Join Us!

File Header for Wor...
 
Notifications
Clear all

File Header for Word Documents - Dates & Times  

  RSS
novadonuk
(@novadonuk)
Junior Member

Hi,

Im looking into a possible email harrasement case. And the email seems to have been editied in a word package.
The question is, can I possibly extract the date from the file header or not? As this is the major point I need help with …

Look forward to receiving some feedback, Cheers.

ps, only have access to a DVD not HDD

Quote
Posted : 24/05/2006 3:11 pm
samr
 samr
(@samr)
Active Member

That is simply the file identifier which identifies the file as a Microsoft office/visio file that alone has no date or time information. Two things you could try

1) Look for the footer F4 39 B2 71 (00 00) and reconstruct the file simply examining the metadata contained.

2) If only a slither of information is still present then you may have to manually go through the hex looking for remaining metadata.

ReplyQuote
Posted : 24/05/2006 4:30 pm
arashiryu
(@arashiryu)
Active Member

Extract MetaData for the word document.

ReplyQuote
Posted : 24/05/2006 6:35 pm
novadonuk
(@novadonuk)
Junior Member

Can you explain how I interpret the metadata please? I am interested specifically in creation and modification dates for a raw file recovered during a header search. Is this data in a particular format, and if so where would I expect to see it, as part of the header, footer or somewhere else?

Regards

ReplyQuote
Posted : 24/05/2006 6:42 pm
samr
 samr
(@samr)
Active Member

Well the time stamps associated with files are slightly different, such information is held within the MFT (assuming NTFS). Assuming it's a file then you would need backtrack the location to the MFT.

In terms of metadata of word documents this includes creation date, last saved time, revision information etc. Something like Metadata Assistant should be able to help you easily interpret this.

ReplyQuote
Posted : 24/05/2006 6:58 pm
manuld
(@manuld)
New Member

Do you have the word document or the email message? What type of email package is it?

If you have the document try here

http//cert.uni-stuttgart.de/archive/bugtraq/2002/11/msg00206.html

ReplyQuote
Posted : 24/05/2006 9:17 pm
arashiryu
(@arashiryu)
Active Member

I have used metadata asst. successfully in the past. The output is reader friendly.

Please note that there are also programs that support metadata removel. Hopefully that was not run on the doc.

ReplyQuote
Posted : 24/05/2006 11:01 pm
rkamens
(@rkamens)
Junior Member

deleted

ReplyQuote
Posted : 25/05/2006 4:09 am
novadonuk
(@novadonuk)
Junior Member

Hey guys, and gals.

Thanks for ya help. eventually I was able to use a program called Catalogue Metadataminer, it interogated 10 files at a time, but there was only one that needed interrogating. Through extracting the information from the disk to a new word document, the metadata was still in tact and produced good results it seems.

So thanks again,

Cheers.

ReplyQuote
Posted : 16/06/2006 1:38 pm
Share: