Microsoft Word forensic analysis is something we do quite often for document authentication. Because of the great popularity of Microsoft Office, many important business documents such as memorandums and contracts are created using Word. When things go south, some of these documents become key evidence and subject to forensic authentication…
What happens to email attachment timestamps when a file is attached to an email message? As far as internal file metadata goes, nothing should change. Attaching the file does not change its contents, and internal metadata, such as the document’s author, title, creation and modification dates where applicable, should be preserved during transit.
How about file system metadata? Does plucking the file from the file system and attaching it to an email result in total loss of file system metadata? Not so, at least in an Exchange / Outlook environment. In fact, file system timestamps can survive the transit to the recipient’s mailbox, sometimes with 100-nanosecond precision!
PDF forensic analysis is a type of request we encounter often in our computer forensics practice. The requests usually entail PDF forgery analysis or intellectual property related investigations. In virtually all cases, I have found that the PDF metadata contained in metadata streams and the document information dictionary has been instrumental. I will provide a brief overview of these metadata sources and then provide an example of how they can be useful during PDF forensic analysis…
About a decade ago, virtually all electronically stored information (ESI) productions we performed were in static format (i.e., PDF/TIFF/JPG with accompanying load files). Legal review platforms were designed to work with static productions, and law firms preferred them due to their plug-and-play nature—a proper static production can be loaded into a review platform without much effort. During the past two years, we have seen an increasing interest in productions in native file format. Considering the amount of information that can be extracted from raw data, it is not hard to understand why lawyers demand access to electronic documents in their native format.
When working on computer forensics or e-Discovery projects, especially the ones that involve electronically stored information (ESI) productions based on pick lists, we frequently encounter pick lists which consist of Bates ranges. Bates ranges may comprise document-level control numbers (as seen in native or near-native document productions) or page-level Bates numbers. We conceived Range Converter—a free Bates range to list converter—with the hope that it will make it easier for legal professionals to work with Bates ranges.
Microsoft Office documents typically contain a great amount of metadata, some of which can be instrumental in computer forensics. While e-Discovery and computer forensics software can handle extracting and displaying most of the metadata, I found that a crucial piece of information is usually not extracted: Microsoft Word last 10 authors — also known as Word save history.
Certain versions of Microsoft Word such as Word 8.0 (Word 97) through Word 10.0 (Word 2002) store the names of the last 10 people who edited the document as well as the file locations. This information is not displayed to the end user through the Microsoft Word user interface, and according to the Microsoft Support website, this is an automatic feature that cannot be disabled.
Emails are usually at the top of the list when it comes to potentially relevant electronically stored information (ESI) sources. They often capture critical business correspondence, agreements, business documents, internal company discussions, etc. On the other hand, they are one of the most frequently forged document types. They can be altered in many ways, such as by backdating or by changing the sender, recipients or message contents. Fortunately, email servers and client computers often contain various metadata which can be used for email forgery analysis.
One of these metadata fields is the Conversation Index property. I previously wrote about E-mail Conversation Index Analysis and how it can be useful in forensic analysis of e-mails, particularly email forgery analysis. In this post, we will put that weapon to use — along with other computer forensics techniques — and take a close look at a sample fraudulent email message.
Date forgery analysis is one of the most common digital forensics investigation tasks we encounter. For instance, the suspect backdates a document and tries to pass it off as an older document. In the process, however, he usually makes a mistake and overlooks metadata or surrounding evidence that a computer forensics expert can use to reveal what happened. In this post, we will look at such a scenario and one of the artifacts which can be utilized during date forgery analysis.
Native file productions are gaining more and more traction in e-Discovery, and rightfully so. However, what native format is, along with its benefits and drawbacks, is commonly misunderstood, occasionally rising to the level of e-Discovery disputes. Here are some of the misconceptions we encounter frequently about native file productions…
Forensically imaging a hard drive is typically defined as making a bit-by-bit copy of all the sectors on the drive. It is usually not mentioned that hard disk drives also contain service areas which store information used for internally managing the drives (e.g. defect management). Information in the service area of a drive is not presented to the user, is inaccessible using standard ATA commands and is not captured from the original drive during the traditional forensic imaging process. One of the key pieces of information typically found in the service area of a hard drive is S.M.A.R.T. data, which can be valuable during digital forensics investigations.