R
RBruno
Is it possible to modify the date created and date modified metadata in the properties of a file in a way that the change cannot be discovered?
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
S
Shauna Kelly
Hi RBruno
Word's reporting of date created and date modified can get a bit
confusing. First, Word frequently reports that documents were last
edited or last printed before they were created. This can be seen at
File > Information. The dates shown on the General tab are not
necessarily the same dates as shown on the Statistics tab (or, in
Windows Explorer on the General and Summary tabs of the Properties
dialog). Here are two examples.
Example 1: I already have a document on my machine called test.doc. It
was created last Sunday. This morning, I open Word, and create a new
document. I save it as test.doc (ie I over-write last week's file). Word
reports on the General tab that the document was created last Sunday,
and on the Statistics tab that it was created this morning. Several
hours later, I do File > Save As to save that same new document with a
new name. Word reports on the General tab that it was created this
afternoon, and on the Statistics tab that it was created this morning.
Example 2: I have a template created several months ago. I create a new
document from that template and save it. Word reports that the document
was created today, but was printed last June.
Given that this is how Word is supposed to work (<g>), then determining
whether metadata had been changed, undiscovered, would require (a) a
tight specification of what "change" means and (b) you would need to be
sure that you were looking at the "right" date set.
Hope this helps.
Shauna Kelly. Microsoft MVP.
http://www.shaunakelly.com/word
Melbourne, Australia
discovered?
Word's reporting of date created and date modified can get a bit
confusing. First, Word frequently reports that documents were last
edited or last printed before they were created. This can be seen at
File > Information. The dates shown on the General tab are not
necessarily the same dates as shown on the Statistics tab (or, in
Windows Explorer on the General and Summary tabs of the Properties
dialog). Here are two examples.
Example 1: I already have a document on my machine called test.doc. It
was created last Sunday. This morning, I open Word, and create a new
document. I save it as test.doc (ie I over-write last week's file). Word
reports on the General tab that the document was created last Sunday,
and on the Statistics tab that it was created this morning. Several
hours later, I do File > Save As to save that same new document with a
new name. Word reports on the General tab that it was created this
afternoon, and on the Statistics tab that it was created this morning.
Example 2: I have a template created several months ago. I create a new
document from that template and save it. Word reports that the document
was created today, but was printed last June.
Given that this is how Word is supposed to work (<g>), then determining
whether metadata had been changed, undiscovered, would require (a) a
tight specification of what "change" means and (b) you would need to be
sure that you were looking at the "right" date set.
Hope this helps.
Shauna Kelly. Microsoft MVP.
http://www.shaunakelly.com/word
Melbourne, Australia
in the properties of a file in a way that the change cannot beRBruno said:Is it possible to modify the date created and date modified metadata
discovered?
R
RBruno
My problem is that I believe that my adversary has modified the metadata of a WORD file to show that it was created prior to the time that I suspect it was created. Can the metadata date data be changed in a way that cannot be forensically detected? Thanks for your help.
J
Jay Freedman
RBruno said:My problem is that I believe that my adversary has modified the metadata of a WORD file to show that it was created prior to the time that I suspect it was created. Can the metadata date data be changed in a way that cannot be forensically detected? Thanks for your help.
With enough expertise and enough unmonitored access to the hardware,
*anything* on *any computer can be changed. Do you believe your
adversary has the expertise to locate the creation date in an OLE
structured storage file and alter the bits with a hex editor to show
some desired date? Because that's what would be required. There is no
way within Word to alter the metadata -- there is simply no way to
instruct the program to do it.
That said, I believe the only way you can prove in court that the date
was altered would be if you had an archived copy of the original, for
which you have a provable chain of possession to prove that *it* had
not been altered.
R
RB
Can a WORD document be created with a phony meta data date on it by changing the computer's calendar date, then creating and saving the document?
K
Klaus Linke
RB said:Can a WORD document be created with a phony meta
data date on it by changing the computer's calendar date,
then creating and saving the document?
Sure. Though you'd have to be pretty clever and thorough about it, since
dates can hide in many places (file properties, document properties, fields,
revisions, comments...). If you simply take an exisiting document and save
it on a computer set back a year, this would probably be detectable.
Not only the dates might be revealing, also the history of places
(computers/folders) where the document has been edited or reviewed, or the
printers on which it has been printed.
In case the printer wasn't available yet last year, your competitor would be
in for some questions...
Regards,
Klaus
J
Jay Freedman
RB said:What is an OLE structured storage file? What do the letters stand
for, and what is its function?
OLE = Object Linking and Embedding
This is a Microsoft technology for placing "objects" (files, graphics,
ActiveX controls, and many other kinds of things) into a "container object"
in such a way that they retain their special characteristics. For example,
if you link or embed a section of an Excel worksheet inside a Word document,
you can "activate" it -- usually by double-clicking it -- and work in it as
if it were still in the Excel application. An additional complication is
that a container object can contain other container objects nested within
it, theoretically to unlimited depth.
OLE structured storage is a definition of a file format that can store a
container object and all the objects it contains, along with the information
needed to make OLE work when you reopen then file. It's a very complex
structure, having more in common with program code than with simple text or
graphics files.
An interesting point is that this complexity is what makes it possible to
have a "corrupt" Word file or template. If one or more of the addresses
stored in the file are wrong -- whether that's because of a programming
error or faulty file transmission -- then the program's interpretation of
the OLE structure will be wrong. Sometimes it's so wrong that it prevents
Word from opening the document, or even causes the program to crash.
Ask a Question
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.