Join Us!

Windows File date a...
 
Notifications
Clear all

Windows File date and Word Documents  

  RSS
onedah
(@onedah)
New Member

Hi,

Can anyone help. I am trying to find out when a file was saved. The scenario is

- A user creates a word document in January 2005 and saves Doc.
- User Opens file in October 2005, but before doing so he sets the system Time back to June 2005.
- User then makes updates to word Doc and save, hense having the June 2005 date as the saved date and not October 2005.

The Question-
Is it possible to identify that the user set the system time back to June 2005 and in reality the file was saved in October 2005. Is there any analayis tool to identify the real saves date, or is there some sort of tool that can do some deep analysis into the file?
Thanks

Quote
Posted : 12/11/2005 4:06 pm
keydet89
(@keydet89)
Community Legend

onedah,

Unfortunately, with just the information you left, you may be out of luck.

Let's assume you're referring to a Windows system, as Word also runs on the Mac. Given that, you would need to look for corraborating information to support your assertion that the system time was changed. For example, if the version of Windows was one that supported Event Logs, *and* the correct auditing were enabled, you'd see a specific event record indicating that the system time had been changed.

I wish I could be more help, but without knowing more about the system you're working with, it would all just be speculation. Sorry.

Harlan

ReplyQuote
Posted : 12/11/2005 5:23 pm
onedah
(@onedah)
New Member

Harlan,

The version of Windows in XP Prof with SP2, Word 2002 (10.6612.6735) SP3. It is a coporate Laptop and does support event logs, but i'm not sure what other auditing are enabled, any pointers on this?

As per the file (which I have a copy of) is there any way from seeing chages on that?

Thanks
Onedah

ReplyQuote
Posted : 12/11/2005 5:44 pm
keydet89
(@keydet89)
Community Legend

The version of Windows in XP Prof with SP2, Word 2002 (10.6612.6735) SP3. It is a coporate Laptop and does support event logs, but i'm not sure what other auditing are enabled, any pointers on this?

Okay, great. So, what do you have at this point? Do you have the actual system itself, or do you have an image of the hard drive? If you have an image, what format (dd, EnCase, etc)?

As per the file (which I have a copy of) is there any way from seeing chages on that?

As it's a Word document, have you tried checking the metadata? I'd suggest my Perl scripts for doing so, but no one within this forum has shown any interest, and most folks seem to prefer commercial tools…I'd suggest you look at something like MetaData Assistant.

Harlan

ReplyQuote
Posted : 12/11/2005 6:16 pm
psu89
(@psu89)
Active Member

I'd suggest my Perl scripts for doing so, but no one within this forum has shown any interest, and most folks seem to prefer commercial tools…I'd suggest you look at something like MetaData Assistant.

Harlan

Harlan

I am interested in the perl scripts. I have read your book and am still working my way thru using the scripts. I have to admit I am not very good with command line interfaces, but am interested in learning more.

ReplyQuote
Posted : 12/11/2005 8:11 pm
onedah
(@onedah)
New Member

I have the laptop and Hard Drive available as well as the actual file.

I would be intersted in trying out your script, how can I get hold of a copy?

Onedah

ReplyQuote
Posted : 12/11/2005 11:37 pm
fatrabbit
(@fatrabbit)
Active Member

Harlan, I for one would be very interested in obtaining your perl scripts, could you post them or send me copies?

ReplyQuote
Posted : 15/11/2005 12:11 am
onedah
(@onedah)
New Member

Harlan, Do you have any more information as per your above comments?

Thanks
Onedah

ReplyQuote
Posted : 15/11/2005 1:06 am
Share: