Not sure if this is even possible, but you never know…a lot of smart people here 😉
I have an email (that I received) with an attachment (Word document), and I need to find the original creation date of that Word document. As you all know, once you attach a document, the creation date (for that attachment) is changed to the date when the email was created/sent.
Thanks in advance for your input and assistance.
Depending on the version of Word used to create the document, you may be able to extract OLE metadata
http//
This is covered in the book, "Windows Forensic Analysis".
I have used a tool called metedata assistant to extract the metadata of RTF files. You may also find that the demo version of FTK will do the job for free.
Keydet89 thanks for the link, I ran the perl script, and even thought the creation date still showed the one that was punched when it was attached to the email, it provided other metadata that will come in handy.