
Investigating Originality of a Document

Djzngo
(@djzngo)
Posts: 5
Active Member
Topic starter
 
Investigating Originality of a Document

Hello,

I am looking for as much information as possible for investigating the originality of documents, Word documents specifically. If anyone can share with me some techniques that are currently used when investigating originality, that would be great. I currently have some information on RSIDs within OOXML documents but was wondering what kinds of other approaches I can take?

Any information would be useful

Thank you!

Djzngo

 
Posted : 18/10/2019 9:22 pm
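An added example, not from the thread or any of its posters, of pulling the RSID information mentioned in the question out of an OOXML (.docx) file. It assumes only the standard library; the .docx is constructed in memory from a minimal word/settings.xml and word/document.xml (a real file has many more parts, which are irrelevant here). Word records one revision save ID (rsid) per editing session in settings.xml and stamps paragraphs and runs in document.xml with the rsid of the session that introduced them, so the list gives a lower bound on sessions, the per-run mapping shows which text arrived in which session, and any rsid used in the body but missing from the settings list is worth a second look.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Constructed sample parts (not from a real case). Three sessions are listed;
# the second run of the first paragraph was added in the third session.
SETTINGS_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:settings xmlns:w="{W_NS}">
  <w:rsids>
    <w:rsidRoot w:val="00A1B2C3"/>
    <w:rsid w:val="00A1B2C3"/>
    <w:rsid w:val="00D4E5F6"/>
    <w:rsid w:val="001122AA"/>
  </w:rsids>
</w:settings>"""

DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W_NS}">
  <w:body>
    <w:p w:rsidR="00A1B2C3" w:rsidRDefault="00A1B2C3">
      <w:r w:rsidR="00A1B2C3"><w:t>Original text.</w:t></w:r>
      <w:r w:rsidR="001122AA"><w:t> Inserted later.</w:t></w:r>
    </w:p>
    <w:p w:rsidR="00D4E5F6" w:rsidRDefault="00D4E5F6">
      <w:r><w:t>Second paragraph.</w:t></w:r>
    </w:p>
  </w:body>
</w:document>"""


def build_docx(document_xml: str = DOCUMENT_XML, settings_xml: str = SETTINGS_XML) -> bytes:
    """Zip the two parts into an in-memory .docx-shaped container (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/settings.xml", settings_xml)
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def _part(docx_bytes: bytes, name: str) -> ET.Element:
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return ET.fromstring(z.read(name))


def session_rsids(docx_bytes: bytes):
    """(rsidRoot, [rsid, ...]) from word/settings.xml; one rsid per editing session."""
    rsids = _part(docx_bytes, "word/settings.xml").find(W + "rsids")
    if rsids is None:
        return None, []  # not produced by Word, or the block was stripped
    root_el = rsids.find(W + "rsidRoot")
    root_val = root_el.get(W + "val") if root_el is not None else None
    return root_val, [e.get(W + "val") for e in rsids.findall(W + "rsid")]


def runs_by_rsid(docx_bytes: bytes):
    """[(rsid, text)] per run; a run without w:rsidR inherits its paragraph's w:rsidRDefault."""
    out = []
    for p in _part(docx_bytes, "word/document.xml").iter(W + "p"):
        default = p.get(W + "rsidRDefault")
        for r in p.iter(W + "r"):
            text = "".join(t.text or "" for t in r.iter(W + "t"))
            out.append((r.get(W + "rsidR") or default, text))
    return out


def rsid_usage(docx_bytes: bytes) -> Counter:
    """How many paragraph/run rsid* attributes reference each rsid."""
    counts = Counter()
    for el in _part(docx_bytes, "word/document.xml").iter():
        if el.tag in (W + "p", W + "r"):
            for attr in ("rsidR", "rsidRDefault", "rsidP", "rsidRPr"):
                if el.get(W + attr):
                    counts[el.get(W + attr)] += 1
    return counts


def unlisted_rsids(docx_bytes: bytes) -> set:
    """rsids referenced in document.xml but absent from settings.xml.

    Word writes both; a non-empty result suggests the body was edited or
    spliced outside Word, or that the parts came from different files."""
    _, listed = session_rsids(docx_bytes)
    return set(rsid_usage(docx_bytes)) - set(listed)


if __name__ == "__main__":
    doc = build_docx()
    print("sessions:", session_rsids(doc))
    for rsid, text in runs_by_rsid(doc):
        print(rsid, repr(text))
    print("unlisted:", unlisted_rsids(doc))
```

Two caveats for reading the output: rsids identify editing sessions, not users or machines, and they survive Save As, so a copy carries its source's history; and producers other than Word may omit them entirely, in which case an empty settings list says nothing about the document's history.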
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I am looking for as much information possible for investigating originality of documents, word documents specifically. If anyone can share with me some techniques that are currently used when investigating originality, that would be great. I currently have some information on RSIDs within OOXML documents but was wondering what kinds of other approaches I can take?

Can you describe what you mean by "originality of documents"?

This may not be something that includes "techniques that are currently used", as it may not be a normal or frequent aspect of investigations (in DFIR, specifically…I can't speak to ediscovery).

 
Posted : 21/10/2019 11:06 am
(@pcook8198)
Posts: 20
Eminent Member
 

The approach differs depending upon the programme used to create the document and whether, for example, the said file is ".doc" or ".docx".

Investigation of a .doc is very time consuming and in-depth with a lot of "FAT" interpretation.

 
Posted : 21/10/2019 12:56 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Investigation of a .doc is very time consuming and in-depth with a lot of "FAT" interpretation.

Can you expand on what you mean by "FAT" (and its interpretation)?

jaclaz

 
Posted : 21/10/2019 2:08 pm
Matt5000
(@matt5000)
Posts: 4
New Member
 

I think it is likely impossible to determine that an Office document is "original", as that is a relative term and these types of documents are meant to be edited. The best you can do is say there is no evidence of alteration, and even that is after a decent amount of investigation. Ultimately, it comes down to the context surrounding the document and whether you have access to computers or storage devices that have interacted with the file.

 
Posted : 21/10/2019 2:56 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Investigation of a .doc is very time consuming and in-depth with a lot of "FAT" interpretation.

While I agree that the approach may differ depending upon the program used to create the document, it might be worth mentioning that the Word97 *.doc documents follow the OLE structured storage format; as such, "FAT" interpretation is not required. There are tools available that will do that for you, leaving you to the analysis and interpretation of the streams themselves.

 
Posted : 21/10/2019 4:09 pm
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

I had a case recently where there was a question about which of two .doc files was the original. The contents were almost identical with just a couple of key changes. I compared the metadata for the two files and showed that one of them had a higher revision number and a few extra minutes of edit time. I compared the created and modified times stored in the document and the one that had the earlier time stamps was also the one with less edit time. I also reported the user names that were stored in the "Last saved by" attribute (I assume the attorneys knew who the users were or were able to find out).

 
Posted : 21/10/2019 6:15 pm
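An added example, not from the post above, that applies the same comparison (revision counter, total edit time, stored created/modified times, and the "Last saved by" name) to two near-identical documents. tracedf's files were binary .doc, where these fields live in the SummaryInformation property stream of the OLE container and need an OLE parser to reach; this example reads the equivalent fields from the docProps/core.xml and docProps/app.xml parts of a .docx, which the standard library can open, and it constructs both sample documents in memory with assumed values. It also flags two internal inconsistencies that a normal Word save sequence does not produce (modified before created, and more edit time than the document's lifetime), which is the kind of check you want before relying on these fields at all, since anyone can rewrite them.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"
DC = "{http://purl.org/dc/elements/1.1/}"
DCTERMS = "{http://purl.org/dc/terms/}"
EP = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"

# Templates for the two property parts of a .docx (constructed sample data).
CORE_TMPL = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>{creator}</dc:creator>
  <cp:lastModifiedBy>{last_by}</cp:lastModifiedBy>
  <cp:revision>{revision}</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>
</cp:coreProperties>"""

APP_TMPL = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
  <Application>Microsoft Office Word</Application>
  <TotalTime>{total_time}</TotalTime>
</Properties>"""


def build_props_docx(creator, last_by, revision, created, modified, total_time) -> bytes:
    """In-memory .docx containing only the two property parts (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_TMPL.format(
            creator=creator, last_by=last_by, revision=revision,
            created=created, modified=modified))
        z.writestr("docProps/app.xml", APP_TMPL.format(total_time=total_time))
    return buf.getvalue()


def _dt(s):
    # W3CDTF timestamps usually end in "Z"; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(s.replace("Z", "+00:00")) if s else None


def read_props(docx_bytes: bytes) -> dict:
    """The fields a reviewer compares, pulled from core.xml and app.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))

    def txt(root, tag):
        el = root.find(tag)
        return el.text if el is not None else None

    return {
        "creator": txt(core, DC + "creator"),
        "last_modified_by": txt(core, CP + "lastModifiedBy"),
        "revision": int(txt(core, CP + "revision") or 0),
        "created": _dt(txt(core, DCTERMS + "created")),
        "modified": _dt(txt(core, DCTERMS + "modified")),
        "total_time_min": int(txt(app, EP + "TotalTime") or 0),  # TotalTime is in minutes
        "application": txt(app, EP + "Application"),
    }


def anomalies(p: dict) -> list:
    """Internal inconsistencies that a normal Word save sequence would not produce."""
    out = []
    if p["created"] and p["modified"]:
        if p["modified"] < p["created"]:
            out.append("modified precedes created")
        span_min = (p["modified"] - p["created"]).total_seconds() / 60
        if p["total_time_min"] > span_min:
            out.append("edit time exceeds created-to-modified span")
    return out


def compare(a: dict, b: dict) -> dict:
    """Which of two documents looks earlier: lower revision, less edit time, earlier modified."""
    votes = {"a": 0, "b": 0}
    for key in ("revision", "total_time_min", "modified"):
        if a[key] is None or b[key] is None or a[key] == b[key]:
            continue  # indicator says nothing when missing or equal
        votes["a" if a[key] < b[key] else "b"] += 1
    if votes["a"] and votes["b"]:
        earlier = "conflicting"
    elif votes["a"] or votes["b"]:
        earlier = "a" if votes["a"] else "b"
    else:
        earlier = "undetermined"
    return {
        "earlier": earlier,
        "votes": votes,
        "last_modified_by": (a["last_modified_by"], b["last_modified_by"]),
        "anomalies": {"a": anomalies(a), "b": anomalies(b)},
    }


if __name__ == "__main__":
    a = read_props(build_props_docx("alice", "alice", 2, "2019-10-01T09:00:00Z", "2019-10-01T09:30:00Z", 25))
    b = read_props(build_props_docx("alice", "bob", 3, "2019-10-01T09:00:00Z", "2019-10-02T14:05:00Z", 31))
    print(compare(a, b))
```

The "votes" count is the point: when all three indicators agree, the conclusion is as strong as this metadata gets; when they conflict, report the conflict rather than pick one, because a copy that was opened and saved by a third party can carry a higher revision and later modified time while its text is the older version.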
(@pcook8198)
Posts: 20
Eminent Member
 

OLE-style documents consist, in basic terms, of large FAT clusters and mini FAT clusters.
Examination of these can also provide previous edits / drive letter association / IP address / user accounts /

previous edit time stamps and a whole raft more.

It was Tony Sammes and Brian Jenkinson who ran courses about this. It is about 8 years ago that I attended a course, and the specifics elude me as it has been a long time since that course. Not using the skills on a regular basis has made me very rusty.

 
Posted : 22/10/2019 2:00 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

OLE style document consist of in basic terms Large Fat clusters and mini FAT clusters
Examination of these can also provide previous edits / Drive letter association / IP address / User accounts /

Previous edit time stamps and a whole raft more.

I see, thanks :) , it is about the MS-CFB (OLE/OLE2) format, or "Structured Storage". I sometimes used this viewer:

http://www.mitec.cz/ssv.html

jaclaz

 
Posted : 22/10/2019 3:48 pm