I have been set a challenge by my supervisor to find out if there is a definite way of finding out the real date & time of a document. Looking at the properties of the document doesn't prove it to be correct.
Any views?
birch39.
I would use either Payne's Metadata Assistant or Metadataminer Catalogue to verify the internal metadata. The external metadata is more easily modified than the internal metadata and can show varying dates/times from the internal metadata.
Whenever a Word document is open, there is a temp file in the same directory. It is automatically deleted, but if you can find it, it gives another date to play with. Any information could be useful.
A deleted temp file is harder to tamper with if someone wants to change the date of a document - but there again, it may well have been overwritten.
What kind of document? I can see that others have assumed that the document in question is an MS Office Word document…but is that what you're referring to?
> Whenever a Word document is open, there is a temp file in the same directory. It is automatically deleted, but if you can find it, it gives another date to play with. Any information could be useful.
> A deleted temp file is harder to tamper with if someone wants to change the date of a document - but there again, it may well have been overwritten.
Agreed. One other point. If a document is contained as an attachment in an Outlook/Exchange message and it is opened and remains open after the enclosing message is closed, the TEMP file will persist on the file system (at least with most versions of Outlook on XP). If the application used to view the attachment is closed first, it will not persist.
As you noted, this is not definitive for the actual document dates and times but it can be another, useful, data point.
Just a question: what *is* the real date and time of a document? That is, how do you define real in this context?
What do you mean by *Real* time? I think you should refer to MACE time analysis to see the last Modified, Access, Created and Entry Modified time. Which time are you looking for? There are 8 different timestamps within a file (have a look at $MFT file and you will see).
Have you started with OLE stream, link files and meta analysis?
Check out Paul Sanderson's
LinkAlyzer - http//
OleDeconstruct - http//
And Windows Forensic Analysis - PERL scripts on DVD
Also depends on file system and OS.
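Added example, not part of the thread and not taken from any of the tools named above: a sketch of reading the eight NTFS timestamps mentioned earlier (four in $STANDARD_INFORMATION, four in $FILE_NAME) from one raw $MFT record and listing where the two sets disagree. The function names and the sample record are constructed for illustration, and the update-sequence fixups of a real record are not applied here.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
NAMES = ("created", "modified", "mft_modified", "accessed")

def filetime(dt):
    """datetime -> FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def mft_timestamps(record):
    """Return {"SI": {...}, "FN": {...}} for one raw FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 20)[0]    # offset of first attribute
    out = {}
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:         # end marker / corrupt length
            break
        if atype in (0x10, 0x30) and record[off + 8] == 0:   # resident $SI / $FN
            body = off + struct.unpack_from("<H", record, off + 20)[0]
            skip = 8 if atype == 0x30 else 0         # $FN starts with parent reference
            vals = struct.unpack_from("<4Q", record, body + skip)
            key = "SI" if atype == 0x10 else "FN"
            out.setdefault(key, dict(zip(NAMES, map(from_filetime, vals))))
        off += alen
    return out

def si_before_fn(ts):
    """Names of $SI times that are earlier than the matching $FN time."""
    return [n for n in NAMES if ts["SI"][n] < ts["FN"][n]]

def _attr(atype, content):
    """Constructed resident attribute: 24-byte header followed by content."""
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(content),
                       0, 0, 0, 0, 0, len(content), 24, 0, 0) + content

def sample_record():
    """Constructed 1024-byte record: $SI 'created' backdated, $FN untouched."""
    real = filetime(datetime(2009, 6, 15, 10, 30, tzinfo=timezone.utc))
    back = filetime(datetime(2005, 1, 1, tzinfo=timezone.utc))
    si = struct.pack("<4Q", back, real, real, real) + bytes(16)
    fn = struct.pack("<5Q", 5, real, real, real, real) + bytes(32)
    rec = b"FILE" + bytes(16) + struct.pack("<H", 56) + bytes(34)
    rec += _attr(0x10, si) + _attr(0x30, fn) + struct.pack("<I", 0xFFFFFFFF)
    return rec.ljust(1024, b"\0")
```

A $STANDARD_INFORMATION time earlier than its $FILE_NAME counterpart is a common indicator that the user-visible dates were changed after the fact, but copies, moves and renames can also make the two sets differ, so treat it as one more data point.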