Last week, we indicated that there are a number of risks involved with accepting a printed document at face value. What follows are some visual examples of those pitfalls.
The document below represents the properties of a specific Word document. This particular set of properties is derived from a Windows 10 operating system with Word 2016 installed. At face value, it appears that the document was created on 04/05/2010 at 11:38 AM. However, from this document alone, we cannot establish whether the document was created at that time and date, as there are a number of variables to consider.
| Property | Value |
|---|---|
| Code page | 1252 |
| Title | Jan Alleman |
| Subject | Consulting Agreement |
| Author | JA |
| Keywords | JanA |
| Template | Normal |
| Last saved by | Alleman |
| Revision number | 8 |
| Creating application | Microsoft Office Word |
| Total editing time | 1 hours 24 minutes 0 seconds |
| Last printed | 1999/03/23 05:04:00 PM +0200 |
| Create time | 2010/05/04 11:38:00 AM +0200 |
| Last saved time | 2010/05/04 01:01:00 PM +0200 |
| Number of pages | 8 |
| Number of words | 1489 |
| Number of characters | 8488 |
| Security | 0 |
| Microsoft Word Version | Word Document 8 |
| Company | ABC |
Depending on your operating system and Word version, different programs will indicate either a last saved date or a last modification date.
From the above, you can see that a document contains a lot of metadata. Reaching a conclusion from the Word document alone would be unwise, because a person can manipulate the date and time, either by setting the date and time back or by using a third-party application.
It is always recommended that an expert investigate the computer where the document was reportedly created. If the computer is not available, one needs to look at other avenues such as:
- Email messages where this document was sent as an attachment and/or
- Backups that were created of the data (Backup Tapes)
- Operating System (each new operating system brings amendments and upgrades)
- Word version (the terminology in different Word versions can differ)
- Document Version (the document version can indicate whether a document is a new creation and assist in a comparative study)
- Date and Time (these can be manipulated and could have been manipulated by previous users or editors of a document; take care to enquire from an expert before this is accepted)
- Last Printed (indicates when last the document was printed and can be very useful when a timeline is at issue and for example where a later printed and signed document is presented in evidence)
- Created date (as mentioned above, this is not always the first created date, but can be in relation to the device used and may also assist in ensuring a proper time-line analysis)
- Do not be confused when the metadata is presented as a screen print and accept it as such. All the above questions must be asked first (and do not confuse properties of a document, with the properties of the device from which the document is derived)
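The timeline questions above can be asked of the property values themselves before an expert is briefed. The following is an added example, not part of the original article: it checks the dates and editing time from the table above for internal inconsistencies. The function names and the choice of checks are assumptions, and each flag is a question to put to the expert, not a finding of manipulation.

```python
from datetime import datetime, timedelta
import re

# Property values transcribed from the table on this page.
PROPS = {
    "Revision number": "8",
    "Total editing time": "1 hours 24 minutes 0 seconds",
    "Last printed": "1999/03/23 05:04:00 PM +0200",
    "Create time": "2010/05/04 11:38:00 AM +0200",
    "Last saved time": "2010/05/04 01:01:00 PM +0200",
}

FMT = "%Y/%m/%d %I:%M:%S %p %z"  # layout used in the table, with UTC offset


def parse_duration(text):
    """Turn '1 hours 24 minutes 0 seconds' into a timedelta."""
    hours, minutes, seconds = (int(n) for n in re.findall(r"\d+", text))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def timeline_flags(props):
    """Return internal inconsistencies that need an explanation."""
    created = datetime.strptime(props["Create time"], FMT)
    saved = datetime.strptime(props["Last saved time"], FMT)
    printed = datetime.strptime(props["Last printed"], FMT)
    editing = parse_duration(props["Total editing time"])
    span = saved - created
    flags = []
    if printed < created:
        flags.append(f"Last printed ({printed.date()}) precedes "
                     f"Create time ({created.date()})")
    if saved < created:
        flags.append("Last saved time precedes Create time")
    if editing > span:
        flags.append(f"Total editing time ({editing}) exceeds the span "
                     f"from Create time to Last saved time ({span})")
    if int(props["Revision number"]) > 1 and editing == timedelta(0):
        flags.append("More than one revision but zero editing time")
    return flags


if __name__ == "__main__":
    for flag in timeline_flags(PROPS):
        print("CHECK:", flag)
```

For the sample properties this raises two points: the document was last printed in 1999, eleven years before its stated creation, and the recorded editing time is longer than the interval between creation and last save.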
Below is an example of a screenprint of the same document from the same device, one containing the device property terminology and dates and the other the document terminology and dates. Note the different dates, which could all impact on the veracity of the document and lead to some uncomfortable cross-examination if your witness is not prepared to explain the different property sources.
Contact your digital forensic expert to assist in analysing documents handed to you as evidence.
Contributed by:
Brandon Buckton and Ilse Grobler
Cyanre, the Computer Forensic Lab (Pty) Ltd
Phone: 0126640066