Windows File date a...
 
Notifications
Clear all

Windows File date and Word Documents

8 Posts
4 Users
0 Likes
527 Views
(@onedah)
Posts: 4
New Member
Topic starter
 

Hi,

Can anyone help. I am trying to find out when a file was saved. The scenario is

- A user creates a word document in January 2005 and saves Doc.
- User Opens file in October 2005, but before doing so he sets the system Time back to June 2005.
- User then makes updates to word Doc and save, hense having the June 2005 date as the saved date and not October 2005.

The Question-
Is it possible to identify that the user set the system time back to June 2005 and in reality the file was saved in October 2005. Is there any analayis tool to identify the real saves date, or is there some sort of tool that can do some deep analysis into the file?
Thanks

 
Posted : 12/11/2005 4:06 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

onedah,

Unfortunately, with just the information you left, you may be out of luck.

Let's assume you're referring to a Windows system, as Word also runs on the Mac. Given that, you would need to look for corraborating information to support your assertion that the system time was changed. For example, if the version of Windows was one that supported Event Logs, *and* the correct auditing were enabled, you'd see a specific event record indicating that the system time had been changed.

I wish I could be more help, but without knowing more about the system you're working with, it would all just be speculation. Sorry.

Harlan

 
Posted : 12/11/2005 5:23 pm
(@onedah)
Posts: 4
New Member
Topic starter
 

Harlan,

The version of Windows in XP Prof with SP2, Word 2002 (10.6612.6735) SP3. It is a coporate Laptop and does support event logs, but i'm not sure what other auditing are enabled, any pointers on this?

As per the file (which I have a copy of) is there any way from seeing chages on that?

Thanks
Onedah

 
Posted : 12/11/2005 5:44 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

The version of Windows in XP Prof with SP2, Word 2002 (10.6612.6735) SP3. It is a coporate Laptop and does support event logs, but i'm not sure what other auditing are enabled, any pointers on this?

Okay, great. So, what do you have at this point? Do you have the actual system itself, or do you have an image of the hard drive? If you have an image, what format (dd, EnCase, etc)?

As per the file (which I have a copy of) is there any way from seeing chages on that?

As it's a Word document, have you tried checking the metadata? I'd suggest my Perl scripts for doing so, but no one within this forum has shown any interest, and most folks seem to prefer commercial tools…I'd suggest you look at something like MetaData Assistant.

Harlan

 
Posted : 12/11/2005 6:16 pm
psu89
(@psu89)
Posts: 118
Estimable Member
 

I'd suggest my Perl scripts for doing so, but no one within this forum has shown any interest, and most folks seem to prefer commercial tools…I'd suggest you look at something like MetaData Assistant.

Harlan

Harlan

I am interested in the perl scripts. I have read your book and am still working my way thru using the scripts. I have to admit I am not very good with command line interfaces, but am interested in learning more.

 
Posted : 12/11/2005 8:11 pm
(@onedah)
Posts: 4
New Member
Topic starter
 

I have the laptop and Hard Drive available as well as the actual file.

I would be intersted in trying out your script, how can I get hold of a copy?

Onedah

 
Posted : 12/11/2005 11:37 pm
(@fatrabbit)
Posts: 132
Estimable Member
 

Harlan, I for one would be very interested in obtaining your perl scripts, could you post them or send me copies?

 
Posted : 15/11/2005 12:11 am
(@onedah)
Posts: 4
New Member
Topic starter
 

Harlan, Do you have any more information as per your above comments?

Thanks
Onedah

 
Posted : 15/11/2005 1:06 am
Share: