Microsoft Word MetaData Forensics Tutorial
By SodaPopinsky

Credit-
nihil
This site http://www.computerbytesman.com/privacy/blair.htm

Attached is a zip file containing the docs necessary to complete this tutorial.

Metadata is data held by a file that contains information that is used by the program that made it. That's not an official definition, that's my definition. What this tutorial will do is show you one way to extract information that may prove useful to an investigation or whatever. What makes this tutorial so damn cool is that I'll be using docs from a government about WMD in Iraq that were released to the public. Reporters used metadata to see who had access to this file and who edited it, and someone got in trouble because of it. Let's get started…

Download the zip and extract its contents. Open blair.doc with Notepad or another non-rich-text editor. You should see a bunch of nonsense, crap characters. To make this into more readable text, you can use Notepad's find / replace tool. Tell it to find spaces and replace them with nothing. Mess around with it and it will clean up. It will probably be faster to manually delete the large white spaces.

Near the bottom, you should start to see some file paths. This is what we are going to cover. In Tut2.txt, I provided a clean version of the meta. In tut3.txt, I deleted the crap around the file paths, and you can see what's important. In tut4.txt, I cleaned it up to a very readable format. So, quick summary:

Open .doc with non-rich-text editor
Clean up text
Find interesting info
Clean up more
Organize and investigate

So what do we have? Here are the file paths…

cic22J C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecoverysaveofIraq-security.asd
cic22J C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecoverysaveofIraq-security.asd
cic22J C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecoverysaveofIraq-security.asd
JPratt C:\TEMP\Iraq-security.doc
JPratt A:\Iraq-security.doc
ablackshaw C:\ABlackshaw\Iraq-security.doc
ablackshaw C:\ABlackshaw\A;Iraq-security.doc
ablackshaw A:\Iraq-security.doc
MKhan C:\TEMP\Iraq-security.doc
MKhan C:\WINNT\Profiles\mkhan\Desktop\Iraq.doc

What we have are a bunch of usernames and paths. These paths represent where the users saved this document. So what does this mean???
These users all had access to the file. This is a trail. All these names took part in making this file. You can even see that ablackshaw transferred the file on a floppy disk, and MKhan uses WINNT. Turns out these people are:

Paul Hamill - Foreign Office official
John Pratt - Downing Street official
Alison Blackshaw - The personal assistant of the Prime Minister's press secretary
Murtaza Khan - Junior press officer for the Prime Minister
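The manual clean-up above can also be scripted. This is an added example, not part of the original tutorial or its zip file: it pulls UTF-16LE text runs out of a binary blob and pairs each Word path with the string stored just before it. The function names, the sample byte layout, and the assumption that the preceding string is the user name are all made up for illustration.

```python
import re

# A run of 3+ printable ASCII characters, each followed by a zero byte: ASCII
# text stored as UTF-16LE, which a plain text editor shows as spaced-out letters.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){3,}")
# Drive-letter path ending in a Word extension (.doc, or .asd for AutoRecovery).
WORD_PATH = re.compile(r"^[A-Za-z]:\\.*\.(?:doc|asd)$", re.IGNORECASE)


def utf16_strings(blob):
    """Return every UTF-16LE text run in the blob, in file order."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def save_trail(blob):
    """Pair each Word path with the string stored just before it (assumed to
    be the user name), dropping consecutive repeats such as AutoRecovery saves."""
    trail, runs = [], utf16_strings(blob)
    for prev, cur in zip(runs, runs[1:]):
        if WORD_PATH.match(cur) and not WORD_PATH.match(prev):
            entry = (prev, cur)
            if not trail or trail[-1] != entry:
                trail.append(entry)
    return trail


def removable_media_users(trail):
    """Users who saved to A: or B:, i.e. a floppy drive."""
    return sorted({user for user, path in trail if path[0].upper() in "AB"})


def build_sample():
    """Constructed test blob: binary filler around UTF-16LE strings. Names and
    paths are taken from the tutorial's list; the byte layout is made up."""
    rows = [("JPratt", r"C:\TEMP\Iraq-security.doc"),
            ("JPratt", r"C:\TEMP\Iraq-security.doc"),
            ("JPratt", r"A:\Iraq-security.doc"),
            ("MKhan", r"C:\WINNT\Profiles\mkhan\Desktop\Iraq.doc")]
    blob = b"\xd0\xcf\x11\xe0" + bytes(range(1, 16))
    for user, path in rows:
        blob += b"\x01\x02" + user.encode("utf-16-le")
        blob += b"\x03\x04" + path.encode("utf-16-le")
    return blob + b"\xff\xfe\x01"


if __name__ == "__main__":
    for user, path in save_trail(build_sample()):
        print(f"{user:12} {path}")
```

To try it on a real file, pass `open("blair.doc", "rb").read()` to `save_trail` instead of the constructed sample; stray characters may still cling to some names and need the same manual clean-up.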

Just to let you know, this was a very important .doc that I attached. I got it from the site linked above.
Quote from the site-

Microsoft Word documents are notorious for containing private information in file headers which people would sometimes rather not share. The British government of Tony Blair just learned this lesson the hard way.
Back in February 2003, 10 Downing Street published a dossier on Iraq's security and intelligence organizations. This dossier was cited by Colin Powell in his address to the United Nations the same month. Dr. Glen Rangwala, a lecturer in politics at Cambridge University, quickly discovered that much of the material in the dossier was actually plagiarized from a U.S. researcher on Iraq.
Back in February, I passed along these 4 names to Dr. Rangwala who then provided them to a number of reporters in the UK. One reporter quickly identified the four individuals as:
Paul Hamill - Foreign Office official
John Pratt - Downing Street official
Alison Blackshaw - The personal assistant of the Prime Minister's press secretary
Murtaza Khan - Junior press officer for the Prime Minister

During the week of June 23, 2003, the British Parliament held hearings of the Blair Dossier and other PR efforts by the UK Government leading up to the Iraq war. Alastair Campbell of the UK Communications Information Centre was put in the hot seat and had to explain the dossier plagiarism and details of the revision log.
That's a different tutorial, huh? It's almost like you got Alastair Campbell in trouble yourself.

Lesson:
Metadata in Word documents. It can be used to prove something, or altered to hide something. As long as you know it's there, then you have the potential to use it for good.

Thanks to-
nihil and http://www.computerbytesman.com/privacy/blair.htm

Hope you had fun
Soda