Are there any tools (ideally free) that will identify from within a word document (.doc file) metadata that will tell us where a file has been previously saved and which user edited by?
Any tools you can recommend or manual review techniques would be a good help.
I got my pointers from reading this document
http//
I just wondered if their are any tools that will automate the analysis, and if so what are the best tools called?
Wmd.pl and oledmp.pl, both found on the DVD that accompanies the Windows Forensic Analysis book, replicate what the ComputerBytesMan's tool does.
Both are free, both are open source, and I've used both repeatedly to assist me in my own examinations.
Thanks Keydet89, will your tools also work on .docx
No, they won't. As you're well aware, .docx is not OLE/structured storage format…it's XML and packed/zipped.
No, they won't. As you're well aware, .docx is not OLE/structured storage format…it's XML and packed/zipped.
Yes a tool that could do similar for docx would be great for the forensic community. Theres very little published on docx for forensics. If you have any books or articles that cover these files I will look into buying them.
http//
http//hachoir.org/
See also http//
If you can find someone who is somewhat decent at .net programming they could get that information very easily. If I find time maybe I will put that together for the community unless there is something already out that will gather all the metadata?
Yes a tool that could do similar for docx would be great for the forensic community. Theres very little published on docx for forensics. If you have any books or articles that cover these files I will look into buying them.
There is very little metadata in .docx files compared to .doc files and it is easy to find. Simply unzip the file and use your favorite text editor to read the file docProps/core.xml.
All the metadata is in there.
There is a free OLE deconstructor program on my web site