Metadata Analysis !!!

(@jegham)
Eminent Member
Joined: 18 years ago
Posts: 40
Topic starter  

Dear all,

How can I know who was the last reader (user) of a Word document?

I used several metadata analysis tools such as Pinpoint Viewer… but still, if the author never inserted his name in the properties box, we will never know who really wrote it, or under which specific XP user this document was written?

Thanks


   
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

One method is through analysis of other information not contained in the file. If you determine that the last access or modification of the file was at time N, and the event logs show that user Y was the only person logged in at the time, you've started building a case for user Y being the last person to view or modify the document.

-David


   
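The correlation described in the post above, as an added example that is not part of the original thread: given a file timestamp N, it lists every account with an open session at N and reports whether exactly one candidate remains. The `(timestamp, user, action)` tuples are a hypothetical normalized form of logon/logoff records, constructed for this example.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed session events (not from a real event log).
EVENTS = [
    ("2008-01-05 08:55:10", "alice", "logon"),
    ("2008-01-05 12:01:44", "alice", "logoff"),
    ("2008-01-05 12:30:02", "bob", "logon"),
    ("2008-01-05 17:45:00", "bob", "logoff"),
    ("2008-01-05 16:10:31", "carol", "logon"),  # logoff never recorded
]

def sessions(events):
    """Pair each logon with the same user's next logoff.
    A session with no recorded logoff is kept open (end=None)."""
    open_at, out = {}, []
    for ts, user, action in sorted(events):  # ISO-style strings sort by time
        t = datetime.strptime(ts, FMT)
        if action == "logon":
            open_at.setdefault(user, t)
        elif user in open_at:
            out.append((user, open_at.pop(user), t))
    out.extend((user, start, None) for user, start in open_at.items())
    return out

def users_logged_on(events, when):
    """Return the sorted list of users with a session covering time `when`."""
    n = datetime.strptime(when, FMT)
    return sorted({user for user, start, end in sessions(events)
                   if start <= n and (end is None or n <= end)})

def attribute(events, file_time):
    """A single candidate supports attribution; none or several do not."""
    users = users_logged_on(events, file_time)
    if len(users) == 1:
        return f"only {users[0]} was logged on"
    return "no unique candidate: " + (", ".join(users) or "nobody logged on")

if __name__ == "__main__":
    for n in ("2008-01-05 10:00:00", "2008-01-05 12:15:00", "2008-01-05 16:30:00"):
        print(n, "->", attribute(EVENTS, n))
```

The file timestamp and the log timestamps must be in the same time zone and from clocks that agree before the comparison means anything.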
(@jegham)
Eminent Member
Joined: 18 years ago
Posts: 40
Topic starter  

Basically you are talking about doing a registry analysis, which will lead to who was the current user at a certain time.

But if we had the file sent to us and the sender has no access to the registry, how will we figure out who the user was in this case?


   
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

I think the technical phrase is "you're SOL". Your standalone document doesn't contain all of the information you need to show who the last author of the document was.

-David


   
(@jegham)
Eminent Member
Joined: 18 years ago
Posts: 40
Topic starter  

> Greetings,
>
> I think the technical phrase is "you're SOL". Your standalone document doesn't contain all of the information you need to show who the last author of the document was.
>
> -David

Thanks a lot, David, for your help…
I see that this could be a challenge for the forensic environment.
Vendors of software should implement more ways in order to get the maximum of metadata in a file, such as a revision log.


   
(@krishna)
Trusted Member
Joined: 17 years ago
Posts: 47
 

Hi,
Basically, instead of asking who the last reader is, is it possible to say which user created the document, on which machine, when the document was first created, and the number of modifications/readings at later dates on different machines? I have been trying to find a solution. Esquire Innovations iDiscover claims to reveal the metadata of DOC and XLS files. This is a problem for computer forensic professionals.


   
(@jegham)
Eminent Member
Joined: 18 years ago
Posts: 40
Topic starter  

Hello RedCellSecurity,

If you need a quick tool you should look at DocScrubber. You can find this tool at http://www.docscrubber.com/

I've used it in a few cases myself. Important is the fact you can save the metadata to show / confront your boss. Below is an example of the output from DocScrubber from blair.doc
More information about the 2003 investigation of this document can be found at http://www.computerbytesman.com/privacy/blair.htm

DOC SCRUBBER v1.1
Analysis Performed at 21:49:24 on 5-1-2008
File Analyzed F:\Downloads\blair.doc

Title Iraq- ITS INFRASTRUCTURE OF CONCEALMENT, DECEPTION AND INTIMIDATION
Author default
Company default
Keywords
Subject
Comments
Template Used Normal.dot
Application Microsoft Word 8.0
Created 3-2-2003 10:31:00
Last Saved 3-2-2003 12:18:00
Last Edited By MKhan
Last Printed 30-1-2003 22:33:00
Page Count 1
Word Count 3875
Character Count 22090
Revision Count 4
Unique Identifier (GUID) {5E2C2E6C-8A16-46F3-8843-7F739FA12901}
Recent Hyperlinks List Not Found.

Revision Log Found 10 hidden revision(s)
"cic22" edited file "C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecovery save of Iraq - security.asd"
"cic22" edited file "C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecovery save of Iraq - security.asd"
"cic22" edited file "C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecovery save of Iraq - security.asd"
"JPratt" edited file "C:\TEMP\Iraq - security.doc"
"JPratt" edited file "A:\Iraq - security.doc"
"ablackshaw" edited file "C:\ABlackshaw\Iraq - security.doc"
"ablackshaw" edited file "C:\ABlackshaw\A;Iraq - security.doc"
"ablackshaw" edited file "A:\Iraq - security.doc"
"MKhan" edited file "C:\TEMP\Iraq - security.doc"
"MKhan" edited file "C:\WINNT\Profiles\mkhan\Desktop\Iraq.doc"

How was the revision log stored in the Word file?


   
(@stamitz)
Eminent Member
Joined: 18 years ago
Posts: 34
 

Keydet89 has developed a wonderful CLI tool to retrieve metadata from Word docs. It's named wmd.pl

Page 232 of his book Windows Forensic Analysis, ISBN 978-1-59749-156-3

http://books.google.com/books?id=6LX9PRoX5zgC&printsec=frontcover&dq=windows+forensic+analysis&hl=nl&sig=sddINVaacgraJaKm1Yqc_KURmNE#PPA232,M1


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Stamitz,

Thanks for the shout-out on wmd.pl! I also have a tool on the same DVD called oledmp.pl that dumps OLE info, which means that it works with all OLE doc formats from MSOFFICE…including Excel and PPT. The only difference from wmd.pl is that wmd.pl also parses some of the binary data in the Word doc file header, as well…but just the Word doc. I wasn't able to locate any info on the PPT/XLS binary file format.

Notice, however, that the last person to *use* the document isn't recorded… rather, a list of authors, as well as a value called "last authress", are maintained… which means the last person to *edit* the document.

Try it out… get the tools and have someone send you a Word document, or simply download one from the Internet. Open the doc a couple of times and read it, running the tools before and after. Then modify the file in some way, and run the tools. Then print the file, and run the tools. Quick and "easy bake oven" lab experiment you can run in about 15 minutes.


   
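On the question of how the revision log is stored, and the "list of authors" mentioned in the last post, here is an added example (not code from the thread, wmd.pl or DocScrubber). It assumes the layout Microsoft's [MS-DOC] specification gives for the SttbSavedBy string table: a 0xFFFF marker, a 16-bit string count, a 16-bit extra-data size, then length-prefixed UTF-16LE strings alternating author and path. The sample bytes are constructed from two entries of the output quoted above, and locating the table inside a real file via the header offsets is not shown.

```python
import struct

def parse_sttb_savedby(buf: bytes):
    """Parse an SttbSavedBy blob into (author, path) pairs in stored order."""
    if len(buf) < 6:
        raise ValueError("truncated STTB header")
    f_extend, c_data, cb_extra = struct.unpack_from("<HHH", buf, 0)
    if f_extend != 0xFFFF:
        raise ValueError("expected 0xFFFF marker (UTF-16 string table)")
    if c_data % 2:
        raise ValueError("odd string count; entries are author/path pairs")
    pos, strings = 6, []
    for _ in range(c_data):
        if pos + 2 > len(buf):
            raise ValueError("truncated string length")
        (cch,) = struct.unpack_from("<H", buf, pos)  # length in UTF-16 units
        pos += 2
        end = pos + cch * 2
        if end + cb_extra > len(buf):
            raise ValueError("string runs past end of buffer")
        strings.append(buf[pos:end].decode("utf-16-le"))
        pos = end + cb_extra  # skip per-string extra data, if any
    return list(zip(strings[0::2], strings[1::2]))

def last_saved_by(buf: bytes):
    """Author of the final entry. In the output above the final log entry
    matches 'Last Edited By', so the last pair is treated as the newest."""
    pairs = parse_sttb_savedby(buf)
    return pairs[-1][0] if pairs else None

def build_sample(pairs):
    """Encode (author, path) pairs in the assumed layout (test data only)."""
    flat = [s for pair in pairs for s in pair]
    out = struct.pack("<HHH", 0xFFFF, len(flat), 0)
    for s in flat:
        out += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return out

# Constructed sample: two entries re-encoded from the log text above.
SAMPLE = build_sample([
    ("JPratt", r"A:\Iraq - security.doc"),
    ("MKhan", r"C:\TEMP\Iraq - security.doc"),
])

if __name__ == "__main__":
    for author, path in parse_sttb_savedby(SAMPLE):
        print(f'"{author}" edited file "{path}"')
```

These entries are written when the file is saved, which is why opening or reading a document leaves no trace in this table.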