Recovery of files from slack space / backtrack timelines
I'm working on a forensic case regarding an abuse of an employment contract.
I have to prove that a specific supplement to an employment contract was created / modified on a specific PC. I cloned the HDD and reviewed the image with a hex editor.
I've found fragments of the relevant contract text in the "free space / slack space" of the hard disk (with cluster number and offset address) and in the pagefile.sys (Windows XP/SP2). I'm not sure if the delinquent has saved the document on the hard disk or just has written and printed it on this PC without saving.
Now my question: Is it possible to trace back my findings to dates? I have to prove that the special document was written / modified / printed before a special date. Am I able to restore these fragments to a Word document (I suspect he has used Word) to review the metadata?
I think MAC-times are not helpful in this special scenario (slack space, pagefile.sys) because the delinquent was fired one month ago and a colleague has worked on his PC the last month…
Any ideas how to accomplish this?
Thanks for your help