I have a FAT16-formatted USB thumbdrive in which we recovered a deleted RTF file and a deleted docx file. I have the created and modified dates and times and the access date, for when the file was MAC on the thumbdrive itself. Do RTF files contain OLE structured metadata? From my testing I do not see it, but when viewing the docx file there is no OLE metadata information available, possibly because it was deleted?
RTF files can contain metadata, especially if the file was created using MS Word. I did some testing and found that MS Word will embed all of the metadata it typically embeds into the RTF file.
RTF files are nothing more than text with various tags that allow for interpreting of the text (font size, style, etc.). So there is no OLE data as far as I know.
Do RTF files contain OLE structured metadata? From my testing I do not see it, but when viewing the docx file there is no OLE metadata information available, possibly because it was deleted?
Not sure what you mean - OLE structured metadata sounds like a contradiction in terms to my ears.
You can certainly have an OLE object embedded in a RTF file, so if the metadata you refer to comes along with that kind of object, it may be there (probably depends on the object type if it actually is there or not).
However, \objdata looks rather like a hex dump, so you have to interpret that before you reach it. But perhaps I misunderstood the question?
Thank you for the insight. Do you think that if the RTF was saved directly to a thumbdrive, this would be a factor? When I tested creating an RTF in MS Word and then saved directly to a thumbdrive, the only metadata information available to me was the MAC times on the thumbdrive. I received no author or version info, company name, nothing. Thanks again.
Thank you for the insight. Do you think that if the RTF was saved directly to a thumbdrive, this would be a factor? When I tested creating an RTF in MS Word and then saved directly to a thumbdrive, the only metadata information available to me was the MAC times on the thumbdrive. I received no author or version info, company name, nothing. Thanks again.
What are you using to view the metadata?
When examining the RTF files don't expect your regular forensic tools to find and interpret the internal metadata. You have to look through the file yourself.
In reviewing my notes on my previous test and doing some testing now, it is possible that creating an RTF from scratch with MS Word does not leave behind any internal metadata. However, creating an RTF from a Word document does transfer the internal metadata from the Word doc and saves it in the RTF.
I guess I have fallen into the category of creating an RTF from scratch with MS Word. I utilized Pinpoint Labs Metaviewer as well as FTK & EnCase. I am going to continue doing more testing on my end as well, thanks.
I utilized Pinpoint Labs Metaviewer as well as FTK & EnCase.
Use Notepad or a simple text or hex editor and scan through it. If it is there, it is in plain sight; it is not encrypted or encoded. Remember, RTF files under the hood are just text.
Well, I have done that. I am going to take another look just to be sure, but thanks again for the input. I will let you know the final result.
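An added example, not part of the thread and not any poster's code: a small Python parser for the plain-text metadata discussed above, which also checks whether a `\objdata` hex dump carries the OLE2 compound-file signature. The `\info` group and its control words (`\author`, `\operator`, `\creatim`, `\revtim`, `\*\company`) come from the RTF specification rather than from the posts; the sample document and the function names are constructed for illustration.

```python
import re
# Constructed sample (not from the thread): Word-style RTF with an \info group
# and a shortened \objdata hex dump.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    r"{\info{\title Q3 notes}{\author J. Doe}{\operator A. Smith}"
    r"{\creatim\yr2011\mo3\dy7\hr9\min15}{\revtim\yr2011\mo3\dy8\hr16\min2}"
    r"{\version3}{\edmins12}{\*\company Example Corp}}"
    r"\pard Body text.{\object\objemb{\*\objdata 0105000002000000" "\n"
    r"d0cf11e0a1b11ae1}}\par}"
)
OLE_MAGIC = "d0cf11e0a1b11ae1"  # OLE2 compound-file signature as hex text

def group_at(text, start):
    """Return the brace-balanced RTF group that opens at text[start]."""
    depth, i = 0, start
    while i < len(text):
        if text[i] == "\\":      # skip control symbols such as \{ \} \\
            i += 2
            continue
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return text[start:]          # carved or truncated file: keep what survives

def rtf_info(text):
    """Parse the \\info group into a dict; {} when the file has none."""
    pos = text.find("{\\info")
    if pos < 0:
        return {}
    info, out = group_at(text, pos), {}
    for name, val in re.findall(r"\{(?:\\\*)?\\([a-z]+) ([^{}\\]*)\}", info):
        out[name] = val.strip()                  # e.g. {\author J. Doe}
    for name, num in re.findall(r"\{\\(version|edmins|nofpages)(\d+)\}", info):
        out[name] = int(num)
    for name, body in re.findall(r"\{\\(creatim|revtim|printim)([^{}]*)\}", info):
        t = dict(re.findall(r"\\(yr|mo|dy|hr|min)(\d+)", body))
        out[name] = "{}-{:0>2}-{:0>2} {:0>2}:{:0>2}".format(
            *(t.get(k, "0") for k in ("yr", "mo", "dy", "hr", "min")))
    return out

def objdata_has_ole(text):
    """One bool per \\objdata group: does its hex dump contain OLE_MAGIC?"""
    return [OLE_MAGIC in re.sub(r"[^0-9a-f]", "",
                                group_at(text, m.start())[len(m.group()):].lower())
            for m in re.finditer(r"\{\\\*\\objdata", text)]
```

An empty result from `rtf_info` means the file has no `\info` group at all, which is different from a tool failing to display one. Because `group_at` tolerates a missing closing brace, it still returns any fields that survived in a partially recovered file.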