AntiOnline Spotlight: Microsoft Metadata Forensics

AntiOnline: Maximum Security for a Connected World

Imagine that your staff sends a client a Word document outlining a proposal that's been edited and massaged to perfection. So compelling is your message and so professional the presentation that your every instinct tells you that you've hit the bull's-eye.

Instead, your client calls asking that you make some concessions and knock a sizable chunk off your price, suspiciously close to the bare minimum your team was considering charging for the job.

They know something.

Indeed, but they didn't have to snoop on your employees or mount a daring late night break-in. No, your workers simply e-mailed them all they wanted to know.

Microsoft Word has a handy feature that allows you to view revisions to a document so that you can chart its evolution. If you fail to strip the doc of the metadata that chronicles these changes, others can see the different forms this document took before it worked its way through your office.

From that they can "see" the author fix embarrassing mistakes, modify pricing info and hastily delete the expletives brought on by a bit of writer's block and an empty coffee pot.

Apart from this, metadata can also reveal who had a hand in the document's creation and where it's been.

Before you volunteer more information than you want your customers, friends, bosses and competition to know, be sure to read this week's spotlight thread.

Note: The opinions expressed below are solely those of the individual posters on the AntiOnline forums.

Microsoft Metadata Forensics

Soda_Popinsky provides this brief but telling tutorial on how metadata can betray what you put in the final version of your docs. Complete with downloadable examples!

What this tutorial will do is show you one way to extract information that may prove useful to an investigation. What makes this tutorial cool is that I'll be using docs from a government about WMDs in Iraq that were released to the public. Reporters used the metadata to see who had access to this file, and who edited it, and someone got in trouble because of it. Let's get started...
A little sleuthing can turn up some juicy tidbits...
Open .doc with non-rich text editor
Clean up text
Find interesting info
Clean up more
Organize and investigate

So what do we have? Here are the file paths:

cic22J C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecoverysave
cic22J C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecoverysave
cic22J C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecoverysave
JPratt C:\TEMP\Iraq-security.doc
JPratt A:\Iraq-security.doc
ablackshaw C:\ABlackshaw\Iraq-security.doc
ablackshaw C:\ABlackshaw\A;Iraq-security.doc
ablackshaw A:\Iraq-security.doc
MKhan C:\TEMP\Iraq-security.doc
MKhan C:\WINNT\Profiles\mkhan\Desktop\Iraq.doc

What we have are a bunch of usernames, and paths. These paths represent where the users saved this document. So what does this mean?

All these names took part in making this file. You can even see that ablackshaw transferred the file on a floppy disk, and MKhan uses WINNT. Turns out these people are:
Paul Hamill - Foreign Office official
John Pratt - Downing Street official
Alison Blackshaw - The personal assistant of the Prime Minister's press secretary
Murtaza Khan - Junior press officer for the Prime Minister
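
The "open it in a plain text editor and look for paths" step above can be automated for a pre-release check. The scanner below is an added example, not code from the thread: it pulls printable ASCII and UTF-16LE runs out of a byte blob (Word 97-2003 keeps its saved-by author/path table as UTF-16LE) and pairs each Windows path with the string stored just before it, which is how the username/path pairs in the tutorial line up. The byte blob is constructed to imitate that table and is not a real .doc.

```python
import re

# Constructed sample: UTF-16LE author/path pairs (as Word 97-2003 stores them)
# and one ASCII pair, padded with binary junk. Not an actual .doc file.
SAMPLE = (
    b"\x00\xd0\xcf\x11\xe0"
    + "JPratt".encode("utf-16-le") + b"\x00\x00"
    + r"C:\TEMP\Iraq-security.doc".encode("utf-16-le") + b"\x00\x00"
    + b"\x13\x01"
    + "ablackshaw".encode("utf-16-le") + b"\x00\x00"
    + r"A:\Iraq-security.doc".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe"
    + b"cic22J" + b"\x00"
    + rb"C:\DOCUME~1\phamill\LOCALS~1\Temp\AutoRecovery"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")           # 4+ printable ASCII bytes
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # 4+ printable UTF-16LE chars
WIN_PATH = re.compile(r"^[A-Za-z]:\\")                # drive-letter path


def extract_strings(blob: bytes):
    """Return (offset, text) for ASCII and UTF-16LE runs, in file order."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(blob)]
    return sorted(found)


def saved_by_pairs(blob: bytes):
    """Pair every Windows path with the string stored immediately before it.

    In the saved-by table that preceding string is the user name, which is
    exactly the username/path listing the tutorial recovers by hand.
    """
    strings = extract_strings(blob)
    pairs = []
    for i, (_, text) in enumerate(strings):
        if i > 0 and WIN_PATH.match(text):
            pairs.append((strings[i - 1][1], text))
    return pairs


if __name__ == "__main__":
    # Anything printed here is leftover metadata worth stripping before release.
    for user, path in saved_by_pairs(SAMPLE):
        print(f"{user:12} {path}")
```

Running it on the sample prints the same user/path table the tutorial builds by hand; run it over a real .doc's bytes (or any other blob) to see what a recipient could read.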

ric-o tells us a debacle like this can be avoided if you download a little utility from Microsoft.
If you didn't see this, Microsoft released a metadata-cleaning tool, although it only works for Office 2003, which many people haven't upgraded to yet.
Need to download that handy metadata-stripping utility? Visit this week's thread for the link and access to the tutorial files so that you too can play British investigative reporter for a day.