Possible to modify metadata undetected?

Is it possible to modify the date created and date modified metadata in the properties of a file in a way that the change cannot be discovered?
 
Hi RBruno

Word's reporting of date created and date modified can get a bit
confusing. First, Word frequently reports that documents were last
edited or last printed before they were created. This can be seen at
File > Information. The dates shown on the General tab are not
necessarily the same dates as shown on the Statistics tab (or, in
Windows Explorer on the General and Summary tabs of the Properties
dialog). Here are two examples.

Example 1: I already have a document on my machine called test.doc. It
was created last Sunday. This morning, I open Word, and create a new
document. I save it as test.doc (ie I over-write last week's file). Word
reports on the General tab that the document was created last Sunday,
and on the Statistics tab that it was created this morning. Several
hours later, I do File > Save As to save that same new document with a
new name. Word reports on the General tab that it was created this
afternoon, and on the Statistics tab that it was created this morning.

Example 2: I have a template created several months ago. I create a new
document from that template and save it. Word reports that the document
was created today, but was printed last June.

Given that this is how Word is supposed to work (<g>), then determining
whether metadata had been changed, undiscovered, would require (a) a
tight specification of what "change" means and (b) you would need to be
sure that you were looking at the "right" date set.

Hope this helps.

Shauna Kelly. Microsoft MVP.
http://www.shaunakelly.com/word
Melbourne, Australia


RBruno said:
Is it possible to modify the date created and date modified metadata
in the properties of a file in a way that the change cannot be
discovered?
 
My problem is that I believe that my adversary has modified the metadata of a WORD file to show that it was created prior to the time that I suspect it was created. Can the metadata date data be changed in a way that cannot be forensically detected? Thanks for your help.
 
RBruno said:
My problem is that I believe that my adversary has modified the metadata of a WORD file to show that it was created prior to the time that I suspect it was created. Can the metadata date data be changed in a way that cannot be forensically detected? Thanks for your help.

With enough expertise and enough unmonitored access to the hardware,
*anything* on *any* computer can be changed. Do you believe your
adversary has the expertise to locate the creation date in an OLE
structured storage file and alter the bits with a hex editor to show
some desired date? Because that's what would be required. There is no
way within Word to alter the metadata -- there is simply no way to
instruct the program to do it.

That said, I believe the only way you can prove in court that the date
was altered would be if you had an archived copy of the original, for
which you have a provable chain of possession to prove that *it* had
not been altered.
 
Can a WORD document be created with a phony meta data date on it by changing the computer's calendar date, then creating and saving the document?
 
RB said:
Can a WORD document be created with a phony meta
data date on it by changing the computer's calendar date,
then creating and saving the document?

Sure. Though you'd have to be pretty clever and thorough about it, since
dates can hide in many places (file properties, document properties, fields,
revisions, comments...). If you simply take an existing document and save
it on a computer set back a year, this would probably be detectable.

Not only the dates might be revealing, also the history of places
(computers/folders) where the document has been edited or reviewed, or the
printers on which it has been printed.
In case the printer wasn't available yet last year, your competitor would be
in for some questions...

Regards,
Klaus
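
As an added illustration (not part of the thread and not any poster's code), the cross-checks described in the replies above can be written as a small triage over dates an examiner has already transcribed. The field names and sample values are constructed for this example.

```python
from datetime import datetime

# Constructed sample (not from a real case): dates an examiner has transcribed
# from the file system, the document properties, and the document body.
SAMPLE = {
    "fs_created": datetime(2005, 3, 19, 9, 0),    # Explorer / General tab
    "doc_created": datetime(2005, 3, 2, 14, 0),   # Statistics tab
    "doc_saved": datetime(2005, 3, 2, 15, 0),
    "doc_printed": datetime(2004, 6, 10, 11, 0),
    "embedded": [                                 # revisions, comments, fields
        ("tracked revision", datetime(2005, 3, 18, 16, 30)),
        ("comment", datetime(2005, 3, 2, 14, 20)),
    ],
}


def triage(d):
    """Return (level, message) findings.

    'explainable' = a benign cause is described in the thread;
    'review' = the custodian should be asked to account for it.
    """
    out = []
    if d["doc_created"] != d["fs_created"]:
        out.append(("explainable",
                    "document and file-system creation dates differ "
                    "(overwritten file or Save As)"))
    if d.get("doc_printed") and d["doc_printed"] < d["doc_created"]:
        out.append(("explainable",
                    "printed before created (value inherited from a template)"))
    if d["doc_saved"] < d["doc_created"]:
        out.append(("explainable", "last saved before created"))
    for label, when in d.get("embedded", []):
        if when > d["doc_saved"]:
            out.append(("review", f"{label} dated {when:%Y-%m-%d} is later "
                                  "than the last-saved date"))
        elif when < d["doc_created"]:
            out.append(("review", f"{label} dated {when:%Y-%m-%d} is earlier "
                                  "than the creation date"))
    return out


if __name__ == "__main__":
    for level, message in triage(SAMPLE):
        print(f"{level:12} {message}")
```

A "review" finding is a prompt for questions, not proof of alteration; clock or time-zone differences between machines can also produce one.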
 
RB said:
What is an OLE structured storage file? What do the letters stand
for, and what is its function?

OLE = Object Linking and Embedding
This is a Microsoft technology for placing "objects" (files, graphics,
ActiveX controls, and many other kinds of things) into a "container object"
in such a way that they retain their special characteristics. For example,
if you link or embed a section of an Excel worksheet inside a Word document,
you can "activate" it -- usually by double-clicking it -- and work in it as
if it were still in the Excel application. An additional complication is
that a container object can contain other container objects nested within
it, theoretically to unlimited depth.

OLE structured storage is a definition of a file format that can store a
container object and all the objects it contains, along with the information
needed to make OLE work when you reopen the file. It's a very complex
structure, having more in common with program code than with simple text or
graphics files.

An interesting point is that this complexity is what makes it possible to
have a "corrupt" Word file or template. If one or more of the addresses
stored in the file are wrong -- whether that's because of a programming
error or faulty file transmission -- then the program's interpretation of
the OLE structure will be wrong. Sometimes it's so wrong that it prevents
Word from opening the document, or even causes the program to crash.
 
If what is wanted is to change "Date Created" to make it appear that a
document was created earlier than it really was, there is an easy way
to do it. However, you must have access to a second document that
*was* created earlier for this to work. This example will explain:

1. You have a document, NEWDOC.DOC, that you created today, March 19,
but that you would like to show as having been created on or around
March 1.

2. You have another document, OLDDOC.DOC, that was created, say, on
March 2 -- close enough for your purposes.

3. Open OLDDOC.DOC and "save as" OLDDOC-BAK.DOC (assuming you don't
want to lose its contents). Close it.

4. Open NEWDOC.DOC and "save as" NEWDOC-BAK.DOC. Close it.

5. In My Computer/Windows Explorer, delete NEWDOC.DOC.

6. In My Computer/Windows Explorer, rename OLDDOC.DOC as NEWDOC.DOC.

7. Open NEWDOC.DOC (actually the old OLDDOC.DOC) and NEWDOC-BAK.DOC.

8. Delete all of the existing content of NEWDOC.DOC. Copy all of the
content of NEWDOC-BAK.DOC to your clipboard and paste it into
NEWDOC.DOC. Close NEWDOC-BAK.DOC.

9. Check the document properties of NEWDOC.DOC. It should show "Date
Created" as March 2 (or whatever the creation date of the original
OLDDOC.DOC was). Be sure and change any editable property fields
necessary to make them consistent with the new contents, e.g., "Title."
Save NEWDOC.DOC (you can then close it if you want).

10. In My Computer/Windows Explorer, delete NEWDOC-BAK.DOC. Rename
OLDDOC-BAK.DOC as OLDDOC.DOC.

That should do it. I hope I've explained the steps correctly. It was
very easy when I tried it, but sounds confusing written out!

Couple of caveats: After you've done all of the above, the properties
of OLDDOC.DOC will now show the creation date as today's date, so that
has to not matter to you. Also, although the creation date for
NEWDOC.DOC will show as March 2 (in this example), the last
accessed/modified dates will show as today's date (the date you did
this work). Remember, all of this is just about changing the apparent
creation date of a particular document.
 
It would be easier to change the system date, create a new document, paste
all the content into it, and save under the desired filename.

--
Suzanne S. Barnhill
Microsoft MVP (Word)
Words into Type
Fairhope, Alabama USA

Email cannot be acknowledged; please post all follow-ups to the newsgroup so
all may benefit.
 