Forensics on Word document: revision numbers question


investigative-me
Newbie
 

Forensics on Word document: revision numbers question

Posted: Jan 15, 20 18:11

This is related to my other posted question. Same parties, here I have Word, though.

I have a Word document based on a template which was sent by an "Official Person" to two parties. This Word document is a new fresh document (0 minutes editing time) and thus a copy/paste from the document used to create it. It can be presumed this was done to wipe the tracked changes and authors. Importantly, this document shows it is "Revision number: 2".

The Word document's XML shows multiple edits and what seems to be different authors from the copy/paste.

Now comes the question:

One of the parties replied to the document with tracked changes. This document however still shows "Revision number: 2".

As the second party, I make a tracked change to the document emailed by the Official Person and it amends it to "Revision number: 3". Same if I amend the document from the other party, it goes to revision number 3.

Let's call this other party "Unauthorised Person". How can that person have edited the document with tracked changes but the revision number didn't incrementally increase? Could it be that the Unauthorised Person had a copy of the document from the Official Person beforehand and amended revision number 1, or is it that the Unauthorised Person had in fact already edited the document and therefore the revision number didn't incrementally increase?

I have other documents in Word format from the Unauthorised Person and the Official Person to compare.

I am looking to prove that the Word document was in fact already edited by the Unauthorised Person, illegally working together with the Official Person.

Interestingly, it seems that the Unauthorised Person and the Official Person use different versions of Word.

Any help is most welcome.  
 
  

investigative-me
Newbie
 

Re: Forensics on Word document: revision numbers question

Posted: Jan 15, 20 21:26

I have done some more digging and am looking for anyone with experience with ENDNOTES.XML in the OOXML file.

Referring to the above:

- the Official Person's document is revision 2 and was made with Word version w14 wp14.

- the Unauthorised Person's document is also revision 2 and was made with Word version w14 w15 w16se w16cid wp14.


When I take the Official Person's document and add tracked changes, I get a revision 3 with Word version w14 w15 w16se w16cid wp14.

When I take the Unauthorised Person's document and add tracked changes, I get a revision 3 with Word version w14 w15 w16se w16cid wp14.

My conclusion: Both I and the Unauthorised Person have a newer version of Word, the Official Person has Word 2010 only.

Now, it gets interesting:

In ENDNOTES.XML the Official Person has:

<w:endnote w:id="-1" w:type="separator">
<w:p w:rsidP="00704EC3" w:rsidRDefault="00BF4354" w:rsidR="00BF4354">

The Unauthorised Person has:

<w:endnote w:id="-1" w:type="separator">
<w:p w:rsidP="00704EC3" w:rsidRDefault="000620CE" w:rsidR="000620CE">


Note: the rsidP (Paragraph) is the same in both, but the other two are different.


Now, if I take the Official Person's version and add tracked changes as stated above, then I get:

<w:endnote w:id="-1" w:type="separator">
<w:p w:rsidP="00704EC3" w:rsidRDefault="00BF4354" w:rsidR="00BF4354">


Note: I retain the Official Person's hex values.


Now, if I take the Unauthorised Person's version and add tracked changes, I end up with:

<w:endnote w:id="-1" w:type="separator">
<w:p w:rsidP="00704EC3" w:rsidRDefault="000620CE" w:rsidR="000620CE">

Note: I retain the Unauthorised Person's hex values.


My hypothesis, based upon this and upon the revision number not increasing from the Official Person's to the Unauthorised Person's version, is that the Unauthorised Person made the tracked changes to revision number 1, not revision number 2 as I did in both cases.

This would lead to the conclusion that revision number 1 was in fact written in the later version of Word and the values were changed when the docx file was "downgraded" to Word 2010. The backwards compatibility of Word however didn't then change this value when I amended and saved the Word 2010 version.

In simple terms, the two revision number 2 documents stem from the identical text revision number 1, but that was created on a newer version of Word.

If anyone can recommend additional ways in the XML to confirm, prove or refute this hypothesis, please help.

Thank you.  
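
An added example, not part of the original posts: one way to compare two .docx files on the values discussed in this thread, reading cp:revision from docProps/core.xml, the w:rsids table from word/settings.xml, and every w:rsid* attribute in the other word/ parts. The function names and the two sample packages are constructed for illustration; only the three endnote hex values are taken from the posts above.

```python
import io, zipfile, xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"

def part_rsids(xml):
    """Every w:rsid* attribute value (rsidR, rsidRDefault, rsidP, ...) in one XML part."""
    return {v for el in ET.fromstring(xml).iter()
            for k, v in el.attrib.items() if k.startswith(W + "rsid")}

def fingerprint(data):
    """Revision counter, declared rsid table and per-part rsid usage of a .docx (bytes)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        rsids = ET.fromstring(z.read("word/settings.xml")).find(W + "rsids")
        used = {n: part_rsids(z.read(n)) for n in z.namelist()
                if n.startswith("word/") and n.endswith(".xml")}
    kids = [] if rsids is None else list(rsids)  # a package may carry no w:rsids table at all
    root = [e.get(W + "val") for e in kids if e.tag == W + "rsidRoot"]
    return {"revision": int(core.findtext(CP + "revision", "0")), "root": root[0] if root else None,
            "table": [e.get(W + "val") for e in kids if e.tag == W + "rsid"], "used": used}

def compare(a, b):
    """Shared and unique editing-session ids, plus parts whose rsid attributes differ."""
    ta, tb, parts = set(a["table"]), set(b["table"]), a["used"].keys() | b["used"].keys()
    return {"same_root": a["root"] is not None and a["root"] == b["root"],
            "shared": sorted(ta & tb), "only_a": sorted(ta - tb), "only_b": sorted(tb - ta),
            "differing_parts": sorted(n for n in parts if a["used"].get(n) != b["used"].get(n))}

def build_sample(revision, table, note):
    """Constructed minimal package for this demo, not a real Word file."""
    ns, ids = f'xmlns:w="{W[1:-1]}"', "".join(f'<w:rsid w:val="{r}"/>' for r in table)
    parts = {
        "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{CP[1:-1]}">'
            f'<cp:revision>{revision}</cp:revision></cp:coreProperties>',
        "word/settings.xml": f'<w:settings {ns}><w:rsids><w:rsidRoot w:val="{table[0]}"/>'
            f'{ids}</w:rsids></w:settings>',
        "word/endnotes.xml": f'<w:endnotes {ns}><w:endnote w:id="-1" w:type="separator">'
            f'<w:p w:rsidP="00704EC3" w:rsidRDefault="{note}" w:rsidR="{note}"/></w:endnote></w:endnotes>'}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

# Constructed inputs: the rsid tables are invented; only the endnote values come from the posts.
OFFICIAL = build_sample(2, ["00704EC3", "00BF4354"], "00BF4354")
OTHER = build_sample(2, ["00704EC3", "000620CE"], "000620CE")
print(compare(fingerprint(OFFICIAL), fingerprint(OTHER)))
```

In the OOXML specification each w:rsid entry in settings.xml marks one editing session and w:rsidRoot marks the first, so the shared and unique entries of the two tables show where two files' editing histories coincide and where they diverge. Run it on working copies of the files, passing each file's bytes to `fingerprint`.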
 
