Microsoft Word – What Lies Beneath

    Posted on August 10, 2009 by simon in Methodologies & Best Practices.

    As a Forensic Investigator it is crucial that any investigation of a case is thorough and done to the best of an individual’s ability. In the interest of time there can be a temptation to delve deep enough to find the required evidence, report it, then move on to the next case. People may, in fact, be under very real pressure to do this. Sometimes doing such things can cause problems for a case in the future when another expert potentially reviews and comments on your own findings.

    Imagine the following scenario as a forensic investigator. You are handed a case brief and a computer hard drive to examine. The case brief informs you that Bill, the owner of the computer, is suspected of using the computer to create fraudulent documents for their own financial benefit. The alleged offence took place between May and July. You image the disk, load the disk image into your preferred forensic software and begin your examination.

    Initial searches uncover a large number of Microsoft Word documents. You open these documents and discover that they do, indeed, contain a number of fraudulent documents. You discover that the documents have been created over a period of two months and that they have been accessed by the Windows user named ‘Bill’ on the computer. Well, there you have it. Guilty? Innocent? However it looks on the surface, if you dig a little deeper you could see things very differently.

    You discover that the NTUSER.DAT registry hive for the user ‘Bill’ shows Microsoft Office to have been used and registered by this same user. When the software was first run he specified the user name ‘Bill’ and the initials ‘BT’. You also find that Microsoft Office was installed on the computer three months earlier.

    Whilst a lot of people are aware that this and more information is stored by Microsoft Office, they may not be aware of how this can potentially swing a case. This information, as well as much more, is embedded into every Microsoft Word document by default.

    When a document is created by the user selecting ‘New’ from the Office menu or the File menu, Microsoft Word immediately records the time and date as a ‘Create Date’ for that document. Regardless of what happens to that original document or where it is copied to, this date and time remains the same. In addition to this, the above user name and initials are also stored in the document as ‘Author’ details even before it is saved by the user. When the document is first saved a ‘Last Revised Date’ record is created, and a ‘Last Saved By’ field stores the current Microsoft Word user. This information is updated every time the document is saved, but the ‘Author’ data remains the same. When a file is printed a ‘Last Print’ date and time is recorded. Depending on the version of Microsoft Office you may occasionally find the make and model of the printer used in plain text. This can be useful in determining whether a document was printed from a certain place.

    You may know this already or wonder why this is relevant. Take the following examples.

    A document has an NTFS creation date of 30th July 2009 but a Microsoft Word ‘Create Date’ of 12th February 2009. The ‘Author’ and ‘Last Saved By’ fields show ‘Ted’. The ‘Last Revised Date’ and ‘Last Print Date’ for the document both show 13th February. What does this information tell us about a document saved on the hard drive of Bill’s computer? It tells us that maybe he didn’t put it there.

    Another document has a Word ‘Create Date’ showing some time after both the creation date saved by the NTFS file system and the ‘Last Print Date’ recorded by Microsoft Word. This shows that another document has been saved over an existing document. As a result it is not possible to determine exactly what was printed. The document as it exists now is probably not the document that was printed.

    A further document has a ‘Create Date’ of 1st March 2009 but a ‘Last Revised Date’ of 24th February 2009 and a ‘Last Printed Date’ of 22nd February 2009. How can this happen? The document was likely created from an existing older document that had previously been printed, and inherited a number of its properties.
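The checks described in the three examples above, as an added worked example that is not part of the original post. It assumes the modern .docx (OOXML) package rather than the binary .doc format, and maps the article's field names onto the core properties Word stores in docProps/core.xml (dc:creator = Author, cp:lastModifiedBy = Last Saved By, dcterms:created = Create Date, dcterms:modified = Last Revised Date, cp:lastPrinted = Last Print Date); the sample documents are constructed to mirror the article's scenarios.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
# Namespaces of docProps/core.xml in a .docx; read a real one with zipfile.ZipFile(p).read("docProps/core.xml").
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

def _when(iso):
    """Parse a W3CDTF stamp such as 2009-02-12T09:00:00Z; treat a missing zone as UTC."""
    if not iso:
        return None
    d = datetime.fromisoformat(iso.replace("Z", "+00:00"))
    return d if d.tzinfo else d.replace(tzinfo=timezone.utc)

def parse_core(core_xml):
    """Pull the fields the article discusses out of a core.xml document."""
    root = ET.fromstring(core_xml)
    text = lambda p: getattr(root.find(p, NS), "text", None)
    return {
        "author": text("dc:creator"),
        "last_saved_by": text("cp:lastModifiedBy"),
        "created": _when(text("dcterms:created")),
        "last_revised": _when(text("dcterms:modified")),
        "last_printed": _when(text("cp:lastPrinted")),
    }

def anomalies(meta, ntfs_created_iso):
    """Date orderings that need explaining before the document is relied on as evidence."""
    ntfs = _when(ntfs_created_iso)
    c, m, p = meta["created"], meta["last_revised"], meta["last_printed"]
    out = []
    if c and c < ntfs:
        out.append("word_created_before_ntfs_created")  # file copied in from elsewhere?
    if c and c > ntfs:
        out.append("word_created_after_ntfs_created")   # saved over an existing file?
    if m and c and m < c:
        out.append("revised_before_created")            # inherited from an older document?
    if p and c and p < c:
        out.append("printed_before_created")
    return out

def sample_core(author, created, modified, printed):
    """Constructed core.xml for testing; not taken from any real document."""
    return (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" xmlns:dcterms="{NS["dcterms"]}">'
            f'<dc:creator>{author}</dc:creator><cp:lastModifiedBy>{author}</cp:lastModifiedBy>'
            f'<dcterms:created>{created}</dcterms:created><dcterms:modified>{modified}</dcterms:modified>'
            f'<cp:lastPrinted>{printed}</cp:lastPrinted></cp:coreProperties>')
```

Each flag is a question to answer from other evidence, not a conclusion; an empty list only means the embedded dates are consistent with the file system dates.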

    It is of course possible for a user to modify their user name. An investigator would then have to determine the likelihood of a user having sufficient knowledge to make such changes. This can be determined by seeing what programs have been installed and used, where the user has saved files, and whether there is anything hinting at a more experienced user (I have seen computers with more than one anti-virus program running permanently. This could be the result of paranoia or a less than full understanding of how such programs work).

    Now imagine having completed a computer investigation without looking for this information. An expert hired by the defence team then examines your findings and the disk images and finds this information. All of a sudden doubt can be cast over your work, which previously appeared to be quite convincing. The fact that you missed this information doesn’t help your own reputation either.

    I have had cases where apparent guilt was turned on its head as a result of investigating Microsoft Office embedded data. I have seen documents created before they existed on a suspect’s computer. I have seen documents printed before they were created or edited by Microsoft Word.

    This information can potentially confuse an investigation. It can make or break a case and determine whether someone has been the perpetrator of a crime or not.

    Testing of this is easy and of extreme importance. I would recommend that any forensic investigator take a few minutes to test embedded Microsoft Office data. Only then can you say with any authority that dates and times show in a specific order because of specific events. This embedded data can make all the difference to your investigation, and looking a little bit closer can provide a more complete picture, whatever that complete picture shows.

3 Responses so far.

  1. Joe Garcia says:

    Great write up Simon. It is always the easy things that get passed up that can do the most damage to a case. What do you use for examining the Metadata of Office docs?

  2. Ken Pryor says:

    Excellent article Simon. Do you use a separate metadata exam program? If so, what one do you use? I plan to purchase Payne Metadata Assistant soon.
    KP

  3. Jan Capo says:

    Great article, Simon… I need to ensure my ‘theory’ for tomorrow’s hearing and found everything here. Thumbs up!
