Besides the document metadata, are there any forensic hints that can prove the document was created on the particular exhibit? I found the document, the LNK file and the text of the document in the Content.Word folder. Does anybody know?
It is hard to prove anything in computer forensics, particularly in relation to a user's actions, and much easier to disprove that a user undertook a particular action.
I used to say constantly to investigators that whilst I can prove that a document (or other file) exists (or used to exist) on this device, what I cannot do is prove who put it there and what intent they had in their mind at the time it was done; that was their job.
Evidence like the existence of a document with corroborating metadata is never proof. Ask yourself this: could anyone have created this document in this state on this device without it being done as per my hypothesis? The answer is that a file of any sort is only binary bits on a storage medium, and a reasonably competent programmer can write a small program to lay any bits on a medium in any sequence they like, so the answer will always be that we cannot prove what happened to put this file (or files) on this device.
In UK law there are only two ways to show that this document was put there by a particular person:
1) That person admits (without any undue duress) that they put it there.
2) That a jury believes beyond any reasonable doubt that, in the circumstances, the person put it there. In order to come to such a conclusion they will have regard to any 'expert' testimony, which may include an unbiased opinion.
The answer to your question is that no matter what you find in addition to the original document you will only find corroborative evidence, not proof.
Besides the document metadata, are there any forensic hints that can prove the document was created on the particular exhibit?
You might want to clarify your use of the word 'document'. Exactly what do you mean?
Example: Mr X creates a document using an old typewriter. Then it's scanned, OCR'd, and converted into a Word document A.DOC at a later date, possibly with changes, like an extra space here and there. That Word document is later 'Saved As …' using a new file name B.DOC.
Do you have one document there? Or two? Or three? Do you have the same number of 'document creations'? More? Fewer?
I'm not joking: I think the answer to your question to a large extent depends on what you mean by 'a document'.
Athulin,
I am sorry for the lack of clarity in my question. Below is my case problem:
- I need to identify whether a particular Microsoft Office document (.docx) in the exhibit was created on the same exhibit.
- The content of the Word document (.docx) was created/typed on the same exhibit.
Overall, what I need to do is to show potential evidence supporting that the Word document (.docx) was created by the suspect on his exhibit. Currently I have the document metadata, but it is not enough for the evidence. I'm looking for other evidence, if it exists.
Binarybod,
Appreciate your explanation; I now have a better understanding regarding this question.
There are a few things I would do… just thinking out loud, so no guarantees they'll work:
1. What was happening around the create/modified time of the document?
2. What is the metadata of the document? Does it match the details that the suspect's copy of Word embeds in the file (i.e. author and initials)?
3. Do registry artifacts show the file has been opened? Mainly surrounding RecentDocs and ComDlg32. I haven't completed my research yet, but the ComDlg32 artifact may indicate whether the item was first "saved as" or "opened" (if another operation is performed later, the record isn't updated… not sure how long the MRU items last in the list though).
4. Comparison of the LNK file artifacts (target MAC times with the MAC times of the file; the volume name/serial/type should match the hard drive you're examining).
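The LNK comparison in point 4 above, worked through as an added example (this is not code posted in the thread). It parses the Shell Link header and the LinkInfo/VolumeID structures as laid out in the MS-SHLLINK specification, then compares the target MAC times, size, local path and volume type/serial/label recorded in the link against what the examiner observed on the exhibit. The sample link, the path, the volume label and serial, and the timestamps are all constructed here so the script runs offline.

```python
"""Parse a Windows Shell Link (.lnk) and compare what it recorded about its
target with the document and volume actually found on the exhibit.
Added example, not from the thread; all sample values are constructed."""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_LINK_TARGET_IDLIST = 0x00000001
FLAG_HAS_LINK_INFO = 0x00000002
LINKINFO_VOLUMEID_AND_LOCAL_BASE_PATH = 0x00000001
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, microsecond precision."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic so nothing is rounded."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    """Target times/size from the ShellLinkHeader and, when LinkInfo is present,
    the volume (type, serial, label) and local path the link was resolved against."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize or LinkCLSID)")
    flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    lnk = {
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),   # least reliable: last-access updates are often disabled
        "target_written": filetime_to_datetime(wtime),
        "target_size": size,
    }
    pos = 76
    if flags & FLAG_HAS_LINK_TARGET_IDLIST:               # skip the IDList; only LinkInfo is needed here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_HAS_LINK_INFO:
        li = pos
        _size, _hdr, li_flags, vol_off, base_off, _cnrl, _suffix = struct.unpack_from("<7I", data, li)
        if li_flags & LINKINFO_VOLUMEID_AND_LOCAL_BASE_PATH:
            vid = li + vol_off
            _vid_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vid)
            # The Unicode label variant (VolumeLabelOffset == 0x14) is not handled in this demo.
            lnk["drive_type"] = DRIVE_TYPES.get(drive_type, str(drive_type))
            lnk["volume_serial"] = f"{serial:08X}"
            lnk["volume_label"] = _cstring(data, vid + label_off)
            lnk["local_base_path"] = _cstring(data, li + base_off)
    return lnk


def build_lnk(path, label, serial, drive_type, created, accessed, written, size):
    """Minimal link (header + LinkInfo/VolumeID) so the parser has input offline.
    Real links also carry an IDList, StringData and ExtraData blocks."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, FLAG_HAS_LINK_INFO, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(written), size, 0, 1, 0, 0, 0, 0)
    lbl = label.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(lbl), drive_type, serial, 16) + lbl
    base = path.encode("cp1252") + b"\x00"
    suffix = b"\x00"                                      # empty CommonPathSuffix
    base_off = 28 + len(volume_id)
    link_info = struct.pack("<7I", 28 + len(volume_id) + len(base) + len(suffix), 28,
                            LINKINFO_VOLUMEID_AND_LOCAL_BASE_PATH, 28, base_off, 0,
                            base_off + len(base)) + volume_id + base + suffix
    return header + link_info


def compare_with_exhibit(lnk, doc, volume):
    """doc/volume hold what was observed on the exhibit ($MFT timestamps, size, path,
    volume serial/label).  A False on serial/label/path means the link was resolved
    against a different volume or location; a False on written/size means the file
    changed after the link was last updated."""
    return {
        "serial_matches": lnk.get("volume_serial") == volume["serial"],
        "label_matches": lnk.get("volume_label") == volume["label"],
        "path_matches": lnk.get("local_base_path", "").lower() == doc["path"].lower(),
        "created_matches": lnk["target_created"] == doc["created"],
        "written_matches": lnk["target_written"] == doc["written"],
        "size_matches": lnk["target_size"] == doc["size"],
    }


# Constructed sample: a link to a .docx plus the values "seen" on the exhibit (made up).
DOC_PATH = r"C:\Users\suspect\Documents\report.docx"
DOC_CREATED = datetime(2011, 3, 14, 9, 15, 22, 123456, tzinfo=timezone.utc)
DOC_WRITTEN = datetime(2011, 3, 14, 10, 2, 5, 654321, tzinfo=timezone.utc)
SAMPLE_LNK = build_lnk(DOC_PATH, "OS", 0x1A2B3C4D, 3, DOC_CREATED, DOC_WRITTEN, DOC_WRITTEN, 48213)
EXHIBIT_DOC = {"path": DOC_PATH, "created": DOC_CREATED, "written": DOC_WRITTEN, "size": 48213}
EXHIBIT_VOLUME = {"serial": "1A2B3C4D", "label": "OS"}

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print(parsed)
    print(compare_with_exhibit(parsed, EXHIBIT_DOC, EXHIBIT_VOLUME))
```

On a real exhibit, replace SAMPLE_LNK with the bytes of the link from the Recent folder and fill EXHIBIT_DOC/EXHIBIT_VOLUME from the $MFT record of the document and the volume boot sector; a matching serial plus matching created time is corroboration, while a mismatch on the serial is the one result that says something on its own.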
Overall, what I need to do is to show potential evidence supporting that the Word document (.docx) was created by the suspect on his exhibit. Currently I have the document metadata, but it is not enough for the evidence. I'm looking for other evidence, if it exists.
As you have narrowed it down to that particular file, I don't think you have anything related to it that will help you.
Instead, go by the usual activities in creating a document. For example, it's rarely created in one go; it tends to be edited. Do you have any traces of earlier versions of the document, for example?
And, viewed from the opposite corner, does the document carry the ADS indicating a download? Or could it be found in an archive file? That might indicate that it actually was imported from outside.
Have you looked at *all* the metadata? Some document management systems add metadata of their own, which may be ignored by some tools. Finding one of those would add information about the life of the document.
I'd probably identify a handful of keywords that seemed document specific, and then search for those all over the disk to see if there was anything interesting.
Some filesystems, like NTFS, may provide historical information about the volume.
Object IDs in link files (and the MFT) may (or may not) tell you something. Worth a look though.
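Two of the checks above, looking at *all* of the package metadata (custom.xml is where document management systems put properties of their own) and reading the Zone.Identifier stream that marks a download, worked through as an added example; this is not code posted in the thread. The .docx package, the author name, the dates and the DMS property are constructed in memory; reading the ADS itself is Windows-only (open(path + ":Zone.Identifier")) and only its contents are parsed here.

```python
"""Extract core, app and custom metadata (and zip entry dates) from a .docx,
compare the author fields with the Word user name recovered from the exhibit,
and parse a Zone.Identifier stream.  Added example; all inputs are constructed."""
import configparser
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "cust": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
    "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes",
}


def _flatten(xml_bytes):
    """{local tag: text} for the flat core.xml / app.xml parts."""
    return {child.tag.split("}")[1]: (child.text or "") for child in ET.fromstring(xml_bytes)}


def extract_docx_metadata(docx_bytes):
    """Every docProps part, including custom properties, plus the date stamped on each zip entry."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = z.namelist()
        meta = {"parts": names, "core": {}, "app": {}, "custom": {}, "entry_times": {}}
        if "docProps/core.xml" in names:
            meta["core"] = _flatten(z.read("docProps/core.xml"))
        if "docProps/app.xml" in names:
            meta["app"] = _flatten(z.read("docProps/app.xml"))
        if "docProps/custom.xml" in names:
            for prop in ET.fromstring(z.read("docProps/custom.xml")).findall("cust:property", NS):
                meta["custom"][prop.get("name")] = prop[0].text or ""   # prop[0] is the vt:* value element
        for info in z.infolist():
            # Entry dates are written by whatever tool built the package, so they are a
            # tool-origin hint (a placeholder 1980-01-01 is commonly seen in Word output).
            meta["entry_times"][info.filename] = info.date_time
    return meta


def check_author(meta, word_user_name):
    """Compare the package's author fields with the user name the examiner recovered
    from the suspect's Word installation (passed in here, not read from the registry)."""
    core = meta["core"]
    return {
        "creator_matches_user": core.get("creator") == word_user_name,
        "last_modified_by_matches_user": core.get("lastModifiedBy") == word_user_name,
        "created_before_modified": core.get("created", "") <= core.get("modified", ""),
        "has_custom_properties": bool(meta["custom"]),
    }


def parse_zone_identifier(text):
    """Contents of a Zone.Identifier ADS -> dict. ZoneId=3 is the Internet zone; newer
    Windows versions also record ReferrerUrl/HostUrl, i.e. where the file came from."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                       # keep the original key case
    cp.read_string(text)
    return dict(cp["ZoneTransfer"]) if cp.has_section("ZoneTransfer") else {}


def build_sample_docx():
    """Constructed package: a core/app/custom set as a DMS-aware Word might leave it."""
    core = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" xmlns:dcterms="{NS["dcterms"]}"'
            f' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            f'<dc:creator>J Suspect</dc:creator><cp:lastModifiedBy>J Suspect</cp:lastModifiedBy>'
            f'<cp:revision>4</cp:revision>'
            f'<dcterms:created xsi:type="dcterms:W3CDTF">2011-03-14T09:15:00Z</dcterms:created>'
            f'<dcterms:modified xsi:type="dcterms:W3CDTF">2011-03-14T10:02:00Z</dcterms:modified>'
            f'</cp:coreProperties>')
    app = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
           f'<AppVersion>14.0000</AppVersion><TotalTime>47</TotalTime></Properties>')
    custom = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
              f'<Properties xmlns="{NS["cust"]}" xmlns:vt="{NS["vt"]}">'
              f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="2" name="DMS_DocumentId">'
              f'<vt:lpwstr>DOC-0001</vt:lpwstr></property></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in (("docProps/core.xml", core), ("docProps/app.xml", app),
                          ("docProps/custom.xml", custom)):
            z.writestr(zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0)), xml)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    meta = extract_docx_metadata(build_sample_docx())
    print(meta["core"], meta["app"], meta["custom"], meta["entry_times"], sep="\n")
    print(check_author(meta, "J Suspect"))
    print(parse_zone_identifier("[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=http://example.invalid/report.docx\r\n"))
```

A creator that matches the UserInfo name on the suspect's machine is only corroboration (the field is user-editable and travels with the file), whereas a custom property from a document management system the suspect does not use, or a Zone.Identifier with a HostUrl, points to the document having arrived from outside.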