
Thread: Microsoft Metadata forensics

  1. #1

    Microsoft Metadata forensics

    Microsoft Word MetaData Forensics Tutorial
    By SodaPopinsky

    This site

    Attached is a zip file containing the docs necessary to complete this tutorial.

    Metadata is data held by a file that contains information that is used by the program that made it. That’s not an official definition, that’s my definition. What this tutorial will do is show you one way to extract information that may prove useful to an investigation or whatever. What makes this tutorial so damn cool is that I’ll be using docs from a government about WMD in Iraq that were released to the public. Reporters used metadata to see who had access to this file, and who edited it, and someone got in trouble because of it. Let’s get started…

    Download the zip, extract its contents. Open blair.doc with Notepad, or another non-rich-text editor. You should see a bunch of nonsense, crap characters. In order to make this into more readable text, you can use Notepad’s find / replace tool. Tell it to find spaces and replace them with nothing. Mess around with it and it will clean up. It will probably be faster to manually delete the large white spaces.

    Near the bottom, you should start to see some file paths. This is what we are going to cover. In Tut2.txt, I provided a clean version of the meta. In tut3.txt, I deleted the crap around the file paths, and you can see what’s important. In tut4.txt, I cleaned it up to a very readable format. So quick summary:

    Open .doc with non-rich-text editor
    Clean up text
    Find interesting info
    Clean up more
    Organize and investigate

    So what do we have? Here are the file paths…

    cic22J C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecoverysaveofIraq-security.asd
    cic22J C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecoverysaveofIraq-security.asd
    cic22J C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecoverysaveofIraq-security.asd
    JPratt C:\TEMP\Iraq-security.doc
    JPratt A:\Iraq-security.doc
    ablackshaw C:\ABlackshaw\Iraq-security.doc
    ablackshaw C:\ABlackshaw\A;Iraq-security.doc
    ablackshaw A:\Iraq-security.doc
    MKhan C:\TEMP\Iraq-security.doc
    MKhan C:\WINNT\Profiles\mkhan\Desktop\Iraq.doc

    What we have are a bunch of usernames and paths. These paths represent where the users saved this document. So what does this mean???
    These users all had access to the file. This is a trail. All these names took part in making this file. You can even see that ablackshaw transferred the file on a floppy disk, and MKhan uses WINNT. Turns out these people are:

    Paul Hamill - Foreign Office official
    John Pratt - Downing Street official
    Alison Blackshaw - The personal assistant of the Prime Minister's press secretary
    Murtaza Khan - Junior press officer for the Prime Minister

    Just to let you know, this was a very important .doc that I attached. I got it from the site linked above.
    Quote from the site-

    Microsoft Word documents are notorious for containing private information in file headers which people would sometimes rather not share. The British government of Tony Blair just learned this lesson the hard way.
    Back in February 2003, 10 Downing Street published a dossier on Iraq's security and intelligence organizations. This dossier was cited by Colin Powell in his address to the United Nations the same month. Dr. Glen Rangwala, a lecturer in politics at Cambridge University, quickly discovered that much of the material in the dossier was actually plagiarized from a U.S. researcher on Iraq.
    Back in February, I passed along these 4 names to Dr. Rangwala who then provided them to a number of reporters in the UK. One reporter quickly identified the four individuals as:
    Paul Hamill - Foreign Office official
    John Pratt - Downing Street official
    Alison Blackshaw - The personal assistant of the Prime Minister's press secretary
    Murtaza Khan - Junior press officer for the Prime Minister

    During the week of June 23, 2003, the British Parliament held hearings of the Blair Dossier and other PR efforts by the UK Government leading up to the Iraq war. Alastair Campbell of the UK Communications Information Centre was put in the hot seat and had to explain the dossier plagiarism and details of the revision log.
    That’s a different tutorial, huh? It’s almost like you got Alastair Campbell in trouble yourself.

    Metadata in Word documents. They can be used to prove something, or altered to hide something. As long as you know it’s there, then you have the potential to use it for good.

    Thanks to-
    nihil and

    Hope you had fun
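
The manual Notepad clean-up described in the post above can be scripted. The following is an added example, not part of the original post or its attachments: it assumes the names and paths are stored as UTF-16LE text (which is why they show up with gaps between the letters in Notepad), and the function names, the `0xFFFF` separators and the sample bytes are constructed for illustration using paths quoted in the post.

```python
import re

# Printable ASCII stored as UTF-16LE: every character is followed by a NUL byte.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# Drive-letter path ending in an extension Word writes (document, template, AutoRecover, backup).
WIN_PATH = re.compile(r"^[A-Za-z]:\\.+\.(?:doc|dot|asd|wbk)$", re.IGNORECASE)


def utf16_strings(blob):
    """Decode every run of four or more UTF-16LE printable characters, in file order."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def save_history(blob):
    """Pair each saved path with the string stored just before it (the user name)."""
    strings = utf16_strings(blob)
    return [(prev, cur) for prev, cur in zip(strings, strings[1:])
            if WIN_PATH.match(cur) and not WIN_PATH.match(prev)]


def removable_media_users(pairs):
    """Users who saved to A: or B:, i.e. carried the file on a floppy disk."""
    seen = []
    for user, path in pairs:
        if path[0].upper() in "AB" and user not in seen:
            seen.append(user)
    return seen


def sample_blob():
    """Constructed stand-in for the tail of a .doc file; NOT bytes taken from blair.doc.
    The 0xFFFF separators are an assumption made for this sample only."""
    entries = [("JPratt", r"A:\Iraq-security.doc"),
               ("ablackshaw", r"C:\ABlackshaw\Iraq-security.doc"),
               ("ablackshaw", r"A:\Iraq-security.doc"),
               ("MKhan", r"C:\TEMP\Iraq-security.doc")]
    blob = b"\xd0\xcf\x11\xe0" + b"\x00" * 16 + b"Body text, one byte per character"
    for user, path in entries:
        blob += b"\xff\xff" + user.encode("utf-16-le") + b"\xff\xff" + path.encode("utf-16-le")
    return blob + b"\xff\xff"


if __name__ == "__main__":
    history = save_history(sample_blob())
    for user, path in history:
        print(f"{user:12} {path}")
    print("saved to floppy:", removable_media_users(history))
```

On a real file, a byte next to a string can happen to fall in the printable range and get glued onto it, so treat the output as leads to confirm against the raw bytes. The same script is useful before publishing a document of your own, to see what save history it still carries.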

  2. #2
    By the way, I would like to see what else can be pulled from the metadata if anyone knows something.

    And corrections welcome. I don't deny that I'm a dumbass.

    Time to watch Reservoir Dogs.

  3. #3
    Elite Hacker
    Join Date
    Mar 2003
    Great post Soda-Popinsky, thanks for sharing

  4. #4
    Senior Member
    Join Date
    Feb 2004
    This was a fascinating read. Thank you.

  5. #5
    Good tut Soda.

    If you didn't see this, Microsoft released a metadata cleaning tool, although it only works for Office 2003, which many people haven't upgraded to yet... including us. Gee, thanks Microsoft. Would have been nice if they supported Office 2000 but that would go against the make-more-money initiative by dribbling out minor upgrades.

    Tool is located at

  6. #6
    Junior Member
    Join Date
    May 2004
    Nice post.

    I would be interested in knowing how the persons who were involved in revisions can be viewed, and how Word arrives at a last time printed date and time.
