Time stamp forgery detection

If given .docx and .pdf files without underlying access to the filesystem they were created on (HFS), is it possible to detect forged timestamps, or anything within the file itself that would give an indication?

Thank you.

Yes. When examining a file in isolation, one would focus on inconsistencies within the file such as problems with timestamp resolution, conflicting timestamps from different areas of the file, internal metadata & structures that do not agree with the apparent date of the document, etc.

It is hard to be conclusive and tell the whole story by examining the file only, but there is still a lot of value there. I suspect that many investigations start this way, and open up once the identified red flags are leveraged to get broader access. It would be great to start an investigation with forensic images of all systems that touched the file, but that’s rarely the case in my experience :man_shrugging:

Thank you. What software can be used to do this? Specifically timestamp resolution.
Would changing the system clock when producing said file get around the resolution issue?

Timestamp resolution issues typically revolve around discrepancies between timestamps altered via external tools or manually, and timestamps that would have been recorded by the apparent creator/modifier application. So, producing the file with the apparent application on a system with a modified clock should work around resolution issues. That said, it can introduce other discrepancies.

As far as tools go, I would recommend low-level tools. For instance, a hex editor, SSView, OffVis, etc., if you were examining a file in compound file binary format.
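The internal-consistency checks described in the replies (conflicting timestamps from different areas of the file, unexpected timestamp resolution) can be scripted for a .docx, which is a ZIP package. This is an added example, not part of the original thread; the function names are hypothetical and the sample package is constructed. It assumes the apparent authoring application writes whole-second UTC values to `docProps/core.xml` and leaves ZIP part dates at 1980-01-01, which should be confirmed against a known-good file from the same application version.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"dcterms": "http://purl.org/dc/terms/"}
ZIP_EPOCH = datetime(1980, 1, 1)  # lowest date a ZIP header can hold

def parse_w3cdtf(text):
    """Return (naive UTC datetime, True if value is not whole-second UTC)."""
    odd = "." in text or not text.endswith("Z")
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if dt.tzinfo:
        dt = dt.astimezone(timezone.utc).replace(tzinfo=None)
    return dt, odd

def docx_timestamp_flags(data):
    """Compare core.xml dates with each other and with ZIP part dates."""
    flags = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        parts = [(i.filename, datetime(*i.date_time)) for i in z.infolist()]
    created, odd_c = parse_w3cdtf(core.findtext("dcterms:created", namespaces=NS))
    modified, odd_m = parse_w3cdtf(core.findtext("dcterms:modified", namespaces=NS))
    if modified < created:
        flags.append("modified-before-created")
    if odd_c or odd_m:  # assumption: the real application writes e.g. 09:00:00Z
        flags.append("unexpected-resolution-or-offset")
    for name, written in parts:
        if written == ZIP_EPOCH:  # assumption: untouched parts carry this date
            continue
        # ZIP times are local time with no zone, so allow a day of slack.
        if written > modified + timedelta(days=1):
            flags.append(f"part-newer-than-modified:{name}")
    return flags

def build_sample(created, modified, part_time):
    """Constructed package holding only what the checks above read."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
            f'package/2006/metadata/core-properties" xmlns:dcterms="{NS["dcterms"]}">'
            f"<dcterms:created>{created}</dcterms:created>"
            f"<dcterms:modified>{modified}</dcterms:modified></cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(zipfile.ZipInfo("docProps/core.xml", (1980, 1, 1, 0, 0, 0)), core)
        z.writestr(zipfile.ZipInfo("word/document.xml", part_time), "<w:document/>")
    return buf.getvalue()
```

A flag is a lead to follow up with the low-level tools named above, not a conclusion: legitimate re-saves, conversions and transfers can also rewrite package dates.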