Creation of temporary files "~$" in Windows 8.1

UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

I am investigating what potential causes exist for temporary files beginning with "~$" to be created in a Windows 8.1 environment related to Microsoft Word, PowerPoint and Excel files specifically and hoping for some sage guidance from the brilliant minds at forensicfocus.com.

For example, with the option to "see system files" turned on, I can see in Windows explorer that opening a file called "Example.docx" in Word 2013 will cause a file called "~$ample.docx" to be created in the same directory as "Example.docx" until such time as I close the file "Example.docx" (at which point "~$ample.docx" disappears from Windows explorer).

As part of my testing, I used FTK Imager 3.1.1.8's "add evidence item" feature to look at my computer's C:\ drive. Within FTK Imager, I could still see the "~$ample.docx" file, which is now showing up with a little red "X" through it meaning it is now a "deleted file".

What is strange is that FTK Imager is showing a "Date Modified" value of 6 hours in the future for the "~$ample.docx" file! Not sure why this impossible date value is showing in FTK Imager.

I then used FTK Imager's "Export Files" function to export the "~$ample.docx", and looked at the MAC properties of the now recovered "~$ample.docx" file and see the original correct MAC values of when I originally opened the "Example.docx" file.

I am curious if anyone has performed any analysis or is aware of research they could share around the root causes of what actions create this sort of "~$" temporary file in a Windows 8.1 environment?

Can anyone state definitively that the "~$ample.docx" file can only be created as a result of a human being opening the "Example.docx" file in Word in a Windows 8.1 environment?

Is anyone aware of other causes for files such as "~$ample.docx" to be created, such as a virus scan, a user-enacted search of a directory of Word files, Windows' indexing process, or some other indirect cause?

Can anyone please point me in the direction of research showing why temporary files such as "~$ample.docx" may remain on a hard drive even after the related Word file has been closed? Perhaps premature shutting down of a system while Word is still running, or ejecting an external drive while Word is still running (and thus leaving "~$ample.docx" type temporary files on the external drive)?

Many thanks in advance!

 
Posted : 13/11/2014 8:35 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

With all due respect ) , you have it wrong. 😯

The behaviour of creating a temporary file is not connected to Windows 8.1 specifically, it is the "normal" way Word operates (previous versions of Word did the same, but with .doc files instead) on all Windows systems.
If Word crashes, the file is used I believe in the built-in recovery.

Cannot really say why FTK would see a different date/time for the file (BTW are you sure that this is not connected to timezone/UTC?), but you should check with another tool and, more than that, a .docx is actually a "plain" .zip file, so if you open it in any archive manager, you can see the internal structure, and \DocProps\core.xml should contain the fields dcterms:created and dcterms:modified that may help
http://www.forensicswiki.org/wiki/Word_Document_(DOCX)

jaclaz

 
Posted : 13/11/2014 4:11 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

Thank you! You did answer my question regarding Windows 8.1 having any relationship to the creation of the "~$" temporary files.

I opened my test Word file using WinRar and extracted the core.xml file and saw the embedded Date Modified and Date Created (see below).

Never heard of the Dublin Core Metadata Initiative (DCMI), but now I am aware of it!

However, core.xml did not reveal my "core" question, which is: can one definitively state that "~$" temporary files are only created as the result of an end user manually opening a Word file, or can these "~$" temporary files be created as the result of a system event, virus scan, or other indirect actions?

I analyzed all the Windows event log files available to see if I could find something contemporaneous with the creation of "~$" files, but nothing has jumped out at me. Next I am going to look at Prefetch files. I also ran Autopsy to create a timeline but have not analyzed the Autopsy timeline yet (to see what other files are changing at the time a "~$" file is created).

Here are the core.xml file contents:

<?xml version="1.0" encoding="UTF-8" standalone="true"?>
<cp:coreProperties xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties">
    <dc:creator>Clark Kent</dc:creator>
    <cp:lastModifiedBy>Microsoft account</cp:lastModifiedBy>
    <cp:revision>5</cp:revision>
    <dcterms:created xsi:type="dcterms:W3CDTF">2014-11-05T04:16:00Z</dcterms:created>
    <dcterms:modified xsi:type="dcterms:W3CDTF">2014-11-05T04:33:00Z</dcterms:modified>
</cp:coreProperties>

 
Posted : 13/11/2014 6:29 pm
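The check jaclaz suggested (unzip the .docx, read docProps/core.xml, and compare the UTC stamps in dcterms:created and dcterms:modified against what the imaging tool displays) as an added, runnable example. This is not code from the thread or from any tool named in it; the embedded core.xml is a constructed stand-in using the values posted above, wrapped in a minimal zip so the parser can run offline. A real .docx contains many more parts, and the six-hour shift used at the end is only an illustration of jaclaz's timezone hypothesis, not a claim about the poster's machine.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# XML namespaces used in docProps/core.xml: the OPC core-properties part plus
# Dublin Core elements and terms (the "dcterms" fields discussed in the thread).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed sample (not a real evidence file): the core.xml values posted in the
# thread, so the parser can be exercised without a document on disk.
SAMPLE_CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>Clark Kent</dc:creator>
<cp:lastModifiedBy>Microsoft account</cp:lastModifiedBy>
<cp:revision>5</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2014-11-05T04:16:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2014-11-05T04:33:00Z</dcterms:modified>
</cp:coreProperties>
"""


def build_sample_docx() -> bytes:
    """Return the bytes of a minimal zip holding only docProps/core.xml (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", SAMPLE_CORE_XML)
    return buf.getvalue()


def parse_w3cdtf(value: str) -> datetime:
    """Parse the W3CDTF stamp Word writes (e.g. 2014-11-05T04:16:00Z) into an
    aware datetime. The trailing Z means UTC, not the user's local time."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        # Defensive: an offset-less stamp is treated as UTC rather than left naive.
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def core_properties(docx_bytes: bytes) -> dict:
    """Read docProps/core.xml out of a .docx (which is a zip) and return its key fields."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(path: str):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "revision": text("cp:revision"),
        "created": parse_w3cdtf(text("dcterms:created")),
        "modified": parse_w3cdtf(text("dcterms:modified")),
    }


def in_local_time(ts: datetime, utc_offset_hours: int) -> datetime:
    """Shift a UTC stamp into a fixed-offset zone so it can be compared with a
    tool that displays local time (a fixed offset ignores DST transitions)."""
    return ts.astimezone(timezone(timedelta(hours=utc_offset_hours)))


if __name__ == "__main__":
    props = core_properties(build_sample_docx())
    for key, val in props.items():
        print(f"{key:>17}: {val}")
    # The same instant six hours west of UTC, to see how a local-time display would differ.
    print("created at UTC-6:", in_local_time(props["created"], -6))
```

If the imaging tool's "Date Modified" differs from the dcterms:modified stamp by a whole number of hours, the display timezone is the first thing to rule out before treating the stamp as anomalous. The stdlib ElementTree parser is used here for brevity; for core.xml pulled from untrusted evidence, a hardened parser such as defusedxml is the safer choice.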
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The issue with your question is that it is not a "valid" one.

What we know is this:

  1. every time Word opens a .docx file it creates a "temporary copy" of it with "~$" as the first two letters of the filename
  2. every time Word closes a .docx file, it deletes the corresponding "~$" .docx file
  3. the "~$" docx file has the "hidden" attribute and thus it is "normally" not seen by the user (unless the option to show hidden files is selected in - say - Explorer)
  4. if Word for whatever reasons crashes, the "~$" .docx is not deleted (but still it remains hidden)
  5. like any other file that is deleted, unless the sectors that it occupied are overwritten the file is undeletable

Since the .docx file format consists in a "plain enough" assembly of .xml files inside an (also "plain enough") .zip archive, it is entirely possible (and actually fairly easy, at least for simple docs) to create such files, so it is impossible to say that a particular "~$" file has been actually written by Word, BUT (and this is NOT a "full" answer to your question) it is very unlikely that any other tool/program will behave like that, and there are NOT (AFAIK) antivirus/system tools that do that.

If you prefer, the creation of those "~$" .docx is a known feature of Word, as a matter of fact an "essential part" of its working and as such it is very likely that each and every "~$" .docx that you will be able to find/recover were created by Word opening (or creating) a corresponding "normally named" file.

jaclaz

 
Posted : 13/11/2014 7:51 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

Extremely helpful information!

I now understand and agree with your assessment that my original question was not valid. Basically, one can state that these ~$ files' creation dates correspond with the time that a user opened up the corresponding Word file.

Actually, can one go further to state that the creation dates of ~$ files are reasonable evidence of the corresponding program being run in the absence of other supporting evidence? In other words, I always look to Windows event log files, prefetch files, MAC dates surrounding the program executable, and registry entries related to the program I am analyzing usage history for.

Simply carving for ~$ files and sorting them in chronological order to build a timeline of when an Office program was run seems much more straight forward.

Having said that, I still find analysis of Windows event logs very helpful to recover activities such as printing that may follow chronologically the opening of a Word file for example. Also, I use the event files to help determine which user or users were logged into a system at the time potentially relevant activity occurred, what network(s) the computer was contemporaneously attached to. I could find no contemporaneous browser activity, cloud storage access and mail client activity and saw nothing occurring around the ~$ creation date and time.

In my real life case this question is related to, I have found no other activity preceding, during or following the creation dates of the ~$ files in question, so I cannot state from a forensic standpoint what may have been done with the opened Word files.

I am going to look at where clipboard information is stored next in case content from the opened Word file was copied, for example.

My research has shown that Microsoft only guarantees some date stamps by plus or minus two hours, so I expanded the window of "concurrent" activity to the opening of the Word file by that amount but still came away empty handed.

 
Posted : 13/11/2014 8:32 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Basically, one can state that these ~$ sign files creation dates correspond with the time that a user opened up the corresponding Word file.

Yep ) .
And it is very likely that you can also find (in full or "traces of") the corresponding "normally named" .docx file.

Actually, can one go further to state that the creation dates of ~$ files are reasonable evidence of the corresponding program being run in the absence of other supporting evidence? In other words, I always look to Windows event log files, prefetch files, MAC dates surrounding the program executable, and registry entries related to the program I am analyzing usage history for.

To me they are.

In the sense that surely whenever a file is opened in Word such a file is created, whilst there is no reason why any other artifact should be shown in the Windows Event logs or - for that matter - anywhere else.

I mean, let's say that a (mad) user starts the Word program monday morning when he gets to his office PC and then never closes it, nor switches the PC off until friday evening.

Which other traces of the usage of the program during the week (unless Word for whatever reasons crashes and is restarted) could you find (if not these ~$xxxx.docx files)?

jaclaz

 
Posted : 13/11/2014 9:28 pm
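The "carve the ~$ files and sort them chronologically" approach UnallocatedClusters describes, combined with jaclaz's point that the corresponding "normally named" .docx can often be found alongside, as an added example that is not part of the thread and not code from FTK Imager, Autopsy or any other tool named in it. The directory listing is constructed; the "deleted" flag stands in for the red X the poster saw in FTK Imager. The name-matching rule is the one the thread demonstrates (the first two characters of the document name replaced by "~$", so Example.docx pairs with ~$ample.docx); how Word names owner files for very short document names is not covered here and is an assumption the code does not make.

```python
import ntpath
from datetime import datetime
from typing import List, NamedTuple

OWNER_PREFIX = "~$"
WORD_EXTENSIONS = (".docx", ".doc")   # the formats the thread discusses


class FsEntry(NamedTuple):
    path: str          # path as listed by the imaging tool
    created: datetime  # file-system creation timestamp (treated as UTC)
    deleted: bool      # the tool flagged the entry as deleted (the red X in FTK Imager)


# Constructed listing standing in for imaging-tool output; not real evidence.
SAMPLE_LISTING: List[FsEntry] = [
    FsEntry(r"C:\Users\ck\Documents\Example.docx", datetime(2014, 11, 5, 4, 16), False),
    FsEntry(r"C:\Users\ck\Documents\~$ample.docx", datetime(2014, 11, 12, 9, 2), True),
    FsEntry(r"C:\Users\ck\Documents\Budget 2014.docx", datetime(2014, 10, 1, 14, 0), False),
    FsEntry(r"C:\Users\ck\Documents\~$dget 2014.docx", datetime(2014, 11, 10, 15, 45), True),
    FsEntry(r"C:\Users\ck\Documents\~$port.docx", datetime(2014, 11, 11, 8, 30), True),
    FsEntry(r"C:\Users\ck\Documents\notes.txt", datetime(2014, 11, 11, 8, 0), False),
]


def is_owner_file(path: str) -> bool:
    """True for a Word owner file: name begins with ~$ and carries a Word extension."""
    name = ntpath.basename(path)
    return name.startswith(OWNER_PREFIX) and name.lower().endswith(WORD_EXTENSIONS)


def candidate_originals(owner_path: str, listing: List[FsEntry]) -> List[str]:
    """Documents in the same folder whose name, with its first two characters
    replaced by ~$, equals the owner file name. Case-insensitive, as NTFS is."""
    owner_dir, owner_name = ntpath.split(owner_path)
    tail = owner_name[len(OWNER_PREFIX):].lower()
    matches = []
    for entry in listing:
        if is_owner_file(entry.path):
            continue
        folder, name = ntpath.split(entry.path)
        if folder.lower() == owner_dir.lower() and name[len(OWNER_PREFIX):].lower() == tail:
            matches.append(entry.path)
    return sorted(matches)


def owner_file_timeline(listing: List[FsEntry]) -> List[dict]:
    """Chronological list of owner-file creations, each paired with the documents it
    could belong to. An empty candidate list means the original is gone from that
    folder (or was never there), which is itself a finding worth recording."""
    events = []
    for entry in listing:
        if not is_owner_file(entry.path):
            continue
        events.append({
            "opened_at": entry.created,
            "owner_file": entry.path,
            "deleted": entry.deleted,
            "candidates": candidate_originals(entry.path, listing),
        })
    return sorted(events, key=lambda ev: ev["opened_at"])


if __name__ == "__main__":
    for ev in owner_file_timeline(SAMPLE_LISTING):
        state = "deleted" if ev["deleted"] else "live"
        cands = ", ".join(ntpath.basename(c) for c in ev["candidates"]) or "(no matching document)"
        print(f"{ev['opened_at']:%Y-%m-%d %H:%M}  {ntpath.basename(ev['owner_file']):<20} {state:<8} -> {cands}")
```

The owner file's creation time is the "document opened" event; an owner file that is still live rather than deleted points at the situation jaclaz describes in his fourth point (Word still running, or never closed cleanly), and a document whose own creation time is later than its owner file's suggests a "save as" or a re-created file rather than a simple open. ntpath is used so the Windows paths parse the same way on a non-Windows analysis box.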