Quick question, what are some reasons why an Excel Spreadsheet (.xls) would be showing the last modified date and time before the files created time in the files Meta Data.
Is it possible this file modified but not saved, or saved as a different file?
Thanks
Is it possible this file modified but not saved, or saved as a different file?
Have you tried testing this out? You know, create an Excel spreadsheet, and then modify it without saving it, and saving it as a different file. Have you tried this?
As far as you initial question, I haven't seen anything like this before. I'll ask around.
H. Carvey
"Windows Forensics and Incident Recovery"
http//
http//windowsir.blogspot.com
Some thoughts on why this sort of situation would occur…
If the spreadsheet had been created on another system, or the system time had been modified, this might have occurred.
Did you pull the rest of the metadata from the spreadsheet…like the last 10 authors?
H. Carvey
"Windows Forensics and Incident Recovery"
windowsir.blogspot.com
I did some testing after the post and here is what I came up with.
I created a spreadsheet on a machine with the current date and time. I then moved it to another machine I had modified the date to January 1 2003. I then checked the Meta Data and it showed today's date as it was on the original machine. I then modified the spreadsheet and saved it again, now what I had was a modified date of Jan 1 2003 and a created date September 14 2005.
So I guess it can be done, as for your comment on the last 10 authors, I am lost on that one, can you share your knowledge on how I could find the author 10 edits ago?
Thanks
Sure…it's covered in my book, but the basics of it can be found here
http//
There's some info from MS here
http//
Basically, the "last 10 authors" is part of the information stored in the document…the "document" referring to an OLE structured storage file like MS Office documents.
There's a script on the CD that comes with my book that pulls metadata from Word documents…minor modifications will allow you to get the same stuff from Excel spreadsheets.
I've also found that the tool Metadata Assistant works pretty well. Have you given that one a shot?
H. Carvey
"Windows Forensics and Incident Recovery"
windowsir.blogspot.com
Harlan,
I came across your book late last night and look forward to reading it in the future. I read a post on a different site once about Metadata Assistant and it sounds good. Have any of these tools stood up in court?
Are there any other ones available that you know are reliable?
Thanks
Reliable and standing up in court tend to be two separate issues.
Most of the tools I've seen will reliably pull the information from the file. You can also run strings.exe, looking specifically for Unicode strings, or FoundStone's BinText. Either way, you'll see the same information within the file as you see with Metadata Assistant and other tools.
As far as standing up in court, I can't say that I've seen where they've been questioned.
Why not focus on the process, rather than the specific tool? After all, if you can show that your process is sound, what does it matter which tool you use?
H. Carvey
"Windows Forensics and Incident Recovery"
http//
http//windowsir.blogspot.com
You can use a hex viewer as well. There's a date/time converter available for free from
Please let me know the site for downloading Internet Activity Analyser "PASCO". Since i will be Installing it on Windows2K..are any special instructions to follow?
Please let me know the site for downloading Internet Activity Analyser "PASCO". Since i will be Installing it on Windows2K..are any special instructions to follow?
There's a great new thing out there called "Google". It's a search engine!
Have you tried entering 'Internet Activity Analyser Pasco' into it?