Hi,
I am using Harlan's wmd.pl to analyze information on a .dot file (Word 9.0). I have found the Last 10 Authors etc, however, the information found about the Created, Last Saved and Last Printed dates are confusing me.
Here they from wmd.pl below
Created 04.08.2006, 232300
Last Saved 04.08.2006, 233500
Last Printed 04.08.2006, 233400
The file was created on a Windows 2000 machine also.
Ok, so this where I get confused. Loaded up into FTK the objectPool and the SummaryInformation give me the time an hour ahead. So -
Created 05.08.2006, 002300
Last Saved 05.08.2006, 003500
Last Printed 05.08.2006, 003400
I know that windows displays the timestamps at that time-zone, i.e. adding/taking away from the original timestamp and displaying it, but not actually changing the files timestamps properties. So if I look a file up in BST and then GMT the timestamps change when viewing them due to DST (as well as timezones).
So is the correct time on the 5th or the 4th?
The last time I tried looking at it I got the point where 0034/5 where the correct times. But if any one has any light to shed on this please do.
Best Regards,
Craig
P.S. A thank you to Harlan for spending the time on the book and dvd. It was a great read and the dvd tools and examples made the book 10x better!
Hi,
I've done a search on Harlan's wmp.pl but can't find it. I'd like to have a look at the code for it, where can I get a copy?
Lyle
Hi,
I've done a search on Harlan's wmp.pl but can't find it. I'd like to have a look at the code for it, where can I get a copy?Lyle
Get his book - Windows Forensic Analysis DVD Toolkit, Second Edition it has the scripts with the enclosed CD as well as guidance in using that and may of the other tools he wrote and included.
Also try OLE Deconstruct from Sanderson Forensics.
http//
I usually run both on files as well as some other tools.
Craig
If the time and date is critical the only way to be sure about this is to do some testing of your own in the orginal environment.
I remember Tony Sammes did a presentation at F3 on times and dates in word documents that had moved across time zones and there were some interesting anomalies.
H
Yea, I have done some of my own testing across platforms and I cannot find a definitive answer. But most of it shows what I was hoping in the first place. Thanks for the reference H, I will look it up now.
Cheers,
Craig
I'd suggest checking the display settings for FTK. This caught me up with ProDiscover and I've seen folks have a lot of trouble with it in EnCase.
wmd.pl presents the times as they are in the file with no translation.
HTH
So FTK shows the time by setting DST onto the file MAC times when viewing it. Wmd.pl extracts the metadata, as said, with 'no translation'.
From what I have tested it seems that when file times within Word 9.0 documents are set, they are saved with no DST applied (GMT), even if the file is created in BST (GMT+1).
DST is kind of annoying. )
Thanks for the help guys,
Craig
So FTK shows the time by setting DST onto the file MAC times when viewing it.
Is that what you found when you checked it?
Wmp.pl extracts the metadata, as said, with 'no translation'.
I don't know. My script is "wmd.pl", and it pulls the date information and displays it without translation based on time zone or DST. I have no idea what "wmp.pl" does.
Thanks.
So FTK shows the time by setting DST onto the file MAC times when viewing it.
Is that what you found when you checked it?
Wmp.pl extracts the metadata, as said, with 'no translation'.
I don't know. My script is "wmd.pl", and it pulls the date information and displays it without translation based on time zone or DST. I have no idea what "wmp.pl" does.
Thanks.
My mistake, I meant to type wmd.pl. I have corrected it in the above post.
For FTK displaying timestamps http//
I used this to confirm what I found in my testing.
Cheers,
Craig
I too am confused by the timestamps in wmd.pl. Testing did not clear the issue up. Any help would be appreciated.
I am doing the CCE practice exam found at http//
The file DOC3 (as it is listed in the webpage above was last saved at 228pm. Wmd.pl is saying it was last saved at 182843, and FTK is saying it was last saved at 122843, I put central timezone during the case setup. No timezone was given for the exam. Opening the document in Excel also says 122843pm.
So, Wmd.pl is saying the file was saved 4 hours later, and FTK gives 2 hours earlier.
I can't rectify this, maybe I do not know enough of how Word stores the timestamps or something. But any additional information or URL's to more information (My search for whitepapers on the subject gave little fruitful information) would be appreciated.