Hi Guys
Not being that techno savvy, I have a small problem that I am hoping that someone may have a simple solution for.
Situation: A 'civil' matter involving harassment, where the accused are producing emails and word documents as evidence of their innocence. The accuser categorically states that these documents and emails are fabricated.
Problem: Apart from file properties, is there any way of verifying when these documents and emails were created/sent AND modified (as in a list of mod dates/times)? I know that on the surface it is very easy to fake a date, but how do I prove or disprove this?
Thank you in advance.
Kbear
If you can get the court to order disclosure of the computer from which the documents were produced then a digital forensics professional may be able to find evidence that would support or refute the hypothesis that the documents were altered or fabricated. You would need an independent expert, though.
Hi
I have access to the original files and received emails, but not the PC that created them.
Does this help any?
Kbear
For E-mail, you can look in the E-mail headers.
This kind of stuff,
Received: from harlem.dreamhost.com (harlem.dreamhost.com [66.33.216.25])
    by qs2668.pair.com (Postfix) with ESMTP id EC33656422
    for <xxxxxxxxx>; Tue, 23 Oct 2012 18:07:32 -0400 (EDT)
Received: from pinkiepie.dreamhost.com (ps20060.dreamhost.com [208.113.189.4])
    by harlem.dreamhost.com (Postfix) with ESMTP id D6E344C2E
    for <xxxxxxxxx>; Tue, 23 Oct 2012 15:07:25 -0700 (PDT)
Received: from spawn.dreamhost.com (spawn.dreamhost.com [67.205.55.223])
    by pinkiepie.dreamhost.com (Postfix) with ESMTP id 1834D820E3CB5
    for <xxxxxxxxx>; Tue, 23 Oct 2012 15:08:22 -0700 (PDT)
Unless the person has a solid IT background it is unlikely they would have been able to forge all the details and get it all to still make sense.
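The check the post describes can be done mechanically: read the Received: lines bottom-up (each relay prepends its own line, so the bottom one is the first hop), confirm the timestamps move forward hop by hop allowing for normal clock skew, and confirm the "by" host of each hop reappears as the "from" host of the next. The script below is an added example, not code from the thread or from any of the posters; the message it parses is a constructed sample with placeholder hosts, addresses and queue ids, not the headers quoted above.

```python
"""Consistency checks on the Received: trail of an e-mail (added example).

A gap found here is a reason to ask the receiving provider for its own logs,
not proof of forgery by itself: clock skew between relays is common.
"""
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (placeholder hostnames, addresses and queue ids).
GOOD_MESSAGE = """\
Received: from mx-edge.example.net (mx-edge.example.net [192.0.2.10])
\tby mailstore.example.org (Postfix) with ESMTP id AAAA0001
\tfor <recipient@example.org>; Tue, 23 Oct 2012 18:07:32 -0400 (EDT)
Received: from relay.example.net (relay.example.net [192.0.2.20])
\tby mx-edge.example.net (Postfix) with ESMTP id BBBB0002
\tfor <recipient@example.org>; Tue, 23 Oct 2012 15:07:25 -0700 (PDT)
Received: from sender-pc.example.com (sender-pc.example.com [198.51.100.5])
\tby relay.example.net (Postfix) with ESMTP id CCCC0003
\tfor <recipient@example.org>; Tue, 23 Oct 2012 15:07:10 -0700 (PDT)
Date: Tue, 23 Oct 2012 15:06:58 -0700
From: sender@example.com
To: recipient@example.org
Subject: constructed sample

body text
"""

# Same trail, but the first hop is stamped three hours after the relay that
# supposedly handled it next, and the Date: header claims a different day.
BAD_MESSAGE = GOOD_MESSAGE.replace(
    "Tue, 23 Oct 2012 15:07:10 -0700", "Tue, 23 Oct 2012 18:07:10 -0700"
).replace("Date: Tue, 23 Oct 2012 15:06:58 -0700",
          "Date: Mon, 22 Oct 2012 09:00:00 -0700")

# "from <host> ... by <host> ... ; <date>" as written by most MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?;\s*(?P<date>.+)$", re.S)


def parse_received(raw_message):
    """Return the Received: hops oldest-first as dicts with from/by/time."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        m = RECEIVED_RE.search(flat)
        if not m:
            hops.append({"from": None, "by": None, "time": None, "raw": flat})
            continue
        date_text = m.group("date").split("(")[0].strip()  # drop "(PDT)" comment
        hops.append({"from": m.group("from").lower(), "by": m.group("by").lower(),
                     "time": parsedate_to_datetime(date_text), "raw": flat})
    return hops


def check_chain(hops, date_header=None, skew=timedelta(minutes=5)):
    """Return human-readable inconsistencies; an empty list means nothing odd."""
    findings = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        if prev["time"] and cur["time"] and cur["time"] < prev["time"] - skew:
            findings.append(f"hop {i} ({cur['by']}) is stamped {prev['time'] - cur['time']} "
                            f"before the hop it claims to follow ({prev['by']})")
        if prev["by"] and cur["from"] and prev["by"] != cur["from"]:
            findings.append(f"hop {i} says it came from {cur['from']} but the "
                            f"previous hop was handled by {prev['by']}")
    # The sender's own Date: header should sit close to the first relay's stamp.
    if date_header and hops and hops[0]["time"]:
        gap = hops[0]["time"] - date_header
        if abs(gap) > timedelta(hours=1):
            findings.append(f"Date: header is {gap} away from the first relay's stamp")
    return findings


def analyse(raw_message):
    """Parse the message and run every check; returns the list of findings."""
    msg = message_from_string(raw_message)
    date_header = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    return check_chain(parse_received(raw_message), date_header)


if __name__ == "__main__":
    for label, text in (("good", GOOD_MESSAGE), ("bad", BAD_MESSAGE)):
        print(label, analyse(text) or "no inconsistencies")
```

The skew tolerance of five minutes is a judgement call for the example: relays are rarely more than a few seconds apart, but a trail whose hops disagree by hours, or whose hosts do not link up, is what a reviewer would want flagged for follow-up with the mail provider's own logs.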
More than the actual files, you would ideally need a hard disk clone/image of the original system to have more data.
As well, if you have the "whole" Outlook database (as opposed to the single e-mails as .eml files or whatever), you may be able to create at least a "timeline".
Word documents also contain some internal "metadata" that may help in understanding whether a forgery has taken place (like a document saved to a "strange" drive letter/path).
This is besides or "beyond" the basic checks on the actual message headers as highlighted by Passmark.
On the other hand, an e-mail has both a sender and a receiver.
If you have the e-mails (I seem to understand) as they are said to have been received, you can still inspect the sender's computer to ascertain if they were actually sent from there (and/or composed on it). Unless the sender's PC has been wiped or has been lost, it is unlikely that someone (without the mentioned "high level" IT knowledge) would be able to remove any and all traces (or vice versa: if you do not have access to the sender's, you may have access to the receiver's).
Finally, the number of such documents is relevant: if there is no forgery, you have more possibilities of finding traces of the original document, and if there was actual forgery you have more probabilities of finding "wrong" modifications in one of the documents.
Are we talking of three, thirty or three hundred documents?
jaclaz
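The internal Word metadata mentioned above can be cross-checked against the e-mail timeline. For the modern .docx format the document is a zip package whose docProps/core.xml records creator, last-modified-by, revision count and the created/modified times, and every zip member also carries its own timestamp. The script below is an added example, not code from the thread or from any of the posters: it builds two constructed .docx-like packages (minimal packages for the demo, not real Word output), reads those fields and flags the contradictions a reviewer would look for, including a document that was last saved after the message it was supposedly attached to. The "claimed sent" time is an assumed input taken from the e-mail's own timeline.

```python
"""Timeline checks on .docx core properties (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}


def build_sample_docx(created, modified, creator, last_modified_by, revision, zip_time):
    """Construct a minimal OOXML-style package for the demo (not a real Word file)."""
    core = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}" xmlns:xsi="{NS['xsi']}">
<dc:creator>{creator}</dc:creator>
<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>
<cp:revision>{revision}</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>
</cp:coreProperties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in (("docProps/core.xml", core), ("word/document.xml", "<w:document/>")):
            z.writestr(zipfile.ZipInfo(name, date_time=zip_time), data)
    return buf.getvalue()


def read_core_properties(docx_bytes):
    """Pull the timeline-relevant fields out of docProps/core.xml plus zip member times."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
        zip_times = {i.filename: datetime(*i.date_time) for i in z.infolist()}

    def text(tag):
        el = root.find(tag, NS)
        return el.text if el is not None else None

    def when(tag):  # W3CDTF values in core.xml are UTC with a trailing Z
        t = text(tag)
        return datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if t else None

    return {"creator": text("dc:creator"), "last_modified_by": text("cp:lastModifiedBy"),
            "revision": int(text("cp:revision") or 0), "created": when("dcterms:created"),
            "modified": when("dcterms:modified"), "zip_entry_times": zip_times}


def check_timeline(props, claimed_sent=None):
    """Return human-readable contradictions between the metadata and the claimed history."""
    findings = []
    c, m = props["created"], props["modified"]
    if c and m and m < c:
        findings.append(f"modified ({m:%Y-%m-%d %H:%M}) precedes created ({c:%Y-%m-%d %H:%M})")
    if claimed_sent and m and m > claimed_sent:
        findings.append(f"last save is {m - claimed_sent} after the message it was supposedly attached to")
    if props["last_modified_by"] and props["last_modified_by"] != props["creator"]:
        findings.append(f"last saved by {props['last_modified_by']!r}, created by {props['creator']!r}")
    if m:  # zip member stamps are local time with no zone, hence the one-day margin
        for name, t in props["zip_entry_times"].items():
            if t.replace(tzinfo=timezone.utc) > m + timedelta(days=1):
                findings.append(f"zip member {name} stamped {t:%Y-%m-%d}, after the document's own modified date")
    return findings


# Constructed samples: the claimed send time is the e-mail's first-hop stamp.
SENT = datetime(2012, 10, 23, 22, 7, 10, tzinfo=timezone.utc)
GOOD_DOC = build_sample_docx("2012-10-20T09:15:00Z", "2012-10-22T17:40:00Z",
                             "A. Author", "A. Author", 4, (1980, 1, 1, 0, 0, 0))
BAD_DOC = build_sample_docx("2012-10-20T09:15:00Z", "2013-03-02T11:05:00Z",
                            "A. Author", "someone else", 2, (2013, 3, 5, 8, 0, 0))

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(label, check_timeline(read_core_properties(doc), SENT) or "no contradictions")
```

None of these fields is tamper-proof (core.xml is plain XML inside a zip), so a clean result proves little; the value is in the other direction, where a forger who edits one field tends to leave the others, or the zip member stamps, telling a different story.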
Thank you to all that offered assistance, problem is now solved :)
Analyzing the emails and docs I found facts that were not known at the time they were written, proving absolutely that they were forged (date-wise).
Thanks again, I have put all responses into my knowledge base for future reference.
Cheers
Kbear