Hi,
Can anyone help? I am trying to find out when a file was saved. The scenario is:
- A user creates a Word document in January 2005 and saves Doc.
- User opens file in October 2005, but before doing so he sets the system time back to June 2005.
- User then makes updates to Word Doc and saves, hence having the June 2005 date as the saved date and not October 2005.
The Question-
Is it possible to identify that the user set the system time back to June 2005 and in reality the file was saved in October 2005? Is there any analysis tool to identify the real save date, or is there some sort of tool that can do some deep analysis into the file?
Thanks
onedah,
Unfortunately, with just the information you left, you may be out of luck.
Let's assume you're referring to a Windows system, as Word also runs on the Mac. Given that, you would need to look for corroborating information to support your assertion that the system time was changed. For example, if the version of Windows was one that supported Event Logs, *and* the correct auditing were enabled, you'd see a specific event record indicating that the system time had been changed.
I wish I could be more help, but without knowing more about the system you're working with, it would all just be speculation. Sorry.
Harlan
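As an added example (not part of the original posts, and not Harlan's Perl scripts), here is one way to look for the corroborating Event Log evidence mentioned above in a raw XP-era `.evt` file. It goes slightly beyond the post: besides flagging an explicit time-change record, it also flags record timestamps that run backwards while record numbers keep rising. Assumptions: the classic binary `EVENTLOGRECORD` layout, Security event ID 520 as the XP time-change event, and a constructed sample log.

```python
import struct
from datetime import datetime, timezone

MAGIC = b"LfLe"        # signature carried by every EVENTLOGRECORD
FIXED = 56             # bytes in the fixed part of a record
TIME_CHANGE_ID = 520   # assumption: XP Security log ID for "system time was changed"

def parse_records(blob):
    """Return [(record_number, time_generated, event_id)] carved from raw .evt bytes."""
    out, pos = [], blob.find(MAGIC)
    while pos != -1:
        start = pos - 4                      # the Length DWORD precedes the signature
        if start >= 0 and start + FIXED <= len(blob):
            (length,) = struct.unpack_from("<I", blob, start)
            end = start + length
            # A record repeats Length as its last DWORD; the 48-byte file header
            # also carries "LfLe" but is too short to pass the size check.
            if FIXED + 4 <= length <= len(blob) - start and blob[end - 4:end] == blob[start:start + 4]:
                recno, t_gen, _t_written, event_id = struct.unpack_from("<4I", blob, start + 8)
                out.append((recno, t_gen, event_id & 0xFFFF))
        pos = blob.find(MAGIC, pos + 4)
    return out

def find_clock_anomalies(records):
    """Flag time-change events and timestamps that go backwards as record numbers rise."""
    findings, prev_time = [], None
    for recno, t_gen, event_id in sorted(records):
        if event_id == TIME_CHANGE_ID:       # only meaningful for the Security log
            findings.append(("time-change-event", recno))
        if prev_time is not None and t_gen < prev_time:
            findings.append(("clock-went-backwards", recno))
        prev_time = t_gen
    return findings

def make_record(recno, when, event_id):
    """Build a minimal constructed record (no strings, SID or data)."""
    ts = int(datetime(*when, tzinfo=timezone.utc).timestamp())
    fixed = struct.pack("<I4s4I4H6I", FIXED + 4, MAGIC, recno, ts, ts, event_id,
                        8, 0, 0, 0, 0, FIXED, 0, FIXED, 0, FIXED)
    return fixed + struct.pack("<I", FIXED + 4)

# Constructed sample: records written in October, then the clock is set to June.
SAMPLE = b"".join([
    make_record(101, (2005, 10, 3, 9, 0), 528),
    make_record(102, (2005, 10, 3, 9, 5), 520),
    make_record(103, (2005, 6, 14, 9, 5), 528),
    make_record(104, (2005, 6, 14, 9, 40), 538),
])
```

The backwards-timestamp check works even when time-change auditing was not enabled, because event records are numbered in the order they were written regardless of what the clock said.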
Harlan,
The version of Windows is XP Prof with SP2, Word 2002 (10.6612.6735) SP3. It is a corporate laptop and does support event logs, but I'm not sure what other auditing is enabled, any pointers on this?
As for the file (which I have a copy of), is there any way of seeing changes on that?
Thanks
Onedah
The version of Windows is XP Prof with SP2, Word 2002 (10.6612.6735) SP3. It is a corporate laptop and does support event logs, but I'm not sure what other auditing is enabled, any pointers on this?
Okay, great. So, what do you have at this point? Do you have the actual system itself, or do you have an image of the hard drive? If you have an image, what format (dd, EnCase, etc)?
As for the file (which I have a copy of), is there any way of seeing changes on that?
As it's a Word document, have you tried checking the metadata? I'd suggest my Perl scripts for doing so, but no one within this forum has shown any interest, and most folks seem to prefer commercial tools…I'd suggest you look at something like MetaData Assistant.
Harlan
I'd suggest my Perl scripts for doing so, but no one within this forum has shown any interest, and most folks seem to prefer commercial tools…I'd suggest you look at something like MetaData Assistant.
Harlan
Harlan
I am interested in the Perl scripts. I have read your book and am still working my way thru using the scripts. I have to admit I am not very good with command line interfaces, but am interested in learning more.
I have the laptop and Hard Drive available as well as the actual file.
I would be interested in trying out your script, how can I get hold of a copy?
Onedah
Harlan, I for one would be very interested in obtaining your Perl scripts, could you post them or send me copies?
Harlan, do you have any more information as per your above comments?
Thanks
Onedah