Discrepancy in Word Document Dates  

subujoseph
(@subujoseph)
Member

Hello Everyone,

I am looking at a single Word document (.docx) and I find some discrepancy in the timestamps associated with it. Here are the timestamps:

Document Birth Time (embedded in the document): 10/06/2012 11:39 am GMT
Created Date on local disc: 10/06/2012 10:19 am BST

Can anyone think of any reason as to why the Created Date on the disk is earlier than the Document Birth time??

The author name of the document is the name of the PC that I am looking at. So it could not have originated from a different PC, unless the author name was changed after copying it to the target PC.

I am suspecting a deliberate system time change or use of timestamp altering tools. Could there be any other explanation?

I have tested different other scenarios with no luck.

Any help will be greatly appreciated.

Many Thanks

Posted : 24/05/2013 12:03 am
jaclaz
(@jaclaz)
Community Legend

Document Birth Time (embedded in the document): 10/06/2012 11:39 am GMT
Created Date on local disc: 10/06/2012 10:19 am BST

GMT vs. BST?

"Document birth time" is an "unusual" field name, which tool (if any) did you use to get this info?

Can you provide a screenshot similar to this one (with sensitive/reserved data - if any - redacted)?
http://web.cs.du.edu/~mitchell/forensics/information/ms_office_meta.png

The above tool is not for the actual .docx format, you may be using another GUI tool, but the actual data is in
\docprops\core.xml
and should look like:
2009-10-29T08:59:00Z
2012-03-05T18:07:00Z
2013-05-23T18:39:00Z

jaclaz

Posted : 24/05/2013 12:23 am
keydet89
(@keydet89)
Community Legend

I am suspecting a deliberate system time change or use of timestamp altering tools. Could there be any other explanation?

I was going to wait for a response to jaclaz's post, but this statement struck me.

Do you have any information or artifacts to support either theory at this point? Do you have anything that suggests that the system time was changed, or that a time stamp altering tool had been used?

I think that too often, we may gravitate toward the easy answer, even though it is often equally easy to verify, confirm or even rule that answer out completely.

Posted : 24/05/2013 12:49 am
subujoseph
(@subujoseph)
Member

I am sorry,

By Document Birth Time I meant the time stamp embedded within the word document at the time of creation and

Created Date on local disc - the time-stamp when it was first saved, copied, moved to the new volume.

I used the term 'Document Birth Time' to simply differentiate between the two created times.

As shown in your example, 'Document Birth Time' will be the created time in 'OLE Metadata' and Created Date on Local Disc is 'File System Metadata'.

Hope that clarifies everything.

Cheers.

Posted : 24/05/2013 12:49 am
subujoseph
(@subujoseph)
Member

Hi jaclaz,

Yes, the created date i.e. Document Birth Time was found from core.xml inside

The Other date is the date associated with the file system.

Posted : 24/05/2013 12:56 am
subujoseph
(@subujoseph)
Member

Hi keydet,

At this point I am not arriving at any conclusion(s).

I am just trying to gather all possible explanations which could have resulted in the file-system time being older than the created time in core.xml.

I also forgot to mention, this file is on a pen drive.

The only viable explanation that I can think of is that the document could have been originally created on a different machine which had a wrong date/time and then later copied on to the target system. Also this file is on a pen drive and the author of the document is the owner of the target pc.

Posted : 24/05/2013 1:04 am
jaclaz
(@jaclaz)
Community Legend

The only viable explanation that I can think of is that the document could have been originally created on a different machine which had a wrong date/time and then later copied on to the target system. Also this file is on a pen drive and the author of the document is the owner of the target pc.

This is possible, but the date is the same, and the difference is exactly 1:20 (but you did not provide the "full" time, i.e. the actual string in the .xml, which also includes seconds, and as well the filesystem date may include seconds).
The time in a Word document is stored as UTC (or GMT).
You stated how the filesystem (is it FAT16, FAT32 or NTFS?) reports the time as BST (that is +1 from GMT).
So, the 10/06/2012 10:19 am BST from the filesystem would translate to 10/06/2012 9:19 am GMT, increasing the time difference to 2:20 when compared to 10/06/2012 11:39 am GMT.

If the actual seconds are available in both sources (.docx metadata and filesystem) and they are the same, I would think more of the system (or one of the two systems) having had a manual time change, or of some kind of manual editing of the file, as it is unlikely (possible, but unlikely) that someone manages to repeat an action at an "even" number of seconds; even scheduled tasks often have a few seconds difference in execution.

I would also check the other two date/times normally available from the filesystem, modified and accessed, to see how they compare with the "created".

jaclaz

Posted : 24/05/2013 1:29 am
joakims
(@joakims)
Active Member

Since a .docx actually has the format of a zip, you can also check the timestamp that is in the zip header.

Posted : 24/05/2013 1:41 am
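The three timestamp sources mentioned in this thread (core.xml created/modified, the zip entry header, the filesystem create time) can be pulled and normalised to UTC in one place. The script below is an added example, not code from any poster; it builds its own minimal .docx-shaped zip as a constructed fixture, assumes the core.xml path is docProps/core.xml, and replays the thread's 11:39 GMT vs 10:19 BST figures.

```python
import io
import zipfile
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

NS = {"dcterms": "http://purl.org/dc/terms/"}
BST = timezone(timedelta(hours=1))  # zone of the poster's system clock

def build_sample_docx(created, modified, zip_local):
    """Constructed fixture (not a real Word file): a zip holding only core.xml.
    zip_local becomes the entry's DOS stamp: local time, 2 s resolution, no zone."""
    core = (
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
        'package/2006/metadata/core-properties" '
        'xmlns:dcterms="http://purl.org/dc/terms/" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("docProps/core.xml", date_time=zip_local), core)
    return buf.getvalue()

def parse_w3cdtf(text):
    """core.xml stamps look like 2012-06-10T11:39:00Z and are always UTC."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def docx_timestamps(data, zip_tz):
    """Return (created, modified, zip stamp) as UTC; the zip stamp has no zone of its own."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        info = zf.getinfo("docProps/core.xml")
        root = ET.fromstring(zf.read(info))
    created = parse_w3cdtf(root.find("dcterms:created", NS).text)
    modified = parse_w3cdtf(root.find("dcterms:modified", NS).text)
    zip_utc = datetime(*info.date_time, tzinfo=zip_tz).astimezone(timezone.utc)
    return created, modified, zip_utc

def birth_lead_minutes(data, fs_created_local, fs_tz):
    """Minutes the embedded 'birth' time is later than the filesystem create time."""
    created, _, _ = docx_timestamps(data, fs_tz)
    fs_utc = fs_created_local.replace(tzinfo=fs_tz).astimezone(timezone.utc)
    return (created - fs_utc) / timedelta(minutes=1)

def demo():
    """Replay the thread's figures: birth 11:39 GMT vs FAT32 create 10:19 BST."""
    docx = build_sample_docx("2012-06-10T11:39:00Z", "2012-06-10T11:39:00Z",
                             (2012, 6, 10, 12, 39, 0))  # zip stamp in BST local
    return birth_lead_minutes(docx, datetime(2012, 6, 10, 10, 19, 0), BST)
```

A positive result is the anomaly under discussion (birth time after the filesystem create); the FAT32 side is local time with no zone, so the zone you pass in must be the one the writing system was set to.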
subujoseph
(@subujoseph)
Member

Thank you very much jaclaz.

This is possible, but the date is the same, and the difference is exactly 1:20 (but you did not provide the "full" time, i.e. the actual string in the .xml, which also includes seconds, and as well the filesystem date may include seconds).
jaclaz

If I am right, the Word document doesn't store the seconds value in the xml string. I have seen numerous .docx files, all with the time value as hh:mm:00Z.

Yes, the filesystem timestamp does have the seconds value. I can't remember it now, but since the Word document doesn't store the seconds value I thought considering the seconds value would be irrelevant.

The time in a Word document is stored as UTC (or GMT).
jaclaz

Yes, since it is a .docx file the time-stamp is stored as UTC.

You stated how the filesystem (is it FAT16, FAT32 or NTFS?) reports the time as BST (that is +1 from GMT).

jaclaz

The filesystem on the target pc is NTFS, whereas the filesystem on the pen drive (where the document was found) is FAT32.
The time on the target system is BST.

So, the 10/06/2012 10:19 am BST from the filesystem would translate to 10/06/2012 9:19 am GMT, increasing the time difference to 2:20 when compared to 10/06/2012 11:39 am GMT.
jaclaz

I also noted the same.

I can't remember the other date at the moment. If I remember correctly the last modified time was exactly 1 hr different (UTC/BST), i.e. the time in the document metadata in UTC and the time on the file-system in BST.

So, I strongly suspect some form of manual manipulation. I will have to dig deeper.

Posted : 24/05/2013 3:22 am
corey_h
(@corey_h)
Junior Member

Can anyone think of any reason as to why the Created Date on the disk is earlier than the Document Birth time??

There is a legitimate action for this to occur. I first wanted to clarify something about the document's "birth" time. The time represents when Word is first opened and not when the file is first saved. So if Word is opened and a new document created, and the document is saved for the first time 3 minutes later, then the "birth" time will reflect when Word was opened while the filesystem create date reflects when the document was saved. In these instances the "birth" time comes before the filesystem create time.

Another way to create a document is to right click inside a folder and select New -> Microsoft Word document. When this occurs the document has a filesystem create date but the "birth" time is blank. When the document is opened and saved the "birth" time will reflect when Word was opened. This action will cause the create date on disk to be earlier than the document "birth" time.

For more info about Office metadata check out my cheatsheets. Only thing not reflected is the blank metadata piece.

http://code.google.com/p/jiir-resources/downloads/list

Author name of the document is the Name of the PC that I am looking at. So it could not have originated form a different PC, unless the author name was changed after copying it to target PC.

A few things. The author does not change when a document is copied between computers. It doesn't even change when the document is modified by a different user (check out my cheatsheets). In general, the author is populated based on the UserInfo key inside the NTUSER.DAT registry hive. If you have their ntuser.dat hive you can check the UserInfo key to see what value it has and use it to compare with what is reflected in the document (author and modifier). I've been able to tie documents to user accounts in this manner. To see what I mean check out this post:

http://journeyintoir.blogspot.com/2011/06/why-is-it-what-it-is.html

Corey Harrell
"Journey Into Incident Response"
http://journeyintoir.blogspot.com

Posted : 24/05/2013 4:52 am
keydet89
(@keydet89)
Community Legend

Great response, Corey. Stuff like this needs to be captured.

Posted : 24/05/2013 5:58 am
jaclaz
(@jaclaz)
Community Legend

Another way to create a document is to right click inside a folder and select New -> Microsoft Word document. When this occurs the document has a filesystem create date but the "birth" time is blank. When the document is opened and saved the "birth" time will reflect when Word was opened. This action will cause the create date on disk to be earlier than the document "birth" time.

That would explain the behaviour nicely :), though it still sounds "unusual".

I mean, if I would, first thing in the morning after breakfast, create a Word document that way, and not open it immediately (because distracted by a phone call or whatever), then forget about it and go doing other things, when I come back 2:20 later I will have completely forgotten that .docx and either create a new one or start Word "normally" with a new document.

jaclaz

Posted : 24/05/2013 3:42 pm
corey_h
(@corey_h)
Junior Member

though it still sounds "unusual".

It’s kinda hard to provide more context than what the OP provided without more information. All of the metadata would have been helpful (sanitized of course) since it can provide additional clues about the document. Other info would be helpful as well to rule out other possible explanations.

I mean, if I would first thing in the morning after breakfast, create a word document that way, and not open it immediately

I now create all my documents in this manner, by right clicking and selecting New. I do it out of laziness; it's quicker to create the document where I want it instead of having to browse to the location when I save the document. However, it's hard to project the activity that occurred based on the information provided.

For example, take the author and modified fields in the metadata. Do they both reflect the same username? If so, does the username tie back to the user account's NTUSER.DAT file? How about the company value, and does it reflect the company name on the computer in question? If the answer to any of these questions is no, then the document might have been created using a different computer that had the wrong time. Again, it's a shot in the dark given the information provided.

There are only a few different ways to create a Word document. Outside the timing issues described, the only way (I currently know of) to create a Word document that results in “the Created Date on the disk is earlier than the Document Birth time” is by right clicking and selecting new document.

Corey Harrell
"Journey Into Incident Response"
http://www.journeyintoir.blogspot.com

Posted : 25/05/2013 6:07 am
corey_h
(@corey_h)
Junior Member

only way (I currently know of) to create a Word document.

Alright, my curiosity got the best of me. I was looking at a different way to create a document: using the Save As function. I never tested this before. There is another way to create a document that will result in "the Created Date on the disk is earlier than the Document Birth time": working on an existing document and then saving it on top of itself using the Save As feature. By on top of itself I mean not creating a new document. The filesystem create date remains the same while the document "birth" date is when the document was saved.

Corey

Posted : 25/05/2013 6:29 am
jaclaz
(@jaclaz)
Community Legend

Alright, my curiosity got the best of me. I was looking at a different way to create a document: using the Save As function. I never tested this before. There is another way to create a document that will result in "the Created Date on the disk is earlier than the Document Birth time": working on an existing document and then saving it on top of itself using the Save As feature. By on top of itself I mean not creating a new document. The filesystem create date remains the same while the document "birth" date is when the document was saved.

Corey

That sounds a lot more probable to me :) (this is something I could do - and actually do sometimes).
Actually, being on a pendrive, it would make even more sense.
Example:

  • you have a file on a pendrive
  • you want to edit/update it and either copy it to internal hard disk or open it from the pendrive and then do a "Save as" on hard disk
  • you then edit the copy on the hard disk, then save it (still on hard disk)
  • you save it again with "Save as" to the pendrive to "synchronize" the edits

Another (open) question, possibly Off Topic: we do know that the document is in the .docx format, but nowadays there are tens of tools/apps that can save text in that format. The question is, do they all provide the "correct" metadata (in the sense of, do they "sign" the document with the app name or do they simply use the same MS strings)?

I.e. till now it was assumed (and surely this is the most common case) that the Word document was actually created by Word, but - especially because it appears on a pen drive, and thus we have no additional info on the system and on the programs installed on it - this is not 100% safe to assume.

jaclaz

Posted : 25/05/2013 4:19 pm