Last Printed Metadata

Batfink
(@batfink)
Posts: 5
Active Member
Topic starter
 

Under what circumstances would you possibly find the last printed date to be before the metadata creation date of a Word Document?
Obviously if the local clock was inaccurate for either of these 2 events, but other than that?
It's possible these Word files were created from PDFs - could this account for it?

 
Posted : 09/03/2017 5:04 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Can you share some context?

What version of Windows are you looking at? What is the version of Word? Is the document OLE format, or the newer PK/XML format? What are you using to retrieve the data?

Thanks.

 
Posted : 09/03/2017 7:03 pm
Batfink
(@batfink)
Posts: 5
Active Member
Topic starter
 

The version of Windows is unknown as the files are in isolation. Version 2010 and 2013 of Word were used to create the files using the xml structure file type.
The metadata is visible from the files' properties in Windows on my forensic box and is also confirmed by viewing the files in both X-Ways and FTK.

 
Posted : 09/03/2017 7:22 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Great, thanks for the response.

Without context, however, it's difficult to do much more than simply provide possibilities and "maybes".

 
Posted : 09/03/2017 9:49 pm
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

I can replicate that without context.

I created a Word document, printed it, saved it as a template (.dotx). Closed Word.

I re-opened Word, created a new document based on the template, saved this as a document (.docx). Closed Word.

The metadata shows the Last Printed 2 minutes before the Created date.

Cool.

PS You don't even have to do templates - if a Word document has already been printed and you SAVE AS to a new file, then the Created timestamp becomes the time you Save As and the Last Printed metadata remains the same (it's not erased/wiped out by the Save As operation).

 
Posted : 10/03/2017 12:11 am
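
As an added example (not part of any post in this thread), this Python sketch reads the timestamps Word stores in docProps/core.xml of a .docx/.dotx package and flags the case discussed above, where Last Printed predates Created. The function names and the in-memory sample package are constructed for illustration, and it assumes the values are second-precision UTC strings ending in "Z".

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dcterms": "http://purl.org/dc/terms/"}
FIELDS = {"created": "dcterms:created", "modified": "dcterms:modified",
          "last_printed": "cp:lastPrinted"}

def parse_w3cdtf(text):
    """Parse a UTC W3CDTF value such as 2017-03-09T10:00:00Z."""
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def core_times(docx):
    """Read the embedded timestamps from docProps/core.xml (path or file object)."""
    with zipfile.ZipFile(docx) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    times = {}
    for key, tag in FIELDS.items():
        node = root.find(tag, NS)
        times[key] = parse_w3cdtf(node.text) if node is not None and node.text else None
    return times

def printed_before_created(times):
    """True if Last Printed predates Created; None if either value is missing."""
    printed, created = times["last_printed"], times["created"]
    if printed is None or created is None:
        return None
    return printed < created

def constructed_sample():
    """Constructed package: printed at 10:00, then written out by Save As at 10:02."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dcterms="%s" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<cp:lastPrinted>2017-03-09T10:00:00Z</cp:lastPrinted>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2017-03-09T10:02:00Z</dcterms:created>'
            '</cp:coreProperties>') % (NS["cp"], NS["dcterms"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    t = core_times(constructed_sample())
    print(t["last_printed"], t["created"], printed_before_created(t))
```

These values live inside the document package, so they are separate from the filesystem timestamps of the file itself.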
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Move document from drive X to Y, creation date updates for the new drive, printed date stays the same.

Windows API can be used to set any normal filesystem timestamps, can be done with one line of code in .NET.

 
Posted : 10/03/2017 1:27 am
(@lcherne)
Posts: 9
Active Member
 

Under what circumstances would you possibly find the last printed date to be before the metadata creation date of a Word Document?

This can depend on the version of Word.

Some ideas from Corey Harrell's posts in this thread: http://www.forensicfocus.com/Forums/viewtopic/p=6567921/

One scenario linked from the thread includes

Document Printed then Saved as new document

 
Posted : 10/03/2017 8:36 am
Batfink
(@batfink)
Posts: 5
Active Member
Topic starter
 

Thank you very much for your responses. I had thought that a 'save as' with a different name still retained the originating creation date, but no, as you state - certainly with Word 2010 it does not.
Thank you.

 
Posted : 10/03/2017 1:27 pm