Time stamp forgery detection

If given .docx and .pdf files without underlying access to the filesystem they were created on (HFS), is it possible to detect forged timestamps, or anything within the file itself that would give an indication?

Thank you.

Yes. When examining a file in isolation, one would focus on inconsistencies within the file such as problems with timestamp resolution, conflicting timestamps from different areas of the file, internal metadata & structures that do not agree with the apparent date of the document, etc.

It is hard to be conclusive and tell the whole story by examining the file only, but there is still a lot of value there. I suspect that many investigations start this way, and open up once the identified red flags are leveraged to get broader access. It would be great to start an investigation with forensic images of all systems that touched the file, but that’s rarely the case in my experience :man_shrugging:


Thank you, what software can be used to do this? Specifically timestamp resolution.
Would changing the system clock when producing said file get around the resolution issue?

Timestamp resolution issues typically revolve around discrepancies between timestamps altered via external tools or manually, and timestamps that would have been recorded by the apparent creator/modifier application. So, producing the file with the apparent application on a system with a modified clock should work around resolution issues. That said, it can introduce other discrepancies.

As far as tools go, I would recommend low-level tools. For instance, a hex editor, SSView, OffVis, etc., if you were examining a file in Compound File Binary Format.

Would you be able to expand on the other discrepancies that might be introduced?

Here is a simple and famous example:

This is an obvious discrepancy that could be detected visually, even in a printed document.

On the other hand, a complex file type, such as a file in Compound File Binary Format, records numerous data points that would be in agreement with each other in a legitimate document. If a suspect backdates their system and modifies such a document while the rest of their system (e.g., OS, fonts, editing application version, etc.) is not time correct, they can introduce data points into the document that do not jibe with the apparent date of the forged document.

You can find a brief overview of what some of these data points look like in a Word document here:

Word Forensic Analysis and Compound File Binary Format – Meridian Discovery


Here is some further reading regarding the relevant Microsoft data structures for anyone interested:

[MS-DOC]: Word (.doc) Binary File Format | Microsoft Learn
[MS-XLS]: Excel Binary File Format (.xls) Structure | Microsoft Learn
[MS-OSHARED]: Office Common Data Types and Objects Structures | Microsoft Learn
[MS-CFB]: Compound File Binary File Format | Microsoft Learn
[MS-OLEPS]: Object Linking and Embedding (OLE) Property Set Data Structures | Microsoft Learn
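
The file-only checks discussed in this thread (timestamp resolution, conflicting timestamps from different areas of the file), applied to the .docx case from the original question. This is an added example, not part of any post above: a .docx is a ZIP container whose `docProps/core.xml` carries the created and modified values, and the function names, the 60-second expected resolution (to be taken from known-good files saved by the apparent application) and the 24-hour time-zone slack are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

DCTERMS = "{http://purl.org/dc/terms/}"
CORE_NS = ('xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
           'xmlns:dcterms="http://purl.org/dc/terms/"')

def _w3cdtf(text):
    # core.xml stores W3CDTF values such as 2019-03-04T10:15:00Z
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))

def docx_timestamp_flags(data, resolution_s=60, tz_slack=timedelta(hours=24)):
    """List internal timestamp inconsistencies in a .docx given as bytes."""
    flags = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
        created = _w3cdtf(root.findtext(DCTERMS + "created"))
        modified = _w3cdtf(root.findtext(DCTERMS + "modified"))
        if created > modified:
            flags.append("created is later than modified")
        for name, ts in (("created", created), ("modified", modified)):
            # Assumption: the apparent application records whole multiples of resolution_s
            if (ts.second + ts.microsecond / 1e6) % resolution_s:
                flags.append(f"{name} is finer than expected resolution: {ts.isoformat()}")
        for info in zf.infolist():
            # ZIP entry times carry no time zone, so compare with some slack
            member = datetime(*info.date_time, tzinfo=timezone.utc)
            if member - tz_slack > modified:
                flags.append(f"{info.filename} packaged {member:%Y-%m-%d}, after modified")
    return flags

def build_sample(created, modified, member_time):
    # Constructed sample: a minimal .docx-like container, not a real document
    core = (f"<cp:coreProperties {CORE_NS}>"
            f"<dcterms:created>{created}</dcterms:created>"
            f"<dcterms:modified>{modified}</dcterms:modified></cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in (("docProps/core.xml", core), ("word/document.xml", "<doc/>")):
            zf.writestr(zipfile.ZipInfo(name, date_time=member_time), body)
    return buf.getvalue()

if __name__ == "__main__":
    suspect = build_sample("2019-03-04T10:15:27Z", "2019-03-04T10:02:00Z", (2021, 6, 9, 8, 30, 0))
    for flag in docx_timestamp_flags(suspect):
        print(flag)
```

Each flag is a lead to corroborate against other data points in the file, not a conclusion on its own.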