
Forged Document?

(@bluepup)
Active Member
Joined: 19 years ago
Posts: 10
Topic starter  

In looking at Office documents, i.e. Word, Excel, etc., what would you guys look for to determine if it's been altered in between the final recipient and original author?

In my situation, I've an Excel file on CD which is believed to have been altered prior to being burnt.

I've googled and reused scripts that extract the metadata from Office documents as well as the dsofile utility from MS. At this stage, from the metadata I've extracted, there's not enough evidence to suggest it's been changed. Besides toggling the privacy box in options for Excel which excludes the author's details, is there a way that metadata such as "last saved date" can be doctored or in this case, excluded from the document?


   
deckard
(@deckard)
Trusted Member
Joined: 20 years ago
Posts: 77
 

Simplest beginning: if you have access to the original, compare hashes; if the same, no alteration. If different, there has been alteration of some kind, even if reverted to look like the original. In that case, dig into metadata.


   
(@bluepup)
Active Member
Joined: 19 years ago
Posts: 10
Topic starter  

I wish we had the original. If we had the original, there'd be no issues.

Like I've mentioned before, I've extracted what metadata I could. Question is... can metadata (dates) be doctored?


   
deckard
(@deckard)
Trusted Member
Joined: 20 years ago
Posts: 77
 

I've seen tools like iscrub that can remove metadata. I have heard there are some that can alter parts or remove just some bits, but I have never run across them or experimented with them.

We'll leave this for someone who has. You must not have access to the machine the CD was burned from?


   
(@bluepup)
Active Member
Joined: 19 years ago
Posts: 10
Topic starter  

Unfortunately not.

All I've got to work with is just a CD with a financial statement where some of the figures seem odd.

At the moment I'm running a series of tests by modifying the statement and reburning it to CD to see if I can remove any details of me making the changes.


   
Alan
(@alan)
Trusted Member
Joined: 20 years ago
Posts: 53
 

You may want to look at the CD to see if there are any previous sessions that may have an earlier copy of the file.

Alan


   
Alan
(@alan)
Trusted Member
Joined: 20 years ago
Posts: 53
 

Like I've mentioned before, I've extracted what metadata I could. Question is... can metadata (dates) be doctored?

I forgot to mention that metadata can be doctored and it should not be trusted on its own without supporting evidence. There are several programs that can delete metadata to varying degrees. It can also be changed with a hex editor.

Alan


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

As illustrated by my Perl module to extract metadata from Word documents, there is metadata contained in the binary header of the document that is not part of the OLE streams. This information is usually managed by the application, and can be easily parsed. I'd suggest that you look for information on the binary format of Excel documents (I believe the word BIFF may be useful in your searches) and see what's there.


   
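A minimal walk of the BIFF records that the post above points to, as an added example that is not part of the original thread or of the Perl module it mentions. It assumes the Workbook stream has already been extracted from the OLE container and follows the BIFF8 record layout (BOF 0x0809, WRITEACCESS 0x005C, EOF 0x000A); the function names are hypothetical and the sample bytes are constructed.

```python
import struct

BOF, EOF, WRITEACCESS = 0x0809, 0x000A, 0x005C  # BIFF8 record type codes

def iter_records(stream):
    """Yield (offset, type, data) per BIFF record; raise if a record overruns the stream."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, size = struct.unpack_from("<HH", stream, pos)
        data = stream[pos + 4 : pos + 4 + size]
        if len(data) < size:
            # A length field that no longer matches the bytes is worth noting in a report.
            raise ValueError(f"record 0x{rtype:04X} at offset {pos} is truncated")
        yield pos, rtype, data
        pos += 4 + size

def decode_xl_string(data):
    """Decode a BIFF8 string: 2-byte char count, 1 flag byte, then the characters."""
    cch, flags = struct.unpack_from("<HB", data, 0)
    if flags & 0x01:                                  # fHighByte set: UTF-16LE
        return data[3 : 3 + 2 * cch].decode("utf-16-le")
    return data[3 : 3 + cch].decode("latin-1")        # compressed: one byte per char

def workbook_globals(stream):
    """Collect application-written fields from the first (globals) substream."""
    info = {}
    for _, rtype, data in iter_records(stream):
        if rtype == BOF and "biff_version" not in info:
            vers, dt, build, year = struct.unpack_from("<4H", data, 0)
            info.update(biff_version=vers, substream=dt, build=build, build_year=year)
        elif rtype == WRITEACCESS:                    # user name stored by the application
            info["write_access"] = decode_xl_string(data).rstrip()
        elif rtype == EOF:
            break
    return info

def _rec(rtype, data):
    return struct.pack("<HH", rtype, len(data)) + data

# Constructed sample stream (not taken from any real file).
_NAME = "J. Doe"
SAMPLE = (
    _rec(BOF, struct.pack("<4H", 0x0600, 0x0005, 0x0DBB, 0x07CC) + bytes(8))
    + _rec(WRITEACCESS, (struct.pack("<HB", len(_NAME), 0) + _NAME.encode("latin-1")).ljust(112, b" "))
    + _rec(EOF, b"")
)

if __name__ == "__main__":
    print(workbook_globals(SAMPLE))
```

The build number and stored user name come from the application rather than the OLE property streams, so they give a second source to compare against the extracted summary metadata.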
skip
(@skip)
Trusted Member
Joined: 20 years ago
Posts: 57
 

Perhaps if you had access to the computer (hard drive) on which the original was created AND access to the computer on which you think it was doctored AND access to the computer that burnt the CD.

Maybe you could verify if there was a modification to the file that way by comparing accesses to the file, or cached tmp files (autosave).

But… for me with Excel there are plenty of times I just open a file, read something and close it; and MS EX in its infinite wisdom asks me to "save changes?" even though I didn't change anything.

It could be possible for someone to open an Excel file and save without actually changing any of the data content…

Just thinking out loud…
Skip


   