Microsoft Office document forensics, original author?
August 2, 2012 10:54 AM

Microsoft Office forensics: Is there any way to discover the true original creator (or pinpoint a machine or login, maybe) of a Microsoft Office 2007 document after it's been moved around and edited--AND the author field under the document's properties within Office was only listed as "Generic"?
posted by Ky to Technology (10 answers total)
 
I would start by listing the document properties via VBA which are found in Document.BuiltInDocumentProperties. There may be something hiding in there. Here's some sample code that "inserts a list of built-in properties at the end of the active document."

If you need to know how to get started with VBA, there are lots of instructions out there like this one for 2010.
posted by beyond_pink at 11:03 AM on August 2, 2012


Describe your environment. Are you using Active Directory? Are you able to remotely access all the PCs in your domain/workgroup? Are you using Windows 7 with document recovery turned on?

And how was the file moved? Do you suspect it was moved by the owner? If so, you could check the security permissions on the file and navigate to the owner tab.
posted by samsara at 1:37 PM on August 2, 2012


Response by poster: Windows XP Pro, and we think the document originated from one laptop that has since been sent to another (unknown) user.

Basically, the original author A created the XLS on laptop Y and sent copies via Outlook email to employee B, who saved it to laptop Z, which is still in our possession, but laptop Y has gone elsewhere in the company and we don't know where (would that be useful to track down?).

Employee B has claimed authorship of the document, while A claims otherwise. The "author" field in MS Office is useless because it can be changed. When I look at the basic metadata columns in Windows Explorer for this file, I don't understand the difference between "owner" and "author"--the "author" is listed incorrectly as "Generic" and the owner is listed as employee B, which doesn't jibe with our understanding of the situation.

I'll look into the VBA if we must... TIA
posted by Ky at 1:52 PM on August 2, 2012


Response by poster: So I found a copy of the file in question on B's laptop hard drive listing B as the 'owner' and 'Generic' as the author (useless). Then I found a copy on our server that lists A as the owner and 'Generic' as the author. Hmm.
posted by Ky at 2:15 PM on August 2, 2012


Can you check your email server to confirm that A did indeed email a copy of the document to B on whatever date? Would that disprove B's version of events?
posted by russm at 3:02 PM on August 2, 2012


Response by poster: Unfortunately the exchange happened last year and any stored emails since then would have been purged. We're hoping IT might have dated backups so are also pursuing that avenue. Sheesh! You can't trust anyone these days.
posted by Ky at 3:04 PM on August 2, 2012


I don't know Windows, but I'm guessing that "Owner" is the last person to have edited the file. If that's the case, what are the created and last-modified time stamps on the server file with A as the owner?
posted by russm at 3:59 PM on August 2, 2012


Another tack, though not at all conclusive, would be to have the parties recreate the spreadsheet from memory. There are a lot of ways people leave their stamp on things. Maybe there's some formula that A would write one way and B another. Little things like that can add up.
posted by ifandonlyif at 4:47 PM on August 2, 2012


Response by poster: The created time stamp is inconclusive, unfortunately, because I think copying/moving the file to a new drive alters the created date, and the created date would be most useful from A's old laptop (Y) which is no longer in our possession; even if we did hunt it down to a new user, A may have wiped it prior to returning it to IT anyway. But we may still try this avenue if absolutely all else fails and it turns out we really need the information.

Well, we might be able to dig up something more without Y since we found old PST and OST files on Z that appear to be created/edited during the relevant dates. An Outlook .msg would be the smoking gun.

I just wish there were better ways to pin down digital forensics in cases like this.

Let this be a lesson: You may trust your coworkers, but keep records of everything you do anyway.
posted by Ky at 9:29 PM on August 2, 2012


Response by poster: (Oh, and I doubt anyone could recreate the spreadsheet, as it's used to store data in thousands of rows/columns. It's an interesting idea, though, especially if it were a formulaic sheet.)
posted by Ky at 9:30 PM on August 2, 2012

