Duplicate Files & Back Dating
Hi everyone, I have a strange situation. I have a case where someone may have back-dated their system, created a doc and then returned the system to the current time. I have one document where it is created on a date in '04 and an exact duplicate of that file created in '05. Both documents match, but I'm under the impression that the '05 document was created first.
Using my EnCase image with FTK, the '05 document is listed as the primary and the '04 is listed as the secondary. I have other signs pointing to something malicious happening, i.e. shortcut (.lnk) files being created before the document ever existed. Does anyone know if the FTK primary listing, when dealing with duplicates, means that this was the first document created? Or can anyone point me in the direction of where to look? I've tried just about every tool to analyze the doc.
…an exact duplicate of that file…
Out of curiosity, what method are you using to determine that the files are exact duplicates? I'm not questioning whether they are or not, simply asking the method that you used to determine that.
With regards to the rest of the post, what is it that you're trying to determine? What are you analyzing? When you say "doc", are you referring to a document in general, or is it a Word document that you're referring to?
What sort of doc file is it? Many of the newer word processing programs embed metadata that will give you more information as to the history of the files produced.
It's a Microsoft Word document and I have MD5 hashed both documents. I'm just trying to see if someone created a document with a back-dated computer system to make it reflect an '04 date instead of '05.
I've checked the metadata using several tools like Metadata Assistant and Catalogue. The user had Metadata Assistant on the computer system and then deleted it off of there. I know you can manipulate documents with Metadata Assistant. Thanks.
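An added example, not from this thread or any of the tools named in it: it hashes each copy to confirm the two are byte-identical, reads the creation timestamp the word processor stored inside the document, and flags any copy whose filesystem timestamp predates that internal creation time, which is the inconsistency a clock set back would leave behind. It assumes Office Open XML packages (the docProps/core.xml part), whereas the thread's era binary .doc files keep the same fields in OLE property streams; the sample packages are constructed inline and contain only that metadata part, and a mismatch is an indicator to explain, not proof, since such metadata can itself be edited.

```python
import hashlib
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from calendar import timegm
from datetime import datetime, timezone

DCTERMS = "{http://purl.org/dc/terms/}"  # namespace of dcterms:created in docProps/core.xml

def sha256_of(path):
    # Equal digests mean the copies are byte-identical (the same check as comparing MD5s).
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def embedded_created(path):
    # Creation time the word processor recorded inside the package, as an aware UTC datetime.
    with zipfile.ZipFile(path) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    return datetime.fromisoformat(root.find(DCTERMS + "created").text.replace("Z", "+00:00"))

def analyze_copies(paths):
    # One record per copy. A filesystem time earlier than the document's own creation time
    # needs explaining: a clock set back is one cause, clock skew between systems another.
    report = []
    for p in paths:
        mtime = datetime.fromtimestamp(os.path.getmtime(p), tz=timezone.utc)
        created = embedded_created(p)
        report.append({"path": p, "sha256": sha256_of(p), "fs_mtime": mtime,
                       "doc_created": created, "suspicious": mtime < created})
    return report

def build_sample(path, created_iso, mtime_epoch):
    # Constructed input: a package holding only docProps/core.xml, written with a fixed zip
    # entry date so two calls with the same created_iso produce identical bytes.
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
            'metadata/core-properties" xmlns:dcterms="http://purl.org/dc/terms/">'
            f'<dcterms:created>{created_iso}</dcterms:created></cp:coreProperties>')
    info = zipfile.ZipInfo("docProps/core.xml", date_time=(2005, 3, 1, 9, 0, 0))
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(info, core)
    os.utime(path, (mtime_epoch, mtime_epoch))

def demo():
    # Two byte-identical copies, both claiming creation in March 2005, with 2004 and 2005 file dates.
    d = tempfile.mkdtemp()
    a, b = os.path.join(d, "report_2004.docx"), os.path.join(d, "report_2005.docx")
    build_sample(a, "2005-03-01T09:00:00Z", timegm((2004, 2, 15, 12, 0, 0)))
    build_sample(b, "2005-03-01T09:00:00Z", timegm((2005, 3, 1, 10, 0, 0)))
    return analyze_copies([a, b])
```

Run `demo()` to see the two records: identical hashes, identical internal creation time, and only the '04-dated copy marked suspicious. On a real image, compare the same internal timestamp against the $STANDARD_INFORMATION and $FILE_NAME times the forensic tool reports rather than the mtime of an exported copy.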
Does anyone know if the FTK primary listing, when dealing with duplicates, means that this was the first document created?
I am fairly sure that this is just the first copy that FTK came across when adding the data.