File Header for Word Documents - Dates & Times

That is simply the file identifier which identifies the file as a Microsoft office/visio file that alone has no date or time information. Two things you could try

1) Look for the footer F4 39 B2 71 (00 00) and reconstruct the file simply examining the metadata contained.

2) If only a slither of information is still present then you may have to manually go through the hex looking for remaining metadata.

Extract MetaData for the word document.

Can you explain how I interpret the metadata please? I am interested specifically in creation and modification dates for a raw file recovered during a header search. Is this data in a particular format, and if so where would I expect to see it, as part of the header, footer or somewhere else?

Regards

Well the time stamps associated with files are slightly different, such information is held within the MFT (assuming NTFS). Assuming it's a file then you would need backtrack the location to the MFT.

In terms of metadata of word documents this includes creation date, last saved time, revision information etc. Something like Metadata Assistant should be able to help you easily interpret this.

Do you have the word document or the email message? What type of email package is it?

If you have the document try here

http//cert.uni-stuttgart.de/archive/bugtraq/2002/11/msg00206.html

I have used metadata asst. successfully in the past. The output is reader friendly.

Please note that there are also programs that support metadata removel. Hopefully that was not run on the doc.

deleted

Hey guys, and gals.

Thanks for ya help. eventually I was able to use a program called Catalogue Metadataminer, it interogated 10 files at a time, but there was only one that needed interrogating. Through extracting the information from the disk to a new word document, the metadata was still in tact and produced good results it seems.

So thanks again,

Cheers.