Hello all,
Without going into too much public detail (legal issues), I was wondering if there is a way to analyse an Excel file to see when, how often and what has been changed. Also, if there is a possibility to uniquely identify a single file.
In general, I suspect person B has been continuously altering a file once received from person A and each time passing it off as issued by person A. So it would help me build my case if (a) I could prove it has been the exact same file used each time and (b) if there would be a way to prove all the alterations.
I am in possession of the original mail A sent to B with the file attached and 2 files sent from B with what I suspect are altered versions of that file. Our investigation identified dozens more but those are all in PDF format, so of no use.
I have found the rudimentary info saying file made by A at date xx and last altered and printed by B at date xx, but I was hoping to be able to find a lot more...
Thank you in advance for any advice.
Hi Feddie,
Why don’t you generate a hash value of the original file before you send it?
You can use SHA256 algorithm for example, get the hash value of the original file, then generate the hash for the second file to confirm whether it is the same or not.
If the hash has changed, then you know the file has been altered.
You can do this with PowerShell fairly easily.
Get-FileHash "Path-to-file" -Algorithm SHA256
Hi. If the file is xlsx, you can rename it to .zip. Then you can extract all the XML files and try to investigate.
Hi Feddie,
It might help you to take a look at
https://ntnuopen.ntnu.no/ntnu-xmlui/bitstream/handle/11250/198656/EDidriksen.pdf
It is very easy to show that a file has (or has not) been changed if you have the original, and you can easily dismantle a simple Excel spreadsheet file by extracting its components into a folder using an 'unzip' utility.
So I would echo the comments made by earlier posters. But I imagine that *if* a document has been changed *then* you would want to prove that it has been changed deliberately, and presumably detail the changes. That might not be so easy. I guess it could depend on the way the document was created and the specific changes which had been made. Presumably the person making the changes would have an agenda, and that might have a bearing on the issue. If the person is highly technically skilled you could be faced with a tricky problem, but it is *very* difficult to cover all your tracks on today's computers and if you have access to the computers themselves as well as to the documents then I expect there would be little difficulty in finding enough evidence. If you do not have this access then I think there are some questions which I should be asking you to answer to my satisfaction before proceeding very much further. As a general rule forensic examination of a computer will take it out of service for a while.
Not all Excel files are equal. Microsoft gives some guidance on following changes in shared Excel workbooks, see for example
You might want to consider a 'sting' operation in which you send a file which you have created as a shared document especially for your investigation.
Because a simple Excel spreadsheet is essentially a compressed archive containing several files, there will be timestamps on the components (usually more than one) but they may be of no use to you. There will probably be timestamps within one or more of the components themselves, which are essentially XML files. However, all of these things can potentially be "doctored" by someone who is sufficiently skilled.
The reliability of things like the signing and encryption of Excel files has been historically somewhat variable (for example I have decrypted supposedly encrypted Excel files in just a few minutes) so you might struggle to rely on evidence like that in a court of law without expert assistance. Or even with it.
I would also add a question of my own:
Why do you say that the PDF files are of no use?
If there are many more of these than there are spreadsheet files, it might also be that they contain more evidence. It is certainly possible to examine the content of PDF files, to compare them with each other, and (depending on their construction) to dismantle them.
HTH
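Added example (not part of any post in this thread): a Python sketch of the checks the replies above describe, namely a SHA-256 of the whole file, a hash and zip timestamp for each component inside the .xlsx archive, and the author and date fields stored in docProps/core.xml. The two workbooks are constructed in memory by the hypothetical helper make_sample, so the names, dates and cell values are sample data, not case data.

```python
import hashlib, io, zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in an OOXML (.xlsx) package.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "dcterms": "http://purl.org/dc/terms/"}
FIELDS = {"creator": "dc:creator", "lastModifiedBy": "cp:lastModifiedBy",
          "created": "dcterms:created", "modified": "dcterms:modified"}

def inspect_xlsx(data: bytes) -> dict:
    """Whole-file SHA-256, per-part hash and zip timestamp, and core properties."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "parts": {}, "core": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            digest = hashlib.sha256(z.read(info)).hexdigest()
            report["parts"][info.filename] = (digest, info.date_time)
        if "docProps/core.xml" in z.namelist():
            root = ET.fromstring(z.read("docProps/core.xml"))
            for name, path in FIELDS.items():
                report["core"][name] = root.findtext(path, default=None, namespaces=NS)
    return report

def changed_parts(a: dict, b: dict) -> list:
    """Names of package parts whose content hash differs, or that exist in only one file."""
    names = set(a["parts"]) | set(b["parts"])
    return sorted(n for n in names
                  if a["parts"].get(n, (None,))[0] != b["parts"].get(n, (None,))[0])

def make_sample(modified_by: str, modified: str, cell: str) -> bytes:
    """Constructed stand-in for a workbook, holding only the parts this demo reads."""
    xmlns = " ".join(f'xmlns:{k}="{v}"' for k, v in NS.items())
    core = (f"<cp:coreProperties {xmlns}><dc:creator>Person A</dc:creator>"
            f"<cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>"
            "<dcterms:created>2020-01-06T09:00:00Z</dcterms:created>"
            f"<dcterms:modified>{modified}</dcterms:modified></cp:coreProperties>")
    sheet = f"<worksheet><sheetData><row><c><v>{cell}</v></c></row></sheetData></worksheet>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        stamp = (2020, 1, 6, 9, 0, 0)  # fixed so the sample bytes are reproducible
        z.writestr(zipfile.ZipInfo("docProps/core.xml", stamp), core)
        z.writestr(zipfile.ZipInfo("xl/worksheets/sheet1.xml", stamp), sheet)
    return buf.getvalue()

if __name__ == "__main__":
    sent = inspect_xlsx(make_sample("Person A", "2020-01-06T09:00:00Z", "100"))
    got = inspect_xlsx(make_sample("Person B", "2020-03-02T14:30:00Z", "250"))
    print("identical file:", sent["sha256"] == got["sha256"])
    print("changed parts:", changed_parts(sent, got))
    print("core properties of received copy:", got["core"])
```

For a file on disk, pass the bytes of a working copy, for example inspect_xlsx(open(path, "rb").read()). The per-part hashes show which components differ between two copies; the metadata fields are the ones the post above notes can be doctored.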
@ged Hello,
Thanks for the reply and advice. My technical skills are mediocre at best (I have heard of html and have no idea what a hash file is). Although I do work with a lot of programs and have some grasp of the day-to-day functionalities of normal office applications, Excel belongs relatively low on that knowledge scale.
The reason for my PDF statement was indeed the assumption that those were "final" files and thus less likely to contain relevant information. I had not thought of that possibility.
The main reason for me trying to ask the question here was the mistaken idea that there were some possibilities that could be done with low technical or specialized skill. I myself am not the youngest and not brought up on computers like today's youth, my colleague who is doing this investigation with me is but even he was not in his comfort zone with the solutions advised.
My investigation is not yet in the stage of proof that would warrant search and seizure of the computer, and I was hoping involvement of other units could be avoided. However, reading the replies made me realise the flaw in that thinking. I have made an inquiry about my problems to our digital forensics unit, hoping to hear back shortly.
Thank you for the PDF remark, it is a new avenue to look into...