Forensics on Word document: revision numbers question

(@investigative-me)
Posts: 4
New Member
Topic starter
 

This is related to my other posted question. Same parties, here I have Word, though.

I have a Word document based on a template which was sent by an "Official Person" to two parties. This Word document is a new fresh document (0 minutes editing time) and thus a copy/paste from the document used to create it. It can be presumed this was done to wipe the tracked changes and authors. Importantly, this document shows it is "Revision number 2".

The Word document's XML shows multiple edits and what seems to be different authors from the copy/paste.

Now comes the question:

One of the parties replied to the document with tracked changes. This document however still shows "Revision number 2".

As the second party, I make a tracked change to the document emailed by the Official Person and it amends it to "Revision number 3". Same if I amend the document from the other party, it goes to revision number 3.

Let's call this other party "Unauthorised Person". How can that person have edited the document with tracked changes but the revision number didn't incrementally increase? Could it be that the Unauthorised Person had a copy of the document from the Official Person beforehand and amended revision number 1, or is it that the Unauthorised Person had in fact already edited the document and therefore the revision number didn't incrementally increase?

I have other documents in Word format from the Unauthorised Person and the Official Person to compare.

I am looking to prove that the Word document was in fact already edited by the Unauthorised Person, illegally working together with the Official Person.

Interestingly, it seems that the Unauthorised Person and the Official Person use different versions of Word.

Any help is most welcome.

 
Posted : 15/01/2020 6:11 pm
(@investigative-me)
Posts: 4
New Member
Topic starter
 

I have done some more digging and am looking for anyone with experience with ENDNOTES.XML in the OOXML file.

Referring to the above:

- the Official Person's document is revision 2 and was made with Word version w14 wp14.

- the Unauthorised Person's document is also revision 2 and was made with Word version w14 w15 w16se w16cid wp14.

When I take the Official Person's document and add tracked changes, I get a revision 3 with Word version w14 w15 w16se w16cid wp14.

When I take the Unauthorised Person's document and add tracked changes, I get a revision 3 with Word version w14 w15 w16se w16cid wp14.

My conclusion: both I and the Unauthorised Person have a newer version of Word; the Official Person has Word 2010 only.

Now, it gets interesting.

In ENDNOTES.XML the Official Person has

<w:endnote w:id="-1" w:type="separator">
<w:p w:rsidP="00704EC3" w:rsidRDefault="00BF4354" w:rsidR="00BF4354">

The Unauthorised Person has

<w:endnote w:id="-1" w:type="separator">
<w:p w:rsidP="00704EC3" w:rsidRDefault="000620CE" w:rsidR="000620CE">

Note the rsidP (Paragraph) is the same in both, but the other two are different.

Now, if I take the Official Person's version and add tracked changes as stated above, then I get

<w:endnote w:id="-1" w:type="separator">
<w:p w:rsidP="00704EC3" w:rsidRDefault="00BF4354" w:rsidR="00BF4354">

Note I retain the Official Person's hex values.

Now I take the Unauthorised Person's version and add tracked changes, I end up with

<w:endnote w:id="-1" w:type="separator">
<w:p w:rsidP="00704EC3" w:rsidRDefault="000620CE" w:rsidR="000620CE">

Note I retain the Unauthorised Person's hex values.

My hypothesis, based upon this and upon the revision number not increasing from the Official Person's to the Unauthorised Person's version, is that the Unauthorised Person made the tracked changes to revision number 1, not revision number 2 as I did in both cases.

This would lead to the conclusion that revision number 1 was in fact written in the later version of Word and the values were changed when the docx file was "downgraded" to Word 2010. The backwards compatibility of Word however didn't then change this value when I amended and saved the Word 2010 version.

In simple terms, the two revision number 2 documents stem from the identical text revision number 1, but that was created on a newer version of Word.

If anyone can recommend additional ways in the XML to confirm, prove or refute this hypothesis, please help.

Thank you.

 
Posted : 15/01/2020 9:26 pm
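An added example, not part of the original posts: one way to put the two "revision 2" files side by side is to read the revision counter from docProps/core.xml, the rsid table from word/settings.xml (where Word records the save IDs of editing sessions) and the rsid attributes used in word/endnotes.xml, then compare the tables as sets. The sample packages are constructed; only the three endnote rsid values come from the post, and the rsidRoot and table contents are assumptions.

```python
import io, zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"

def fingerprint(docx_bytes):
    """Revision counter, rsid table (settings.xml) and rsids used in endnotes.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        settings = ET.fromstring(z.read("word/settings.xml"))
        endnotes = ET.fromstring(z.read("word/endnotes.xml"))
    entries = [e for t in settings.iter(W + "rsids") for e in t]
    used = {v for el in endnotes.iter() for k, v in el.attrib.items()
            if k.startswith(W + "rsid")}
    return {
        "revision": core.findtext(CP + "revision"),
        "root": next((e.get(W + "val") for e in entries if e.tag == W + "rsidRoot"), None),
        "table": {e.get(W + "val") for e in entries if e.tag == W + "rsid"},
        "endnote_rsids": used,
    }

def compare(a, b):
    """Split the two rsid tables into shared history and per-file entries."""
    ta, tb = a["table"], b["table"]
    return {"same_root": a["root"] == b["root"], "shared": ta & tb,
            "only_a": ta - tb, "only_b": tb - ta}

def make_docx(revision, root, table, endnote_rsid):
    """Constructed sample: a minimal package holding only the three parts read above."""
    ns = f'xmlns:w="{W[1:-1]}"'
    rsids = "".join(f'<w:rsid w:val="{r}"/>' for r in table)
    parts = {
        "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{CP[1:-1]}">'
                             f"<cp:revision>{revision}</cp:revision></cp:coreProperties>",
        "word/settings.xml": f'<w:settings {ns}><w:rsids><w:rsidRoot w:val="{root}"/>'
                             f"{rsids}</w:rsids></w:settings>",
        "word/endnotes.xml": f'<w:endnotes {ns}><w:endnote w:type="separator" w:id="-1">'
                             f'<w:p w:rsidR="{endnote_rsid}" w:rsidRDefault="{endnote_rsid}" '
                             f'w:rsidP="00704EC3"/></w:endnote></w:endnotes>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

# Endnote rsids are the values quoted in the post; rsidRoot and tables are made up.
OFFICIAL = make_docx(2, "00704EC3", ["00704EC3", "00BF4354"], "00BF4354")
OTHER = make_docx(2, "00704EC3", ["00704EC3", "000620CE", "00A1B2C3"], "000620CE")
```

On real files, pass the bytes of each .docx to `fingerprint()`; entries in `shared` point to common editing history, while `only_a` and `only_b` list save IDs that appear in one file's table only.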