Hello Everyone,
I am looking at a single Word document (.docx) and I find some discrepancy in the timestamps associated with it. Here are the timestamps:
Document Birth Time (embedded in the document): 10/06/2012 11:39 am GMT
Created Date on local disc: 10/06/2012 10:19 am BST
Can anyone think of any reason as to why the Created Date on the disk is earlier than the Document Birth Time?
The author name of the document is the name of the PC that I am looking at. So it could not have originated from a different PC, unless the author name was changed after copying it to the target PC.
I am suspecting a deliberate system time change or use of timestamp altering tools. Could there be any other explanation?
I have tested different other scenarios with no luck.
Any help will be greatly appreciated.
Many Thanks
Document Birth Time (embedded in the document): 10/06/2012 11:39 am GMT
Created Date on local disc: 10/06/2012 10:19 am BST
GMT vs. BST?
"Document birth time" is an "unusual" field name, which tool (if any) did you use to get this info?
Can you provide a screenshot similar to this one (with sensible/reserved data - if any - redacted)
http//
The above tool is not for the actual .docx format, you may be using another GUI tool, but the actual data is in
\docprops\core.xml
and should look like
<cp:lastPrinted>2009-10-29T08:59:00Z</cp:lastPrinted>
<dcterms:created xsi:type="dcterms:W3CDTF">2012-03-05T18:07:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2013-05-23T18:39:00Z</dcterms:modified>
jaclaz
I am suspecting a deliberate system time change or use of timestamp altering tools. Could there be any other explanation?
I was going to wait for a response to jaclaz's post, but this statement struck me.
Do you have any information or artifacts to support either theory at this point? Do you have anything that suggests that the system time was changed, or that a time stamp altering tool had been used?
I think that too often, we may gravitate toward the easy answer, even though it is often equally easy to verify, confirm or even rule that answer out completely.
I am sorry,
By Document Birth Time I meant the time stamp embedded within the word document at the time of creation and
Created Date on local disc - the time-stamp when it was first saved, copied, moved to the new volume.
I used the term 'Document Birth Time' to simply differentiate between the two created times.
As shown in your example, 'Document Birth Time' will be the created time in the 'OLE Metadata' and 'Created Date on Local Disc' is the 'File System Metadata'.
Hope that clarifies everything.
Cheers.
Hi jaclaz,
Yes, the created date, i.e. Document Birth Time, was found from core.xml inside <dcterms:created xsi:type="dcterms:W3CDTF"></dcterms:created>
The Other date is the date associated with the file system.
Hi keydet,
At this point I am not arriving at any conclusion(s).
I am just trying to gather all possible explanations which could have resulted in the file-system time being older than the created time in core.xml.
I also forgot to mention, this file is on a pen drive.
The only viable explanation that I can think of is that the document could have been originally created on a different machine which had a wrong date/time and was then later copied on to the target system. Also, this file is on a pen drive and the author of the document is the owner of the target PC.
The only viable explanation that I can think of is that the document could have been originally created on a different machine which had a wrong date/time and was then later copied on to the target system. Also, this file is on a pen drive and the author of the document is the owner of the target PC.
This is possible, but the date is the same, and the difference is exactly 1:20 (but you did not provide the "full" time, i.e. the actual string in the .xml, which also includes seconds, and the filesystem date may include seconds as well).
The time in a Word document is stored as UTC (or GMT).
You stated how the filesystem (is it FAT16, FAT32 or NTFS?) reports the time as BST (that is +1 from GMT).
So, the 10/06/2012 10:19 am BST from the filesystem would translate to 10/06/2012 9:19 am GMT, increasing the time difference to 2:20 when compared to 10/06/2012 11:39 am GMT.
If the actual seconds are available in both sources (.docx metadata and filesystem) and they are the same, I would think more at the system (or one of the two systems) having had a manual time change, or at some kind of manual editing of the file, as it is unlikely (possible, but unlikely) that someone manages to repeat an action at an "even" number of seconds, even scheduled tasks have often a few seconds difference in execution.
I would also check the other two date/times normally available from the filesystem, modified and accessed, to see how they compare with the "created".
jaclaz
Since a .docx is actually in zip format, you can also check the timestamp that is in the zip header.
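To make the checks suggested above concrete (reading dcterms:created/modified from docProps/core.xml, reading the zip-header time of each entry, and converting a BST filesystem time to UTC before comparing), here is an added Python example that is not from this thread or any of its posters. The .docx it inspects is a minimal package constructed in memory with the thread's 11:39Z created value; the 12:39Z modified value and the 13:39 zip-header time are made-up sample data, and a blank dcterms:created element is reported as None rather than a date.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# XML namespaces used in docProps/core.xml of an OOXML package.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dcterms": "http://purl.org/dc/terms/"}

def parse_w3cdtf(text):
    """Parse a dcterms W3CDTF string (e.g. 2012-06-10T11:39:00Z) into an aware UTC datetime."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text).astimezone(timezone.utc)

def docx_timestamps(docx_bytes):
    """Return created/modified from core.xml (UTC, or None when the element is blank or
    missing) and the zip-header time of each entry (saving machine's local clock, no zone)."""
    result = {"created": None, "modified": None, "zip_entries": {}}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for info in z.infolist():
            result["zip_entries"][info.filename] = datetime(*info.date_time)
        if "docProps/core.xml" in z.namelist():
            root = ET.fromstring(z.read("docProps/core.xml"))
            for key in ("created", "modified"):
                el = root.find(f"dcterms:{key}", NS)
                if el is not None and el.text and el.text.strip():
                    result[key] = parse_w3cdtf(el.text.strip())
    return result

def minutes_after_fs(doc_utc, fs_local_iso, fs_utc_offset_hours):
    """Minutes by which the document time is later than a filesystem time given in local
    time (BST = +1). Negative means the filesystem time is the later one."""
    fs_utc = datetime.fromisoformat(fs_local_iso).replace(
        tzinfo=timezone(timedelta(hours=fs_utc_offset_hours)))
    return (doc_utc - fs_utc) / timedelta(minutes=1)

def build_sample_docx(created="2012-06-10T11:39:00Z"):
    """Constructed sample: a package holding only docProps/core.xml (not a real Word file)."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dcterms="{NS["dcterms"]}" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
            '<dcterms:modified xsi:type="dcterms:W3CDTF">2012-06-10T12:39:00Z</dcterms:modified>'
            '</cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:  # made-up zip-header time; the format keeps 2 s resolution
        z.writestr(zipfile.ZipInfo("docProps/core.xml", date_time=(2012, 6, 10, 13, 39, 0)), core)
    return buf.getvalue()
```

With the thread's values, minutes_after_fs(created, "2012-06-10T10:19:00", 1) gives 140 (2:20), and passing offset 0 gives the 80 minutes (1:20) you get by ignoring the zone difference.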
Thank you very much jaclaz.
This is possible, but the date is the same, and the difference is exactly 1:20 (but you did not provide the "full" time, i.e. the actual string in the .xml, which also includes seconds, and the filesystem date may include seconds as well).
jaclaz
If I am right, the Word document doesn't store the seconds value in the XML string. I have seen numerous .docx files, all with the time value as hh:mm:00Z.
Yes, the filesystem timestamp does have the seconds value. I can't remember it now, but since the Word document doesn't store the seconds value I thought considering the seconds value would be irrelevant.
The time in a Word document is stored as UTC (or GMT).
jaclaz
Yes, since it is a .docx file the time-stamp is stored as UTC.
You stated how the filesystem (is it FAT16, FAT32 or NTFS?) reports the time as BST (that is +1 from GMT).
jaclaz
The filesystem on the target PC is NTFS, whereas the filesystem on the pen drive (where the document was found) is FAT32.
The time on the target system is BST
So, the 10/06/2012 10:19 am BST from the filesystem would translate to 10/06/2012 9:19 am GMT, increasing the time difference to 2:20 when compared to 10/06/2012 11:39 am GMT.
jaclaz
I also noted the same.
I can't remember the other date at the moment. If I remember correctly the last modified time was exactly 1 hr different (UTC/BST), i.e. the time in the document metadata in UTC and the time on the file-system in BST.
So, I strongly suspect some form of manual manipulation. I will have to dig deeper.
Can anyone think of any reason as to why the Created Date on the disk is earlier than the Document Birth Time?
There is a legitimate action for this to occur. I first wanted to clarify something about the document's "birth" time. The time represents when Word is first opened and not when the file is first saved. So if Word is opened and a new document is created, and the document is saved for the first time 3 minutes later, then the "birth" time will reflect when Word was opened while the filesystem create date reflects when the document was saved. In these instances the "birth" time comes before the filesystem create time.
Another way to create a document is to right click inside a folder and select New -> Microsoft Word Document. When this occurs the document has a filesystem create date but the "birth" time is blank. When the document is opened and saved, the "birth" time will reflect when Word was opened. This action will cause the create date on disk to be earlier than the document "birth" time.
For more info about Office metadata check out my cheatsheets. The only thing not reflected is the blank metadata piece.
http//
The author name of the document is the name of the PC that I am looking at. So it could not have originated from a different PC, unless the author name was changed after copying it to the target PC.
A few things. The author does not change when a document is copied between computers. It is not even changed when the document is modified by a different user (check out my cheatsheets). In general, the author is populated based on the UserInfo key inside the NTUSER.DAT registry hive. If you have their ntuser.dat hive you can check the UserInfo key to see what value it has and use it to compare with what is reflected in the document (author and modifier). I've been able to tie documents to user accounts in this manner. To see what I mean check out this post
http//
Corey Harrell
"Journey Into Incident Response"
http://journeyintoir.blogspot.com