Great response, Corey. Stuff like this needs to be captured.
Another way to create a document is to right click inside a folder and select New -> Microsoft Word document. When this occurs the document has a filesystem create date but the “birth” time is blank. When the document is opened and saved the “birth” time will reflect when Word was opened. This action will cause the create date on disk to be earlier than the document “birth” time.
That would explain the behaviour nicely, though it still sounds "unusual".
I mean, if I would, first thing in the morning after breakfast, create a Word document that way and not open it immediately (because distracted by a phone call or whatever), then forget about it and go doing other things, when I come back 220 later I will have completely forgotten that .docx and either create a new one or start Word "normally" with a new document.
jaclaz
though it still sounds "unusual".
It’s kinda hard to provide more context than what the OP provided without more information. All of the metadata would have been helpful (sanitized of course) since it can provide additional clues about the document. Other info would be helpful as well to rule out other possible explanations.
I mean, if I would first thing in the morning after breakfast, create a word document that way, and not open it immediately
I now create all my documents in this manner; by right clicking and selecting new. I do it out of laziness; it’s quicker to create the document where I want it instead of having to browse to the location when I save the document. However, it’s hard to project about the activity that occurred based on the information provided.
For example, take the author and modified fields in the metadata. Do they both reflect the same username? If so, does the username tie back to the user account’s NTUSER.DAT file? How about the company value: does it reflect the company name on the computer in question? If the answer to any of these questions is no, then the document might have been created using a different computer that had the wrong time. Again, it’s a shot in the dark given the information provided.
There are only a few different ways to create a Word document. Outside the timing issues described, the only way (I currently know of) to create a Word document that results in “the Created Date on the disk is earlier than the Document Birth time” is by right clicking and selecting new document.
Corey Harrell
"Journey Into Incident Response"
only way (I currently know of) to create a Word document.
Alright, my curiosity got the best of me. I was looking at a different way to create a document: using the Save As function. I never tested this before. There is another way to create a document that will result in "the Created Date on the disk is earlier than the Document Birth time": working on an existing document and then saving it on top of itself using the Save As feature. By on top of itself I mean you don't create a new document. The filesystem create date remains the same while the document "birth" date is when the document was saved.
Corey
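As an added example (not code from this thread), here is the check Corey's two posts describe, carried out on the file itself: pull the document "birth" time (dcterms:created in docProps/core.xml) out of a .docx and compare it with the filesystem create date. The .docx packages and all timestamps below are constructed samples, and the filesystem create date is passed in as a value instead of being read from disk, so it runs anywhere.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespaces used in docProps/core.xml of an OOXML (.docx) package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

def ts(w3cdtf):
    """Parse a W3CDTF timestamp such as 2012-05-14T09:30:00Z into an aware datetime."""
    return datetime.fromisoformat(w3cdtf.strip().replace("Z", "+00:00"))

def build_docx(created=None, modified=None):
    """Constructed sample: a minimal zip holding only docProps/core.xml.
    None omits the element entirely; "" writes it empty (both read as a blank birth time)."""
    body = ""
    if created is not None:
        body += f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
    if modified is not None:
        body += f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
    xmlns = " ".join(f'xmlns:{k}="{v}"' for k, v in NS.items())
    core = f'<?xml version="1.0" encoding="UTF-8"?><cp:coreProperties {xmlns}>{body}</cp:coreProperties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()

def read_core_times(docx_bytes):
    """Return (created, modified) from docProps/core.xml; None where the element is missing or blank."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    def get(tag):
        el = root.find(tag, NS)
        if el is None or not (el.text or "").strip():
            return None
        return ts(el.text)
    return get("dcterms:created"), get("dcterms:modified")

def classify(fs_created, docx_bytes):
    """Compare the filesystem create date with the document birth time and label the relationship."""
    birth, _ = read_core_times(docx_bytes)
    if birth is None:
        return "blank_birth"              # right-click New, never opened and saved in Word
    if birth > fs_created:
        return "birth_after_fs_create"    # right-click New then saved, or Save As over itself
    if birth < fs_created:
        return "birth_before_fs_create"   # the common case after a copy to another volume
    return "consistent"
```

The classify labels only narrow down the candidate explanations from the thread; as Corey notes, the author, last-modified-by and company values are still needed before drawing a conclusion.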
Alright, my curiosity got the best of me. I was looking at a different way to create a document: using the Save As function. I never tested this before. There is another way to create a document that will result in "the Created Date on the disk is earlier than the Document Birth time": working on an existing document and then saving it on top of itself using the Save As feature. By on top of itself I mean you don't create a new document. The filesystem create date remains the same while the document "birth" date is when the document was saved.
Corey
That sounds a lot more probable to me (this is something I could do, and actually do sometimes).
Actually being a pendrive, it would make even more sense.
Example
- you have a file on a pendrive
- you want to edit/update it and either copy it to internal hard disk or open it from the pendrive and then do a "Save as" on hard disk
- you then edit the copy on the hard disk, then save it (still on hard disk)
- you save it again with "Save as" to the pendrive to "synchronize" the edits
Another (open) question, possibly off topic: we do know that the document is in the .docx format, but nowadays there are tens of tools/apps that can save text in that format. The question is, do they all provide the "correct" metadata (in the sense of: do they "sign" the document with the app name, or do they simply use the same MS strings)?
I.e. till now it was assumed (and surely this is the most common case) that the Word document was actually created by Word, but, especially because it appears on a pen drive and thus we have no additional info on the system and on the programs installed on it, this is not 100% safe to assume.
jaclaz
There is another way to create a document that will result in "the Created Date on the disk is earlier than the Document Birth time": working on an existing document and then saving it on top of itself using the Save As feature. By on top of itself I mean you don't create a new document. The filesystem create date remains the same while the document "birth" date is when the document was saved.
Corey
Thanks Corey. As jaclaz said, this sounds more probable to me as well. It is silly that it didn't occur to me even though I have done the exact thing numerous times.
All your responses were great and the stuff regarding the metadata was good intel. Thank you very much for sharing.