

By gaining insight from an experienced forensic examiner, the reader will learn how to avoid some of the pitfalls of metadata analysis that can lead to misinterpretation of seemingly reliable metadata. After reviewing the types of information that may be obtained from Office metadata, the Chapter will use some specific examples and factual scenarios to demonstrate the intricacies, twists and turns encountered in the process of extracting and interpreting metadata.

Metadata is often incredibly useful to a forensic investigator, helping to establish the “who, what, where and how” of computer-based activity. But metadata is also easy to misinterpret, or just miss altogether. This chapter explores some of the risks associated with analyzing metadata and the challenges of drawing reliable conclusions from such analysis. This chapter will focus on defining some of the specific issues encountered when analyzing Microsoft Office metadata, the most common file types forensic investigators encounter. Not only can metadata be altered intentionally to throw off an investigator, but the Microsoft rules that govern how and when metadata is created and updated over time can generate some puzzling and even inexplicable results.

Parsing the SttbSavedBy structure reveals the save history of the document, also known as Word last 10 authors metadata. The SttbSavedBy structure is a string table (STTB structure) which contains string pairs indicating the name of the author who saved the document and the path and name of the saved file.

What is Word Last 10 Authors?

Certain versions of Microsoft Word such as Word 8.0 (Word 97) through Word 10.0 (Word 2002) store the names of the last 10 people who edited the document as well as the file locations. This information is not displayed to the end user through the Microsoft Word user interface, and according to the Microsoft Support website, this is an automatic feature that cannot be disabled (see WD97: How to Minimize Metadata in Microsoft Word Documents).

The following is an example of what may be found in the Word last 10 authors metadata (labels and numbers added for clarity, test data used for demonstrative purposes):

1 – Author: johnd Path: D:\Documents and Settings\mdd.LAB\Desktop\Sample_v2.doc
2 – Author: johnd Path: D:\DOCUME~1\mdd.LAB\LOCALS~1\Temp\AutoRecovery save of Sample_v2.asd
3 – Author: johnd Path: D:\Documents and Settings\mdd.LAB\Desktop\Sample_v2.doc
4 – Author: johnd Path: D:\Documents and Settings\mdd.LAB\Desktop\Sample_v2.doc
5 – Author: jdoe Path: C:\WINDOWS\DESKTOP\Sample_v2.doc
6 – Author: jdoe Path: C:\WINDOWS\DESKTOP\Sample_v3.doc
7 – Author: jdoe Path: C:\WINDOWS\DESKTOP\Sample_v3.doc
8 – Author: jdoe Path: C:\WINDOWS\DESKTOP\Sample_v3.doc
9 – Author: jdoe Path: C:\WINDOWS\DESKTOP\Sample_v3.doc
10 – Author: jwhite Path: C:\WINDOWS\DESKTOP\Sample_v3.doc

As you can imagine, sending out a document with such a revision log can sometimes be problematic (see Richard M. Smith’s posts on the Blair Document and Microsoft’s 1999 Annual Report - original links appear to be dead at this point). On the other hand, such information can be a gold mine for a computer forensics expert.

Word Documents containing Word Last 10 Authors Metadata are Object Linking and Embedding (OLE) compound files as specified by the Microsoft Compound File Binary File Format (CFB). The following two Microsoft documents outline the Compound File Binary File Format as well as the Word Binary File Format.

Briefly, extracting the Word last 10 authors metadata requires locating the File Information Block (FIB) and reading the fcSttbSavedBy, lcbSttbSavedBy and fWhichTblStm values. The fcSttbSavedBy and lcbSttbSavedBy values specify the offset in the Table Stream where the SttbSavedBy structure - containing the save history of the file - is located and the size of the SttbSavedBy structure, while the fWhichTblStm bit indicates the Table Stream the FIB is referring to. Depending on the value of the fWhichTblStm bit, the 0Table or 1Table Stream is read and the SttbSavedBy structure is extracted using the fcSttbSavedBy and lcbSttbSavedBy values.
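The last step of the extraction described on this page, decoding the SttbSavedBy bytes into author/path pairs, is shown here as an added example that is not code from the original article. It assumes the Table Stream bytes and the fcSttbSavedBy and lcbSttbSavedBy values have already been read from the FIB, and it assumes the STTB layout given in Microsoft's Word Binary File Format document (a 0xFFFF marker, a string count, an extra-data size, then length-prefixed UTF-16LE strings); the function names and the sample stream are constructed for illustration.

```python
import struct

class SttbError(ValueError):
    """The bytes at fc/lcb are not a well-formed SttbSavedBy."""

def parse_sttb_saved_by(table_stream, fc, lcb):
    """Return [(author, path), ...] in stored order from table_stream[fc:fc+lcb]."""
    if lcb == 0:
        return []  # the FIB records no save history
    if fc < 0 or lcb < 6 or fc + lcb > len(table_stream):
        raise SttbError("fc/lcb fall outside the Table Stream")
    buf = table_stream[fc:fc + lcb]
    # Assumed STTB header: fExtend, cData, cbExtra (uint16 little-endian each).
    f_extend, c_data, cb_extra = struct.unpack_from("<HHH", buf, 0)
    if f_extend != 0xFFFF or cb_extra != 0:
        raise SttbError("not an extended STTB without extra data")
    if c_data % 2:
        raise SttbError("odd string count; entries must be author/path pairs")
    strings, pos = [], 6
    for _ in range(c_data):
        if pos + 2 > len(buf):
            raise SttbError("truncated before string length")
        (cch,) = struct.unpack_from("<H", buf, pos)
        end = pos + 2 + cch * 2  # cch counts 2-byte characters
        if end > len(buf):
            raise SttbError("string runs past lcb")
        strings.append(buf[pos + 2:end].decode("utf-16-le", errors="replace"))
        pos = end
    return list(zip(strings[0::2], strings[1::2]))

def build_sample(pairs):
    """Constructed test data: an STTB embedded in a fake Table Stream."""
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for pair in pairs for s in pair)
    sttb = struct.pack("<HHH", 0xFFFF, 2 * len(pairs), 0) + body
    return b"\x00" * 16 + sttb + b"\x00" * 8, 16, len(sttb)

# Constructed sample values, modelled on the test data shown above.
SAMPLE_PAIRS = [
    ("johnd", r"D:\Documents and Settings\mdd.LAB\Desktop\Sample_v2.doc"),
    ("jdoe", r"C:\WINDOWS\DESKTOP\Sample_v3.doc"),
]

if __name__ == "__main__":
    stream, fc, lcb = build_sample(SAMPLE_PAIRS)
    for n, (author, path) in enumerate(parse_sttb_saved_by(stream, fc, lcb), 1):
        print(f"{n} - Author: {author} Path: {path}")
```

The bounds checks matter in forensic use: the offsets come from an untrusted file, and a tampered or truncated structure should produce an explicit error rather than a silently shortened save history.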
Microsoft Office documents typically contain a great amount of metadata, some of which can be instrumental in computer forensics. While e-Discovery and computer forensics software can handle extracting and displaying most of the metadata, I found that a crucial piece of information is usually not extracted: Microsoft Word last 10 authors - also known as Word save history.
