Computer Investigations Computer Forensics Expert

Sanderson Forensics were contacted by a forensic company to provide a second opinion regarding the provenance of a Microsoft Word document that was central to a multi-million-pound civil action.

In summary the salient points in the case were:

  • Company A claimed to have sent a fax to company B in March to renew a contract

  • Company B claimed not to have received it

  • Company A had instructed company C (a forensic company) to examine the computer from which the fax was sent

  • Company C had examined the computer and the Word ‘Meta Data’ and declared that the fax was genuine

  • Company A started litigation based on this examination

  • Sanderson Forensics were instructed to examine the computer on behalf of company C and provide a second opinion.


    Sanderson Forensics were provided with a full forensic image of the computer hard disk drive and proceeded to examine the data. On initial examination the Word document appeared to be genuine: the metadata (the dates and times embedded within the document itself) matched the dates and times maintained by the operating system, Microsoft Windows.

    This match of the obvious data is what had led company C to declare that the provenance of the document was not in doubt, and would normally be the end of most forensic investigations.

    At Sanderson Forensics we looked deeper.

    A keyword search for the document by file name resulted in numerous ‘hits’ on file names that matched the name of the original fax. Some of these search hits were in a file called offitems.log. Investigation revealed that some binary data near the file name appeared to be digitally encoded dates. Further research showed that this file maintained the Microsoft Office Journal, a log maintained by Microsoft Outlook that records when various Microsoft Office files (including Word documents) are opened and closed.

    The content of this file was in a format that was not known to the forensic community. We reverse engineered the internal file format of the offitems.log file and wrote a program to decode the data and present it in tabular form.

    The offitems.log file contained a listing of the last 500 Microsoft Office objects (Word documents, Excel spreadsheets and Outlook email) that had been opened on the computer, along with the date and time that the files had been opened and closed.

    The entries in the table that were not relevant to the investigation all seemed to make sense, i.e. a document would be opened at, say, 1030 in the morning and closed, say, 20 minutes later. For the fax that we were investigating, however, the recorded dates and times often made no sense, and in one instance the fax appeared to have been opened some 30 days after it was closed. The first of these dates (the date the fax was saved) was in March.

    Although it was not possible to say that the fax was created in April and the computer clock adjusted to make it appear that the fax was created in March, this scenario would explain the discrepancy. Clearly the document could not be relied upon.
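    As an added illustration (not Sanderson Forensics' decoder or code), the Python sketch below runs the kind of consistency check described above over journal entries that have already been decoded. The record layout, file names, dates and the assumption that entries are logged in chronological order are constructed for the example; the binary format of offitems.log is not reproduced here.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample rows, as they might look AFTER decoding the journal.
# (log order, document, opened, closed) -- layout and values are assumptions.
ROWS = [
    (1, "budget.xls",      "2007-04-10 09:05", "2007-04-10 09:40"),
    (2, "renewal_fax.doc", "2007-03-12 10:30", "2007-03-12 10:50"),
    (3, "minutes.doc",     "2007-04-10 11:15", "2007-04-10 11:35"),
    (4, "renewal_fax.doc", "2007-04-11 14:05", "2007-03-12 14:00"),
    (5, "letter.doc",      "2007-04-11 15:00", "2007-04-11 15:20"),
]


def parse(ts):
    return datetime.strptime(ts, FMT)


def find_anomalies(rows, max_session=timedelta(hours=24)):
    """Return (seq, document, reason) for entries with inconsistent times."""
    findings = []
    latest = None  # latest timestamp seen in any earlier entry
    for seq, doc, opened_s, closed_s in sorted(rows):
        opened, closed = parse(opened_s), parse(closed_s)
        # A file cannot be closed before it was opened.
        if closed < opened:
            findings.append((seq, doc, "closed_before_opened"))
        # A session far longer than a working day deserves a second look.
        elif closed - opened > max_session:
            findings.append((seq, doc, "overlong_session"))
        # Assumption: entries are written in chronological order, so an entry
        # lying wholly before earlier entries suggests the clock was set back.
        if latest is not None and max(opened, closed) < latest:
            findings.append((seq, doc, "predates_earlier_entries"))
        latest = max(opened, closed) if latest is None else max(latest, opened, closed)
    return findings


if __name__ == "__main__":
    for seq, doc, reason in find_anomalies(ROWS):
        print(f"entry {seq}: {doc}: {reason}")
```

    A flagged entry shows only that the recorded times are inconsistent; as in the case above, it does not by itself establish when the document was really created.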

    Litigation ceased on production of our report.


    © 2008 Sanderson Forensics Ltd - Computer Forensics Investigations