By: Jon Rowe.
Computer forensic examinations and litigation support projects often rely on Microsoft Office file metadata. Metadata is information stored in a file that identifies key attributes of the file and can assist a computer forensic examiner and lawyers by establishing key findings in a case. It can assist with the timeline of events for a suspect.
The area of the file referred to as ‘Last 10 Authors’ is also called metadata; however, it isn’t contained in the same area or accessible through the same applications as the other metadata fields. The last 10 authors/locations information can greatly assist computer forensic examinations and electronic discovery projects, but it is important to know which software tools can access and scrub it.
Many computer examiners and attorneys have found out the hard way that last 10 authors isn’t normally extracted or displayed by several popular computer forensic or electronic discovery processing software packages.
What is OLE stream metadata? OLE stream metadata is what is commonly viewed through a metadata viewer or sometimes extracted during electronic discovery, and it contains fields such as Title, Author, Date Last Printed, Date Last Saved, etc. Because the last 10 authors data is stored in a different location and is not easily accessible, this information isn’t normally extracted during the electronic discovery process.
Many attorneys are concerned when they realize what information is contained in the last 10 authors area of their clients’ files. They become even more concerned when they realize their scrubbing software didn’t eliminate the information in this area.
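As an added illustration (not from the original article or from Pinpoint Labs): in the Word 97-2003 binary format, Microsoft's [MS-DOC] specification stores this list as the SttbSavedBy table in the document's table stream, separate from the summary-information streams. The Python below finds the table from the header of the WordDocument stream and decodes its author/path pairs; the offsets and structure names are taken from [MS-DOC], and the sample names and paths are constructed.

```python
import struct

# Offsets and structure names come from [MS-DOC], not from the article.
FIB_FLAGS = 0x0A          # bit 0x0200 (fWhichTblStm) selects 1Table over 0Table
FC_STTB_SAVED_BY = 0x2D2  # fcSttbSavedBy, immediately followed by lcbSttbSavedBy

def locate_saved_by(word_document):
    """Return (table stream name, offset, length) read from the file header."""
    if len(word_document) < FC_STTB_SAVED_BY + 8:
        raise ValueError("WordDocument stream too short for a Word 97+ header")
    (ident,) = struct.unpack_from("<H", word_document, 0)
    if ident != 0xA5EC:
        raise ValueError("not a Word binary document")
    (flags,) = struct.unpack_from("<H", word_document, FIB_FLAGS)
    fc, lcb = struct.unpack_from("<II", word_document, FC_STTB_SAVED_BY)
    return ("1Table" if flags & 0x0200 else "0Table", fc, lcb)

def parse_saved_by(blob):
    """Decode SttbSavedBy bytes into a list of (author, file path) pairs."""
    if len(blob) < 6:
        raise ValueError("table shorter than its 6-byte header")
    f_extend, c_data, cb_extra = struct.unpack_from("<HHH", blob, 0)
    if f_extend != 0xFFFF:
        raise ValueError("expected an extended (UTF-16) string table")
    if c_data % 2:
        raise ValueError("odd string count; entries are author/path pairs")
    pos, strings = 6, []
    for _ in range(c_data):
        if pos + 2 > len(blob):
            raise ValueError("truncated length prefix")
        (cch,) = struct.unpack_from("<H", blob, pos)
        end = pos + 2 + cch * 2
        if end > len(blob):
            raise ValueError("truncated string data")
        strings.append(blob[pos + 2:end].decode("utf-16-le"))
        pos = end + cb_extra
    return list(zip(strings[0::2], strings[1::2]))

def build_sample(pairs):
    """Build table bytes for testing (constructed data, not a real file)."""
    out = struct.pack("<HHH", 0xFFFF, len(pairs) * 2, 0)
    for author, path in pairs:
        for text in (author, path):
            out += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return out

SAMPLE_PAIRS = [("A. Example", "C:\\Work\\draft.doc"), ("B. Example", "E:\\draft.doc")]
SAMPLE = build_sample(SAMPLE_PAIRS)
```

An empty list from `parse_saved_by` on a scrubbed file's table is one way to confirm the entries were actually removed.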
In a recent computer examination I was examining a USB drive which contained the current working files of the suspect. We were also provided access to a laptop which the suspect claimed was the only computer used in addition to the office computer.
We were a bit suspicious when we were told the laptop was used whenever the suspect wasn’t in the office. Our suspicions were a result of determining the laptop was 5 years old and contained partitions that included DOS and Windows 3.1.
When we reviewed the last 10 authors information on dozens of current working files located on the USB drive we were able to determine that none of the files were created or recently modified on the laptop. In fact, we were able to determine the employee had access to two other systems which had been used to edit the working files.
It is also important to understand that the last 10 authors data is captured not only when a user clicks ‘save’; Microsoft Word’s autosave feature will also intermittently save files and store the information in last 10 authors.
There are numerous examples of how the last 10 authors data is used to win and defend cases. Savvy attorneys and computer forensic examiners review this information when examining their clients’ files or those produced by opposing counsel.
When selecting a vendor or software to scrub documents, it is important to ensure that the last 10 authors data is removed during scrubbing. Not all vendors or software applications will identify and remove the last 10 authors data.
In summary, last 10 authors is referred to as metadata; however, it isn’t accessible through most computer forensic software or electronic discovery applications. Last 10 authors data can be viewed and scrubbed using applications from Pinpoint Labs (Pinpoint MetaViewer, MetaDiscover). There are a couple of other applications; however, the applications from Pinpoint Labs can access and scrub the data without altering the file system timestamps and are significantly quicker than other applications reviewed.
Article Source: http://www.marketingarticlebank.com
Pinpoint Metaviewer and MetaDiscover are available from the Pinpoint Labs website.