-
March 7th, 2004, 06:26 AM
#1
Microsoft Metadata forensics
Microsoft Word MetaData Forensics Tutorial
By SodaPopinsky
Credit-
nihil
This site http://www.computerbytesman.com/privacy/blair.htm
Attached is a zip file containing the docs necessary to complete this tutorial.
Metadata is data held by a file that contains information that is used by the program that made it. That’s not an official definition, that’s my definition. What this tutorial will do is show you one way to extract information that may prove useful to an investigation or whatever. What makes this tutorial so damn cool is that I’ll be using docs from a government about WMD in Iraq that were released to the public. Reporters used metadata to see who had access to this file, and who edited it, and someone got in trouble because of it. Let's get started…
Download the zip, extract its contents. Open blair.doc with Notepad, or another non-rich-text-format text editor. You should see a bunch of nonsense, crap characters. In order to make this into a more readable text, you can use Notepad's find / replace tool. Tell it to find spaces and replace them with nothing. Mess around with it and it will clean up. It will probably be faster to manually delete the large white spaces.
Near the bottom, you should start to see some file paths. This is what we are going to cover. In Tut2.txt, I provided a clean version of the meta. In tut3.txt, I deleted the crap around the file paths, and you can see what's important. In tut4.txt, I cleaned it up to a very readable format. So quick summary:
Open .doc with nonrich text editor
Clean up text
Find interesting info
Clean up more
Organize and investigate
So what do we have? Here are the file paths…
cic22J C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecoverysaveofIraq-security.asd
cic22J C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecoverysaveofIraq-security.asd
cic22J C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecoverysaveofIraq-security.asd
JPratt C:\TEMP\Iraq-security.doc
JPratt A:\Iraq-security.doc
ablackshaw C:\ABlackshaw\Iraq-security.doc
ablackshaw C:\ABlackshaw\A;Iraq-security.doc
ablackshaw A:\Iraq-security.doc
MKhan C:\TEMP\Iraq-security.doc
MKhan C:\WINNT\Profiles\mkhan\Desktop\Iraq.doc
What we have are a bunch of usernames, and paths. These paths represent where the users saved this document. So what does this mean???
These users all had access to the file. This is a trail. All these names took part in making this file. You can even see that ablackshaw transferred the file on a floppy disk, and MKhan uses WINNT. Turns out these people are:
Paul Hamill - Foreign Office official
John Pratt - Downing Street official
Alison Blackshaw - The personal assistant of the Prime Minister's press secretary
Murtaza Khan - Junior press officer for the Prime Minister
Just to let you know, this was a very important .doc that I attached. I got it from the site linked above.
Quote from the site-
Microsoft Word documents are notorious for containing private information in file headers which people would sometimes rather not share. The British government of Tony Blair just learned this lesson the hard way.
Back in February 2003, 10 Downing Street published a dossier on Iraq's security and intelligence organizations. This dossier was cited by Colin Powell in his address to the United Nations the same month. Dr. Glen Rangwala, a lecturer in politics at Cambridge University, quickly discovered that much of the material in the dossier was actually plagiarized from a U.S. researcher on Iraq.
Back in February, I passed along these 4 names to Dr. Rangwala who then provided them to a number of reporters in the UK. One reporter quickly identified the four individuals as:
Paul Hamill - Foreign Office official
John Pratt - Downing Street official
Alison Blackshaw - The personal assistant of the Prime Minister's press secretary
Murtaza Khan - Junior press officer for the Prime Minister
During the week of June 23, 2003, the British Parliament held hearings of the Blair Dossier and other PR efforts by the UK Government leading up to the Iraq war. Alastair Campbell of the UK Communications Information Centre was put in the hot seat and had to explain the dossier plagiarism and details of the revision log.
That's a different tutorial, huh? It’s almost like you got Alastair Campbell in trouble yourself.
Lesson:
Metadata in Word documents. They can be used to prove something, or altered to hide something. As long as you know it's there, then you have the potential to use it for good.
Thanks to-
nihil and http://www.computerbytesman.com/privacy/blair.htm
Hope you had fun
Soda
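The Notepad clean-up described in the post above can be scripted. The following Python sketch is an added example, not part of the original post or its attachments; it assumes the save history sits in the file as consecutive length-prefixed UTF-16LE strings in name/path pairs (an assumption about the layout), and its sample bytes are constructed from four entries in the post's listing rather than taken from blair.doc.

```python
import re
import struct

PATH_RE = re.compile(r"^[A-Za-z]:\\[^\x00-\x1f]+$")   # drive-letter path
NAME_RE = re.compile(r"^[\w .\-]{1,64}$")             # plausible user name

def read_lp_string(data, off):
    """Read a 16-bit length (in characters) then that many UTF-16LE chars."""
    if off + 2 > len(data):
        return None
    (cch,) = struct.unpack_from("<H", data, off)
    end = off + 2 + 2 * cch
    if cch == 0 or cch > 260 or end > len(data):
        return None
    try:
        return data[off + 2:end].decode("utf-16-le"), end
    except UnicodeDecodeError:
        return None

def extract_save_log(data):
    """Scan for consecutive (name, path) string pairs; return them in file order."""
    entries, off = [], 0
    while off < len(data) - 4:
        name = read_lp_string(data, off)
        path = read_lp_string(data, name[1]) if name else None
        if path and NAME_RE.match(name[0]) and PATH_RE.match(path[0]):
            entries.append((name[0], path[0]))
            off = path[1]          # continue right after the matched pair
        else:
            off += 1               # no pair here, slide one byte
    return entries

def floppy_users(entries):
    """Users who saved to A:\\ at least once (copy via removable media)."""
    return sorted({n for n, p in entries if p.upper().startswith("A:\\")})

def _lp(s):
    """Encode one string the way the assumed layout stores it."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")

# Constructed bytes: four name/path pairs taken from the listing in the post,
# wrapped in junk. This is NOT an excerpt of blair.doc.
SAMPLE = b"\x00\xffjunk" + b"".join(_lp(s) for s in (
    "JPratt", r"C:\TEMP\Iraq-security.doc",
    "ablackshaw", r"C:\ABlackshaw\Iraq-security.doc",
    "ablackshaw", r"A:\Iraq-security.doc",
    "MKhan", r"C:\WINNT\Profiles\mkhan\Desktop\Iraq.doc")) + b"\x00\x00end"

if __name__ == "__main__":
    for user, path in extract_save_log(SAMPLE):
        print(f"{user:12} {path}")
    print("saved to floppy:", floppy_users(extract_save_log(SAMPLE)))
```

To try it on a real file, pass `open("blair.doc", "rb").read()` to `extract_save_log`; the name and path filters are heuristics, so review the output against the raw bytes before relying on it.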
-
March 7th, 2004, 06:27 AM
#2
By the way, I would like to see what else can be pulled from the metadata if anyone knows something.
And corrections welcome. I don't deny that I'm a dumbass.
Time to watch Reservoir Dogs.
-
March 8th, 2004, 07:57 PM
#3
Great post Soda-Popinsky, thanks for sharing
-
March 8th, 2004, 09:18 PM
#4
This was a fascinating read. Thank you.
-
March 9th, 2004, 12:06 AM
#5
Good tut Soda.
If you didn't see this, Microsoft released a metadata cleaning tool, although it only works for Office 2003, which many people haven't upgraded to yet...including us. Gee, thanks Microsoft. Would have been nice if they supported Office 2000 but that would go against the make-more-money initiative by dribbling out minor upgrades.
Tool is located at http://www.microsoft.com/downloads/d...displaylang=en
-
May 14th, 2004, 02:05 AM
#6
Junior Member
Nice post.
I would be interested in knowing how the persons who were involved in revisions can be viewed, and how Word arrives at a last time printed date and time.