Office Metadata: Why Does Office Show Wrong Dates?

On several occasions, when I view properties (Advanced properties) to view some of the metadata associated with a .doc file, I find some strange dates (sometimes the Created date is after the document was created), etc. When running the same files through wmd.pl or OLEDeconstruct, both tools give me consistent dates. Does anyone know why this discrepancy exists and why Office displays it wrong? Thanks.

wmd.pl and OLEDeconstruct extract data from the OLE structured storage format.

When you view the Properties of a file…ie, right-click, choose Properties…what you're seeing is the file system metadata. These are subject to various actions, and can even be arbitrarily altered.

Actually, what I was referring to is if you open the file in Office 2007, go to the Globe -> Prepare -> Properties -> Document Properties -> Advanced Properties.

Also, I added a post on running wmd under Linux ) - http//www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=5318

Actually, what I was referring to is if you open the file in Office 2007, go to the Globe -> Prepare -> Properties -> Document Properties -> Advanced Properties.

I've got several documents produced in Word 2007, and I don't see a "Globe". Which tab is that under?

I believe mbrown is referring to the Office Button in the top left hand corner.

So mbrown are you saying that the dates appearing in the doc properties are different to those from the OLEDeconstruct? Can't say I've seen this before, as I understand they are populated from the same place

I believe mbrown is referring to the Office Button in the top left hand corner.

Okay, I followed that, and ended up with a Properties dialog, with multiple tabs. The first tab, General, shows me the file MAC times, from the file system.

It would appear that this all goes back to really understanding what you're looking at, and where that data originates.

When you look at word document properties either via Word or by right clicking in explorer you get a dialog which gives you several sets of dates. I haven't checked this to confirm for sure but I believe the general tab gives the file system metadata and another tab (statistics or details) gives metadata from within the document. These can be different simply because they are from different sources and recorded differently. They may also be displayed differently for example the time zone offset may or may not be applied when the document is moved across computers in different time zones. The only way to work this out for sure is by testing and re-testing.

Also Word 2007 is mentioned in the same breath as OLEDeconstruct but 2007 word documents are not stored in the the same MS Compound File Structure as previous versions so a distinction would no doubt have to be drawn in how the dates are recorded.

H

Thanks for the clarifications. Finally, thanks for the clarifications regard OLEDeconstruct and Word 2007. I know that Word 2007 uses a different format and not OLE. I was just using Word 2007 to view the metadata of a Word 2003 file. Thanks.

[One other thing to think about the created date on the "satistics" tab does not reflect the file creation date, but instead the original creation date of the document. MS stores a lot of metadata, including creation date, last print date, and last revised date.

The thing is, that when someone takes an old document and overwrites it with new info, the old created-date is stll there.
Even weirder things can happen if a doc is copied over several different computers with different timezones, or the contents written over after a while.

I've looked at word documents that were
- printed before they were created
- last-saved before they were created
- even created before they were created!

Still, I am at times deeply grateful for metadata in office docs 😉
(and a lot of other filetypes too, nowadays)

Roland

- even created before they were created!

The good MS guys can see beyond the event horizon!
http//en.wikipedia.org/wiki/Event_horizon 😯

mrgreen

jaclaz