Sample Practical Exercise Answers

    Demo 1 is a simple practical exercise that simulates a common document-authentication issue that a forensic examiner may encounter. It is based on actual cases in which testimony was provided.


    The examination disclosed that the "C.doc" had been backdated and the examiner was willing to testify to that effect.

    Actions, Results and Conclusions:


    The first thing noted was that the Volume Label "DEMO-1" was created 9/28/02 at 5:46 PM. There were 4 MS Word documents located on the diskette. They were:


    File      Last Accessed   Last Written        Created
    "A.doc"   10-01-02        9-28-02 4:54 PM     10-01-02 5:15:02 PM
    "B.doc"   10-01-02        9-29-02 4:54 PM     10-01-02 5:14:58 PM
    "C.doc"   10-01-02        8-28-02 5:06 PM     10-01-02 5:15:00 PM
    "D.doc"   10-01-02        9-30-02 5:10 PM     10-01-02 5:14:56 PM



    First issue - since we only have a floppy diskette and not the computer on which we could check the system clock for accuracy, how can we be sure that the system clock was not failing and supplying bad or incorrect date information? We are not going to give up our "secrets" here, but in our training course we cover methods that frequently work to establish the accuracy of the system clock without examining the computer. In this instance, the accuracy was established.

    One curious issue is that the files were last accessed and created after they were last written to. How could that be? Directory entry dates are notoriously unreliable. A trained examiner will know when to rely on these dates and when not to. Again, we discuss date and time stamps during our training course, and again in this instance there is a verifiable explanation for why this occurred.

    The strongest indication of the authenticity of "C.doc" comes from examining the compound document (sometimes called "metadata") information contained within the document, rather than relying solely on one or more of the more volatile indicators. MS Word documents store a lot of information within the document that is not normally visible to a user. One method to access this information is through the "Properties" tab on a document. Using the "Properties" information and other software that goes deeper than the "Properties" information, we were able to establish that "A.doc" was created as an original document on 9-28-02 at 4:52 PM and last saved at 4:54 PM. We were able to establish that "B.doc" was a revision of "A.doc" created on 9-29-02 at 4:54 PM and saved at 4:54 PM. We were able to establish that "C.doc" was a revision of "B.doc" and was backdated approximately 44,638 minutes to 8-28-02 at 5:04 PM. We were also able to establish that "D.doc" was a revision of "B.doc" created and last saved on 9-30-02 at 5:10 PM.

    Based upon the establishment of the system clock's accuracy, the explanation for the Created/Accessed dates being later than the Last Written date, and the compound document data, we concluded that the "C.doc" file was backdated. Did you reach the same conclusion from the same strong indicators? If not, our training courses could teach you how.
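    As an added example (not part of the original exercise or the authors' own tools), the following Python decodes the two timestamp encodings involved, the packed FAT directory-entry fields and the FILETIME values in a Word document's SummaryInformation stream, and applies the consistency checks discussed above to constructed sample values. The revision relationship between documents is supplied as an input here rather than recovered from the files.

```python
"""Cross-check FAT directory-entry timestamps against the create/last-saved
timestamps embedded in a Word document's SummaryInformation stream.
All sample values below are constructed for illustration."""
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)

def fat_datetime(date16: int, time16: int) -> datetime:
    """Decode packed FAT fields: date = 7-bit years since 1980 | 4-bit month |
    5-bit day; time = 5-bit hour | 6-bit minute | 5-bit two-second count."""
    return datetime(1980 + (date16 >> 9), (date16 >> 5) & 0x0F, date16 & 0x1F,
                    time16 >> 11, (time16 >> 5) & 0x3F, (time16 & 0x1F) * 2)

def filetime_datetime(ft: int) -> datetime:
    """Decode a Windows FILETIME (100-ns ticks since 1601-01-01), the encoding
    SummaryInformation uses for its create and last-saved properties."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def to_filetime(dt: datetime) -> int:
    """Inverse of filetime_datetime; used here only to build sample values."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def check_document(name, fat_created, fat_written, meta_created, meta_saved,
                   parent=None):
    """Return findings for one file. `parent` is (name, last_saved) of the
    document this one is known to be a revision of; a revision cannot carry
    an embedded timestamp earlier than the document it was derived from."""
    findings = []
    if fat_created > fat_written:  # needs explaining; not proof of tampering
        findings.append(f"{name}: directory create stamp is after last write")
    if meta_saved < meta_created:
        findings.append(f"{name}: metadata last-saved precedes its create time")
    if parent is not None and meta_saved < parent[1]:
        gap = (parent[1] - meta_saved) // timedelta(minutes=1)
        findings.append(f"{name}: saved {gap} minutes before parent {parent[0]};"
                        " clock was set back when it was saved")
    return findings

def analyse_sample():
    """Constructed sample modelled on the C.doc scenario (values invented)."""
    b_saved = datetime(2002, 9, 29, 16, 54)             # from B.doc's metadata
    c_created = to_filetime(datetime(2002, 8, 28, 17, 4))   # C.doc FILETIMEs
    c_saved = to_filetime(datetime(2002, 8, 28, 17, 6))
    return check_document("C.doc",
                          fat_created=fat_datetime(0x2D41, 0x89E1),  # 10-01-02 5:15:02 PM
                          fat_written=fat_datetime(0x2D1C, 0x88C0),  # 8-28-02 5:06 PM
                          meta_created=filetime_datetime(c_created),
                          meta_saved=filetime_datetime(c_saved),
                          parent=("B.doc", b_saved))
```

    Note that the directory write time and the embedded save time agree with each other in the sample, because both were written under the same altered clock; it is the comparison against the parent document that exposes the backdating.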
