Hello,
I’m working on a forensic case and I got stuck – perhaps there’s someone who could help me?
I have to prove that a certain document was created and printed on a special PC (Win XP, SP2 + Network printer) on a special date (in February 2006).
The “bad guy†has deleted the relevant file (est. 2 months ago – no chance for recovery) or saved it on an USBstick.
I’ve found fragments of this document (UNICODE text, I suppose a WORD doc) in the following areas
- FreeSpace / SlackSpace
- Pagefile.sys
- Non recoverable spool files in \system32\spool\PRINTERS
- Non recoverable link files in \Documents & Stettings\Application Data\Microsoft\Office\Recent
- Non recoverable backup files, e.g. *.asd Files from Word
So I do not have any Metadata of the Word file or MAC-Times.
Has anybody an idea how proof the “creation / last print†date of this document, only from the above listed information?
Thanks for your help!
HVS,
I think I understand what you're looking for, but to be honest, I'm not clear on the supporting information.
You're looking for evidence that a document was created on and last printed on a specific system…is this correct?
What I find confusing is
> I’ve found fragments of this document (UNICODE text, I suppose a
> WORD doc) in the following areas
Was this based on a text search? How many fragments of the file have you found? Did you find anything that includes Word document embedded metadata?
> - Non recoverable link files in \Documents & Stettings\Application
> Data\Microsoft\Office\Recent
What I'm confused about here is…what does "non recoverable" mean? You can't "recover" the LNK files?
Have you considered looking in the Registry? I'd look in the following key in the HKEY_USERS hive for the user in question
\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
I'd also consider looking in this Registry key, as well
\Software\Microsoft\Office\{version}\Common\Open Find\{product}\Settings\Open\File Name MRU
Of course, this assumes that you know the name of the file.
Additionally, you mentioned the USB stick…did you find evidence of this stick in the Registry? Did the stick have a serial number?
Harlan
Hello Harlan,
Thanks for your quick response!
You’re right I’m looking for evidence that a document was created/modified on and last printed on a specific system.
The text fragments I’ve found were based on a text search. I’ve got a hardcopy printout of the relevant document and so I created a keyword-list. I’ve found estimate 10 fragments of this text at different locations (as I’ve written before, e.g. slack space, pagefile.sys, spool directory and so on).
No, I didn’t find any metadata of Word - but I assume the document was written in Word because of two hits in my text search there was listed a Word document filename next to the relevant text fragment. I’ve also found a non recoverable corresponding Word backup file (.asd file).
Regarding all the the non recoverable files I’ve found the path to these files (lnk, asd, spl files -which equals to the file name I’ve found at the text fragments) in some files called “change.log.xxx†in \System Volume Information\_restore{…}. I’m not sure, if I could use this information. Could you please explain me more details about these change.log.xxx files in the \_restore path?
Thanks for your hint with the two registry keys. The second key I didn’t know. But unfortunately I’m not lucky – to much time is gone. We estimate that the “bad guy†has printed the document est. 8 weeks ago…
The mentioned USB stick was only an assumption that the “bad guy†perhaps used an USB stick to save the document on it and used the specific system only for printing…
I’m looking forward to your further answers, thanks!
HVS,
I'd like to help, but you're not answering my questions. I asked you, "…what does "non recoverable" mean?", and I still don't know.
With regards to the system restore information you found, these have to do with the XP Restore Points, which allow the system to be "rolled back" to a previous configuration.
"But unfortunately I’m not lucky – to much time is gone."
Okay…I'm not sure what that has to do with anything, but fine.
"The mentioned USB stick was only an assumption…"
Okay, but did you check the image to see if a USB removable storage device of any kind had been attached? I mean, all it takes is a quick check and you can move from an "assumption" to a known fact either way.
Harlan
Harlan, I suspect what he's seeing are the file names of files that have been overwritten. I've found that is often the case with spool files on XP systems. They are overwritten long before their MFT entries are.
You may want to search for those file names in the index.dat files within the history folders. If the files were opened from Windows Explorer there will be an entry. The first characters of the path of such an entry will always be "file///". The first characters of the entry will always be "URL". From the "U" in URL count forward 8 bytes. The next 8 bytes (9-16) will be the last visited time and the next 8 (17-24)the file created time. They are encoded in windows date format.
In this case these should both be the same and will both reference the time the file was opened. Do note however that the first time will be the local machine time, while the second will be GMT.
If you want to follow this approach be sure and check the index.dat file in every history folder. Of course you are relying on the file name and path only to identify the file.
