Whether you are a computer forensics examiner or a litigation support professional you should be aware of the hidden information inside Microsoft Word documents. Metadata is hidden data which reveals when a document was created, saved, printed, last 10 authors/locations and several other characteristics.
Since files are potential evidence and the timeline of events as well as what happen to the evidence is important it is easy to understand how metadata can help win or lose a case depending on whether or not the files belong to your client and what they contain.
All Microsoft Office documents contain metadata and there are dozens of other file types which also store valuable information about the file. These topics will be covered in a different article.
In a legal case many think of emails when referring to metadata. Often the fields (i.e. 'To', 'CC', 'From', 'Date Sent' etc.) are referred to as metadata. Actually, these are database fields as oppose to the hidden information in files.
In addtion to Microsoft office Word metadata there is file system metadata. File system metadata is stored outside of the Microsoft Word.
File system metadata is stored in the File Allocation Table (FAT). When viewing files in Windows Explorer the dates, times, size of the file is the file system metadata.
Spoliation in a legal case often refers to files where the file system metadata has been altered during the copy process.
When collecting files from a custodian machine during a document production it is important to preserve all aspects of the original file. Unfortunatley, simply copying files in Windows will alter file timestamps and metadata. Pinpoint Labs created a program called SafeCopy that allows users to copy files to a new location without altering metadata.
The following list represents a collection of the hidden information in a Microsoft Word document:
MICROSOFT WORD METADATA FIELDS- Last Saved By, Word Count, Page Count, Paragraph Count, Line Count, Character Count, Chars, Byte Count, Presentation Format, Slide CountNote Count, Hidden Slides, Multimedia Clips, Last 10 Authors, Routing SlipTrack Changes, Fast Saves, Hidden text, Graphics Hyperlinks, Document Variables, Include Fields, File Name, Title, Author, Comments, App Name, Version Date, Created Date, Last Printed, Date Last Saved, Total Edit Time, Template, Shared, Subject, Category, Company, Keywords, Manager.
Pinpoint Labs developed a free tool called Metaviewer which displays both the file system metadata and internal metadata for several file types. Metaviewer also calculates hash values for MD5, SHA-1 and SHA-256. Metaviewer is a great tool for forensic examiners and litigation support professionals. You can download a free copy of Metaviewer from Pinpoint Labs website.
By: Jon Rowe.