
File Header for Word Documents - Dates & Times

novadonuk
(@novadonuk)
Posts: 26
Eminent Member
Topic starter
 

Hi,

I'm looking into a possible email harassment case. And the email seems to have been edited in a Word package.
The question is, can I possibly extract the date from the file header or not? As this is the major point I need help with …

Look forward to receiving some feedback, Cheers.

ps, only have access to a DVD not HDD

 
Posted : 24/05/2006 2:11 pm
 samr
(@samr)
Posts: 119
Estimable Member
 

That is simply the file identifier, which identifies the file as a Microsoft Office/Visio file; that alone has no date or time information. Two things you could try:

1) Look for the footer F4 39 B2 71 (00 00) and reconstruct the file simply examining the metadata contained.

2) If only a slither of information is still present then you may have to manually go through the hex looking for remaining metadata.

 
Posted : 24/05/2006 3:30 pm
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

Extract MetaData for the word document.

 
Posted : 24/05/2006 5:35 pm
novadonuk
(@novadonuk)
Posts: 26
Eminent Member
Topic starter
 

Can you explain how I interpret the metadata please? I am interested specifically in creation and modification dates for a raw file recovered during a header search. Is this data in a particular format, and if so where would I expect to see it, as part of the header, footer or somewhere else?

Regards

 
Posted : 24/05/2006 5:42 pm
 samr
(@samr)
Posts: 119
Estimable Member
 

Well, the time stamps associated with files are slightly different; such information is held within the MFT (assuming NTFS). Assuming it's a file, then you would need to backtrack the location to the MFT.

In terms of metadata of Word documents, this includes creation date, last saved time, revision information etc. Something like Metadata Assistant should be able to help you easily interpret this.

 
Posted : 24/05/2006 5:58 pm
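
Added example, not part of any post in this thread: in the binary Word format the creation and last-saved dates discussed above live in the SummaryInformation property set as 8-byte FILETIME values, and that property set can be located in carved data by its format identifier. The sketch below scans a raw buffer for that identifier and decodes the dates; the function names are hypothetical, the sample bytes are constructed, and it assumes the property-set stream is contiguous in the recovered data (small streams are stored in 64-byte mini-sectors that can be scattered).

```python
import struct
from datetime import datetime, timedelta, timezone

# FMTID_SummaryInformation {F29F85E0-4FF9-1068-AB91-08002B27B3D9}, on-disk byte order
FMTID_SUMMARY = bytes.fromhex("e0859ff2f94f6810ab9108002b27b3d9")
VT_FILETIME = 0x0040
DATE_PIDS = {0x0B: "last_printed", 0x0C: "created", 0x0D: "last_saved"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def summary_dates(buf):
    """Scan raw bytes for SummaryInformation property sets; return their dates."""
    hits, pos = [], buf.find(FMTID_SUMMARY)
    while pos != -1:
        stream, found = pos - 28, {}   # FMTID sits 28 bytes into the stream header
        if stream >= 0 and buf[stream:stream + 2] == b"\xfe\xff" and pos + 20 <= len(buf):
            base = stream + struct.unpack_from("<I", buf, pos + 16)[0]  # property set
            count = struct.unpack_from("<I", buf, base + 4)[0] if base + 8 <= len(buf) else 0
            for i in range(min(count, 64)):   # cap guards against junk counts
                entry = base + 8 + 8 * i      # (property id, offset) pairs
                if entry + 8 > len(buf):
                    break
                pid, off = struct.unpack_from("<II", buf, entry)
                if pid not in DATE_PIDS or base + off + 12 > len(buf):
                    continue
                vtype, ticks = struct.unpack_from("<H2xQ", buf, base + off)
                # zero is treated as unset; the cap keeps results inside datetime's range
                if vtype == VT_FILETIME and 0 < ticks < 2**61:
                    found[DATE_PIDS[pid]] = filetime_to_utc(ticks)
        if found:
            hits.append((stream, found))
        pos = buf.find(FMTID_SUMMARY, pos + 1)
    return hits

def constructed_sample():
    """Constructed input: filler bytes around a minimal SummaryInformation stream."""
    ft = lambda *d: (datetime(*d, tzinfo=timezone.utc) - EPOCH_1601) // timedelta(microseconds=1) * 10
    values = struct.pack("<H2xQH2xQ", VT_FILETIME, ft(2006, 5, 20, 9, 15), VT_FILETIME, ft(2006, 5, 23, 18, 40))
    pset = struct.pack("<IIIIII", 48, 2, 0x0C, 24, 0x0D, 36) + values
    header = b"\xfe\xff" + bytes(26) + FMTID_SUMMARY + struct.pack("<I", 48)
    return b"\x00" * 100 + header + pset + b"\xff" * 50

if __name__ == "__main__":
    for offset, dates in summary_dates(constructed_sample()):
        print(hex(offset), {k: v.isoformat() for k, v in dates.items()})
```

These are the dates the authoring application wrote into the document, reported in UTC; they are separate from the file system time stamps mentioned in the post above.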
manuld
(@manuld)
Posts: 15
Active Member
 

Do you have the word document or the email message? What type of email package is it?

If you have the document try here

http://cert.uni-stuttgart.de/archive/bugtraq/2002/11/msg00206.html

 
Posted : 24/05/2006 8:17 pm
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

I have used metadata asst. successfully in the past. The output is reader friendly.

Please note that there are also programs that support metadata removal. Hopefully that was not run on the doc.

 
Posted : 24/05/2006 10:01 pm
(@rkamens)
Posts: 36
Eminent Member
 

deleted

 
Posted : 25/05/2006 3:09 am
novadonuk
(@novadonuk)
Posts: 26
Eminent Member
Topic starter
 

Hey guys, and gals.

Thanks for ya help. Eventually I was able to use a program called Catalogue Metadataminer; it interrogated 10 files at a time, but there was only one that needed interrogating. Through extracting the information from the disk to a new Word document, the metadata was still intact and produced good results, it seems.

So thanks again,

Cheers.

 
Posted : 16/06/2006 12:38 pm