain parts of the text.
The issue will end up in court.
Is there anyway I can prove both files are the same files and that they have made changes after the fact?
Thanks for your time
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Strongly suggest that you leave your version untouched as much as possible. Make a copy of the original and then work with the copy.
Office files contain what I call external metadata, which is the Modified/Accessed/Created/
Hope this helps...
Office files contain what I call external metadata, which is the Modified/Accessed/Created/
Hope this helps...
Also when you open the file in Word and launch properties...in the Statistic tab you will see info like ....
Last saved by:
Revision number: 3
Total editing time: 1 Minute
Statistics: Statistic name Value
Pages: 1
Paragraphs: 1
Lines: 1
Words: 2
Characters: 9
Characters (with spaces): 10
Hope this helps.....goodluck
Last saved by:
Revision number: 3
Total editing time: 1 Minute
Statistics: Statistic name Value
Pages: 1
Paragraphs: 1
Lines: 1
Words: 2
Characters: 9
Characters (with spaces): 10
Hope this helps.....goodluck
It obviously depends on how much effort has been taken by the changer.
It would be difficult to change the creation date. The same date and time) would be a strong indication that the two documents started from one, and that at least one of them had been altered since. You can see this and some other useful data as document properties.
It would be difficult to change the creation date. The same date and time) would be a strong indication that the two documents started from one, and that at least one of them had been altered since. You can see this and some other useful data as document properties.
Tut. If I get called away, I must remember to refresh before posting hour-old comments.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
A point of clarification on how and when creation datestamps change: Bearing in mind that there are a lot of nuances to deal with in forensic examinations, too much to cover here, the skinny simplistic explanation is...
The create date you see in external metadata (like in Explorer) usually reflects the time and date that a particular copy of a file came into being, or the moment that copy was "born." This is why you can copy a file to a new location and the new copy reflects the time of the copy, not the actual time of creation for the original file. IOW, it reflects the time that that particular copy came into existence. By contrast, if you move a file, it usually retains its original create date; no new file is created, the old one with its original create date is simply moved to a new location.
It's a lot more complex than this, but this is a very basic-level primer.
The create date you see in external metadata (like in Explorer) usually reflects the time and date that a particular copy of a file came into being, or the moment that copy was "born." This is why you can copy a file to a new location and the new copy reflects the time of the copy, not the actual time of creation for the original file. IOW, it reflects the time that that particular copy came into existence. By contrast, if you move a file, it usually retains its original create date; no new file is created, the old one with its original create date is simply moved to a new location.
It's a lot more complex than this, but this is a very basic-level primer.
Hello,
please take a look at NTFS Data-Streams. you can hide data and programms with that.
http://en.wikipedia.org/wiki/Alternate_Data_Streams
regards
please take a look at NTFS Data-Streams. you can hide data and programms with that.
http://en.wikipedia.org/wiki/Alternate_Data_Streams
regards
ASKER
Basically Word files are not safe at all (now that's a surprise from Microsoft!).
But I have learnt quite a bit today. Not sure if I will ever use it again but interesting read.
Thanks for your time
But I have learnt quite a bit today. Not sure if I will ever use it again but interesting read.
Thanks for your time
Right-click on the file and select properties...
In the general tab you will see info like....
Location: C:\Documents and Settings\Us\Desktop
Size: 9.67 KB (9,905 bytes)
Size on disk: 12.0 KB (12,288 bytes)
Created: Today, January 09, 2010, 7:22:04 AM
Modified: Today, January 09, 2010, 7:22:04 AM
Accessed: Today, January 09, 2010, 7:22:04 AM
In the Summary Tab you will see additional info (also click Advanced button)
Some of this data can be changed, but not all
Some more info on metadata.....
http://esqinc.com/Content/WhitePapers/10-Proven-Tips-Minimizing-Document-Metadata.php