Notifications
Clear all

Meta Data

18 Posts
5 Users
0 Likes
1,346 Views
techmerlin
(@techmerlin)
Posts: 62
Trusted Member
Topic starter
 

Quick question, what are some reasons why an Excel Spreadsheet (.xls) would be showing the last modified date and time before the files created time in the files Meta Data.

Is it possible this file modified but not saved, or saved as a different file?

Thanks

 
Posted : 15/09/2005 12:35 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Is it possible this file modified but not saved, or saved as a different file?

Have you tried testing this out? You know, create an Excel spreadsheet, and then modify it without saving it, and saving it as a different file. Have you tried this?

As far as you initial question, I haven't seen anything like this before. I'll ask around.

H. Carvey
"Windows Forensics and Incident Recovery"
http//www.windows-ir.com
http//windowsir.blogspot.com

 
Posted : 15/09/2005 12:44 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Some thoughts on why this sort of situation would occur…

If the spreadsheet had been created on another system, or the system time had been modified, this might have occurred.

Did you pull the rest of the metadata from the spreadsheet…like the last 10 authors?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 15/09/2005 12:52 am
techmerlin
(@techmerlin)
Posts: 62
Trusted Member
Topic starter
 

I did some testing after the post and here is what I came up with.

I created a spreadsheet on a machine with the current date and time. I then moved it to another machine I had modified the date to January 1 2003. I then checked the Meta Data and it showed today's date as it was on the original machine. I then modified the spreadsheet and saved it again, now what I had was a modified date of Jan 1 2003 and a created date September 14 2005.

So I guess it can be done, as for your comment on the last 10 authors, I am lost on that one, can you share your knowledge on how I could find the author 10 edits ago?

Thanks

 
Posted : 15/09/2005 6:04 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Sure…it's covered in my book, but the basics of it can be found here

http//www.computerbytesman.com/privacy/blair.htm

There's some info from MS here

http//office.microsoft.com/en-us/assistance/HA011400341033.aspx

Basically, the "last 10 authors" is part of the information stored in the document…the "document" referring to an OLE structured storage file like MS Office documents.

There's a script on the CD that comes with my book that pulls metadata from Word documents…minor modifications will allow you to get the same stuff from Excel spreadsheets.

I've also found that the tool Metadata Assistant works pretty well. Have you given that one a shot?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 15/09/2005 2:49 pm
techmerlin
(@techmerlin)
Posts: 62
Trusted Member
Topic starter
 

Harlan,

I came across your book late last night and look forward to reading it in the future. I read a post on a different site once about Metadata Assistant and it sounds good. Have any of these tools stood up in court?

Are there any other ones available that you know are reliable?

Thanks

 
Posted : 15/09/2005 6:59 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Reliable and standing up in court tend to be two separate issues.

Most of the tools I've seen will reliably pull the information from the file. You can also run strings.exe, looking specifically for Unicode strings, or FoundStone's BinText. Either way, you'll see the same information within the file as you see with Metadata Assistant and other tools.

As far as standing up in court, I can't say that I've seen where they've been questioned.

Why not focus on the process, rather than the specific tool? After all, if you can show that your process is sound, what does it matter which tool you use?

H. Carvey
"Windows Forensics and Incident Recovery"
http//www.windows-ir.com
http//windowsir.blogspot.com

 
Posted : 15/09/2005 8:35 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

You can use a hex viewer as well. There's a date/time converter available for free from digital detective.

 
Posted : 16/09/2005 12:57 am
sachin
(@sachin)
Posts: 28
Eminent Member
 

Please let me know the site for downloading Internet Activity Analyser "PASCO". Since i will be Installing it on Windows2K..are any special instructions to follow?

 
Posted : 16/09/2005 3:04 pm
(@jonathan)
Posts: 878
Prominent Member
 

Please let me know the site for downloading Internet Activity Analyser "PASCO". Since i will be Installing it on Windows2K..are any special instructions to follow?

There's a great new thing out there called "Google". It's a search engine!

Have you tried entering 'Internet Activity Analyser Pasco' into it?

 
Posted : 16/09/2005 4:45 pm
Page 1 / 2
Share: