Forensic Analysis of Email Attachment Timestamps in Outlook

By | Articles

What happens to email attachment timestamps when a file is attached to an email message? As far as internal file metadata goes, nothing should change. Attaching the file does not change its contents, and internal metadata, such as the document’s author, title, creation and modification dates where applicable, should be preserved during transit.
How about file system metadata? Does plucking the file from the file system and attaching it to an email result in total loss of file system metadata? Not so, at least in an Exchange / Outlook environment. In fact, file system timestamps can survive the transit to the recipient’s mailbox, sometimes with 100-nanosecond precision!

PDF Forensic Analysis and XMP Metadata Streams

By | Articles

PDF forensic analysis is a type of request we encounter often in our computer forensics practice. The requests usually entail PDF forgery analysis or intellectual property related investigations. In virtually all cases, I have found that the PDF metadata contained in metadata streams and the document information dictionary have been instrumental. I will provide a brief overview of these metadata sources and then provide an example about how they can be useful during PDF forensic analysis…

Native File Format ESI Productions in e-Discovery & Computer Forensics

By | Articles

About a decade ago, virtually all electronically stored information (ESI) productions we performed were in static format (i.e., PDF/TIFF/JPG with accompanying load files). Legal review platforms were designed to work with static productions, and law firms preferred them due to their plug-and-play nature—a proper static production can be loaded into a review platform without much effort. During the past two years, we have seen an increasing interest in productions in native file format. Considering the amount of information that can be extracted from raw data, it is not hard to understand why lawyers demand access to electronic documents in their native format.

Bates Range to List & Bates List to Range Converter

By | Articles

When working on computer forensics or e-Discovery projects, especially the ones that involve electronically stored information (ESI) productions based on pick lists, we frequently encounter pick lists which consist of Bates ranges. Bates ranges may comprise document-level control numbers—as seen in native or near-native document productions, or page-level Bates numbers. We conceived Range Converter—a free Bates range to list converter—with the hope that it will make it easier for legal professionals to work with Bates ranges.

Word Last 10 Authors Metadata in Computer Forensics

By | Articles

Microsoft Office documents typically contain a great amount of metadata, some of which can be instrumental in computer forensics. While e-Discovery and computer forensics software can handle extracting and displaying most of the metadata, I found that a crucial piece of information is usually not extracted: Microsoft Word last 10 authors — also known as Word save history.

Certain versions of Microsoft Word such as Word 8.0 (Word 97) through Word 10.0 (Word 2002) store the names of the last 10 people who edited the document as well as the file locations. This information is not displayed to the end user through the Microsoft Word user interface, and according to the Microsoft Support website, this is an automatic feature that cannot be disabled.

Email Forgery Analysis in Computer Forensics

By | Articles

Emails are usually at the top of the list when it comes to potentially relevant electronically stored information (ESI) sources. They often capture critical business correspondence, agreements, business documents, internal company discussions, etc. On the other hand, they are one of the most frequently forged document types. They can be altered in many ways, such as by backdating or by changing the sender, recipients or message contents. Fortunately, email servers and client computers often contain various metadata which can be used for email forgery analysis.

One of these metadata fields is the Conversation Index property. I previously wrote about E-mail Conversation Index Analysis and how it can be useful in forensic analysis of e-mails, particularly email forgery analysis. In this post, we will put that weapon to use — along with other computer forensics techniques — and take a close look at a sample fraudulent email message.

Date Forgery Analysis and Timestamp Resolution

By | Articles

Date forgery analysis is one of the most common digital forensics investigation tasks we encounter. For instance, the suspect backdates a document and tries to pass it off as an older document. In the process, however, he usually makes a mistake or overlooks metadata or surrounding evidence that a computer forensics expert can use to reveal what happened. In this post, we will look at such a scenario and one of the artifacts which can be utilized during date forgery analysis.

8 Common Misconceptions about Native File Productions

By | Articles

Native file productions are gaining more and more traction in e-Discovery, and rightfully so. However, what native format is, and its benefits and drawbacks are commonly misunderstood, occasionally rising to the level of e-Discovery disputes. Here are some of the misconceptions we encounter frequently about native file productions…

S.M.A.R.T. Data in Computer Forensics

By | Articles

Forensically imaging a hard drive is typically defined as making a bit-by-bit copy of all the sectors on the drive. It is usually not mentioned that hard disk drives also contain service areas which store information used for internally managing the drives (e.g. defect management). Information in the service area of a drive is not presented to the user, is inaccessible using standard ATA commands and is not captured from the original drive during the traditional forensic imaging process. One of the key pieces of information typically found in the service area of a hard drive is S.M.A.R.T. data, which can be valuable during digital forensics investigations.

Concordance CPL to Populate Production Attachment Ranges

By | Software

Have you ever had to calculate production attachment ranges (e.g. PRODBEGATT and PRODENDATT fields) manually? Perhaps the production software you used did not calculate these fields for you, or the production specifications changed and you had to add these fields after the fact. While the calculation is usually straightforward, things can get a bit more tricky if some of the attachment families were not produced entirely (i.e. you need to shrink the review attachment ranges to account for the documents that were not produced).

We have created a Concordance CPL called “Populate_Prod_Att” to help make things a bit easier. The CPL reads the existing review attachment ranges and production Bates numbers in your Concordance database, and calculates the production attachment ranges for you.