Digital forensics has evolved from the examination of computers, storage and documents to the analysis of data from the Internet, smartphones and networks. This evolution has greatly expanded the scope of the forensic investigator’s responsibilities, not narrowed it.
Analyzing documents to prove their authenticity has been one of the cornerstones of computer forensics and is still an important part of the investigative process to this day. Whether you’re investigating documents in a fraud case, an IP theft, or from a malware/phishing intrusion, proper document analysis is essential to help uncover the truth in many investigations.
Most documents have two primary sources of evidentiary value to examiners depending on the investigation: the content of the document itself, and the metadata around the creation and modification of the file. Analyzing the content of a given document is relatively straightforward and very dependent on the case you’re investigating. For example, the content of an Excel spreadsheet containing financial records would be far more valuable to investigate for a potential fraud case, versus a malware or phishing investigation, where the focus would be around searching for malicious scripts or links. The biggest challenge will be to recover any deleted documents from unallocated space, as sometimes the files are fragmented and/or overwritten, which means the full content of a document may not be recovered.
More often than not, the metadata around a particular document can be just as important, if not more, than the contents of the file itself. Details around when the file was created, last edited – and by whom – can be quite valuable for an investigator trying to determine the authenticity of a document, or to verify its contents. The metadata included with a document depends on the individual document being analyzed. Typically you’ll find the MAC times for the file, as well as the created and last edited time for the document, which is often more accurate than the MAC times; this is especially true if it was shared between computers and drives. The original author and last person to edit the document are also included, along with the document title when available.
New to Internet Evidence Finder v6.4 is the ability to recover and analyze documents found on a suspect’s PC. Available with the OS & Business Apps module, IEF is now able to recover Microsoft Office documents including Excel, PowerPoint, Word and PDF documents.
IEF will now parse out DOC, DOCX, XLS, XLSX, PPT, PPTX and PDF files from any evidence that is analyzed on PCs and mobile devices. It will also attempt to carve out full or partial documents that have been deleted or reside in unallocated space.
As previously mentioned, how IEF reports the metadata greatly depends on the type of document being analyzed. IEF will organize all the recovered details into sortable columns as shown below:
The first three timestamps are the MAC times for the file itself, whereas the later timestamps (Created Time, Last Modified Time and Last Printed Time for PPTX files) come from the metadata stored in the document. Any additional metadata is stored in columns, which makes it easy for an investigator to search and organize.
Viewing the content of a document in IEF is straightforward. In the details window you are given the option to display either the details from the column table, or the content of the document by clicking “View”:
The content is rendered for the investigator from within the IEF Report Viewer as a preview.
If you would like analyze the document further in its native viewer, it can easily be exported by right clicking on the artifact and selecting “Export to Files.” Once exported, the document can be viewed with any viewer installed on the examination machine that handles those file types.
Document analysis is a common task for forensic examiners. In adding this feature to IEF, we’ve strived to ensure that investigators experience the same ease of use with document analysis that they already experience with IEF Internet analysis.
Here are some other resources worth taking a look at:
- Blog: Finding and Analyzing Email with IEF
- More Information about IEF
- Webcast: Attend an IEF Demo
- Try it:
- New to IEF – Request a 30 day trial of IEF
- Current IEF Customers - Get a 30 day trial of Business Applications and OS Artifacts Module
As always, please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.
Jamie McQuaid
Forensics Consultant, Magnet Forensics
