Whether you are a computer forensics examiner or a litigation support professional you should be aware of the hidden information inside Microsoft Word documents. Metadata is hidden data which reveals when a document was created, saved, printed, last 10 authors/locations and several other characteristics. It is easy to understand that during a computer forensic exam or the discovery phase of a litigation metadata can play an important role. Metadata can assist with an evidence timeline and identify those who touched the evidence. All Microsoft Office documents contain metadata and there are dozens of other file types which also store valuable information about the file. These topics will be covered in a different article. Many people think of emails when metadata is mentioned. It is important to note that the fields in an email (i.e. 'To', 'From', 'Subject' etc.) are actually database fields and not the same as the hidden information contained in other file types. WHAT IS FILE SYSTEM METADATA? - Before we discuss the internal metadata of Microsoft Office documents it is important to understand there is also file system metadata associated with Microsoft Office documents. File system metadata is independent of the Microsoft Office metadata and is stored in the FAT (File Allocation Table) which is similar to a table of contents for the operating system (i.e. .Microsoft Windows). When this data is altered through a copy process it is often referred to as 'spoliation' in a legal case. Spoliation can cause important evidence to be thrown out when it is argued the files were altered during collection. When collecting files from a custodian machine during a document production it is important to preserve all aspects of the original file. Unfortunatley, simply copying files in Windows will alter file timestamps and metadata. Pinpoint Labs created a program called SafeCopy that allows users to copy files to a new location without altering metadata. The folowing paragraph contains a list of the common metadata fields contained in a Microsof Word document. MICROSOFT WORD METADATA FIELDS - File Name, Title, Author, Comments, App Name, Version Date, Created Date, Last Printed, Date Last Saved, Total Edit Time, Template, Shared, Subject, Category, Company, Keywords, Manager, Last Saved By, Word Count, Page Count, Paragraph Count, Line Count, Character Count, Chars, Byte Count, Presentation Format, Slide Count, Note Count, Hidden Slides, Multimedia Clips, Last 10 Authors, Routing Slip, Track Changes, Fast Saves, Hidden text, Graphics, Hyperlinks, Document Variables, Include Fields. Pinpoint Labs developed a free tool called Metaviewer which displays both the file system metadata and internal metadata for several file types. Metaviewer also calculates hash values for MD5, SHA-1 and SHA-256. Metaviewer is a great tool for forensic examiners and litigation support professionals. You can download a free copy of Metaviewer from Pinpoint Labs website.
Article Source: http://www.christiannotepad.com
About the author: Jon Rowe is the President of Pinpoint Labs and a Certified Computer Examiner. To learn more about Pinpoint Labs click herePinpoint Labs Website - Computer Forensics Software and Services Don't reprint this article. Instead, reprint a free unique content version of this same article.
Watch Videos
Copy Right © 2006 christiannotepad.com All Right Reserved Use of our service is protected by our Privacy Policy and Terms of Service Subscribe Feed Contact Us
