
DOCUMENT ANALYSIS

INTRODUCTION TO DOCUMENT ANALYSIS
• Definition: Document analysis refers to the forensic examination of digital files to uncover crucial information such as file origin, authenticity, and modifications.
• Importance in Forensics: In digital investigations, documents can provide evidence of fraud, insider threats, intellectual property theft, etc.
• It involves recovering, verifying, and analyzing the content and properties of files.
COMMON TYPES OF DOCUMENTS IN INVESTIGATIONS:
• Text documents (Word, PDF, etc.)
• Spreadsheets (Excel)
• Presentation files (PowerPoint)
• Emails (analyzed in detail in Chapter 10)
FILE IDENTIFICATION
• What is File Identification? The process of determining the type and structure of a file based on its extension, format, and contents.
• A misidentified file could be malicious or intentionally disguised to evade detection.
• File Signatures and Extensions: Each file has a signature (often found in the first few bytes of data) that identifies its format.
• Extensions like .docx, .pdf, and .xlsx are visual cues, but they can be altered to mislead.
• Tools can be used to analyze the true format, bypassing falsified extensions.
• File Headers: These are critical as they provide technical details about the file format. For example, a PDF file will have %PDF in the header.
• A mismatch between file header and extension raises red flags in forensic investigations.
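As an added example (not from the slides), the header-versus-extension check described above in Python: it classifies a file by its magic bytes, looks inside OOXML zip containers to tell .docx, .xlsx and .pptx apart, and flags names whose extension contradicts the detected format. The signature table, the extension map and the sample files are constructed for this illustration.

```python
import io, zipfile

# Magic bytes at offset 0 -> container type (constructed table, not exhaustive).
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                         # OOXML .docx/.xlsx/.pptx are zips
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.xls/.ppt
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
# Inside an OOXML zip the top-level part folder tells the Office formats apart.
OOXML_PARTS = {"word/": "docx", "xl/": "xlsx", "ppt/": "pptx"}
# Extensions that are consistent with each detected type.
EXPECTED_EXT = {
    "pdf": {".pdf"}, "docx": {".docx", ".docm"}, "xlsx": {".xlsx", ".xlsm"},
    "pptx": {".pptx", ".pptm"}, "zip": {".zip"}, "ole2": {".doc", ".xls", ".ppt"},
    "png": {".png"}, "jpeg": {".jpg", ".jpeg"},
}

def identify(data: bytes) -> str:
    """Classify a file by its header bytes, ignoring its name entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return _classify_zip(data) if kind == "zip" else kind
    return "unknown"

def _classify_zip(data: bytes) -> str:
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return "zip"  # PK header but unreadable archive: report the container only
    for prefix, kind in OOXML_PARTS.items():
        if any(n.startswith(prefix) for n in names):
            return kind
    return "zip"

def check_extension(filename: str, data: bytes):
    """Return (detected_type, mismatch); mismatch means the extension contradicts the header."""
    kind = identify(data)
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return kind, ext not in EXPECTED_EXT.get(kind, set())

def make_ooxml(main_part: str) -> bytes:
    """Constructed minimal OOXML-like zip used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(main_part, "<x/>")
    return buf.getvalue()
```

`check_extension("invoice.pdf", make_ooxml("word/document.xml"))` returns `('docx', True)`: a Word file renamed to look like a PDF.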
UNDERSTANDING METADATA
• Definition of Metadata: Metadata is "data about data," providing critical information about the document's history, usage, and attributes.
• Types of Metadata:
  • Substantive Metadata: Information regarding formatting, fonts, and layout. This type of metadata is useful in intellectual property cases.
  • Embedded Metadata: Information that applications store, such as edit history, author, and time stamps.
  • Custom Metadata: User-defined fields such as ‘Author,’ ‘Last Modified By,’ ‘Document Title,’ etc.
• Uses of Metadata in Forensics:
  • Establish ownership and authorship of a document.
  • Trace document revisions, which is crucial in fraud cases or contract disputes.
  • Prove chain of custody by demonstrating how and when a file was accessed, modified, or transferred.
• Example: A Word document’s metadata might reveal that it was last edited by a different person than claimed or that it was created much earlier than alleged.
METADATA ANALYSIS TOOLS
• Microsoft Office Suite Example: In Microsoft Word, you can view metadata by right-clicking on the file, selecting Properties, and navigating to the Details tab.
• Microsoft Word retains extensive metadata including authorship, edit history, and revision times.
• Third-Party Tools:
  • DocScrubber: Specialized software used to analyze metadata, remove hidden data, and sanitize files before sharing.
  • ExifTool: A powerful open-source tool for reading, writing, and editing metadata in a wide variety of files, especially images and documents.
• Importance of Metadata Tools in Forensics: These tools extract metadata that is not visible in the file itself but may contain crucial information, such as file origins, version control, or tampering.
MAC DATA
• Definition of MAC Data: Modified, Accessed, and Created data are timestamps associated with files that record their interaction history.
  • Modified: Indicates when a file was last changed.
  • Accessed: Logs when a file was last opened.
  • Created: Indicates the date and time the file was first generated on the system.
• Importance in Investigations: MAC data helps establish a timeline of document interactions, crucial in both criminal and civil cases.
• For example, if a fraudster claims a document was created on a specific date, MAC timestamps can validate or contradict that claim.
• Tools for Extracting MAC Data:
  • The Sleuth Kit (TSK): This suite of forensic tools includes utilities like fls and mactime for extracting file timestamps from file systems like NTFS, FAT, etc.
  • X-Ways Forensics: A powerful forensic tool that helps investigate MAC data and other file system attributes.
• MAC Spoofing: Criminals may use tools to alter MAC data, a process known as MAC spoofing. Investigators must be aware of such tampering.
MINING TEMPORARY FILES
• Definition of Temporary Files: Temporary files, often stored in hidden directories, are created by software during routine operations (e.g., autosaves, caches, application data).
• These files often contain information that was deleted from the main file but remains recoverable.
• Examples of Temporary Files:
  • Web browser caches store browsing history.
  • Autosave files in applications like Microsoft Word or Excel preserve document states.
  • Swap files and hibernation files can store fragments of open documents.
• Importance in Investigations: Temporary files often contain information that was “deleted” or not saved in the final version of the document.
• These files can reveal draft versions, partial content, or user activity during a certain time period.
• Tools for Recovering Temporary Files:
  • FTK Imager: Useful for analyzing temporary files and other transient system files.
  • Data carving tools such as Scalpel can recover these hidden pieces of evidence.
IDENTIFYING HIDDEN DATA
• Definition: Data can be hidden within files or in the unused areas of storage media (e.g., slack space, file system metadata, bad clusters).
• Steganography can embed files or information inside images or other file formats.
• Techniques for Hiding Data:
  • Slack space: The unused portion of disk space in a file cluster that may store hidden data.
  • Bad sectors: Areas on a disk marked as damaged can sometimes be manipulated to store hidden data.
  • Alternate Data Streams (ADS): A feature of NTFS that allows hidden metadata or extra files to be stored alongside visible files.
• How to Identify Hidden Data:
  • Hex editors and forensic tools like X-Ways Forensics can be used to examine file headers, search slack space, and find hidden information.
  • Data carving tools retrieve hidden fragments of data by scanning storage media for specific file signatures.
• Example: A forensic investigator may discover secret messages hidden in an image file through steganalysis.
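An added example (not from the slides) of the signature-based carving the "How to Identify Hidden Data" bullets describe: a scan of a constructed byte buffer standing in for a storage image, recovering objects bounded by known header/footer pairs, including a PDF that sits after another file's footer where no directory entry would point. The signature table and the blobs are constructed; this is the simplest form of what Scalpel-style carvers do, with its known pitfalls noted in the docstring.

```python
# Header/footer pairs for simple signature carving (constructed table, not exhaustive).
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

def carve(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return [(offset, kind, bytes)] for every header whose footer lies within max_size.

    Limitations to keep in mind: a header with no footer of its own will swallow the
    next file's footer if one is within max_size, and short footers such as JPEG's
    FF D9 can occur inside unrelated data, so carved objects need structural
    validation before they are treated as evidence.
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + max_size)
            if end == -1:            # no footer in range: skip this header
                pos = image.find(head, pos + 1)
                continue
            end += len(tail)
            found.append((pos, kind, image[pos:end]))
            pos = image.find(head, end)
    return sorted(found, key=lambda r: r[0])

# Constructed "disk image": filler, a minimal PNG, unallocated bytes, a minimal PDF,
# more filler, and finally a PDF header with no trailer (an unrecoverable fragment).
PNG_BLOB = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")
PDF_BLOB = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
IMAGE = (b"\x00" * 512 + PNG_BLOB + b"\xff" * 100 + PDF_BLOB
         + b"\x00" * 300 + b"%PDF-1.7 fragment without a trailer")

def summarize(image: bytes):
    """(offset, kind, length) per carved object, convenient for a report table."""
    return [(off, kind, len(data)) for off, kind, data in carve(image)]
```

`summarize(IMAGE)` yields the PNG at offset 512 and the PDF at offset 657; the trailing PDF fragment is not carved because no footer follows it.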
DOCUMENT MANAGEMENT SYSTEMS (DMS)
• Definition: Document Management Systems are platforms that store, manage, and track digital documents, often used by businesses and organizations.
• Role in Forensic Investigations: DMS logs track user access, modifications, and document history.
• These logs can provide critical audit trails, especially in cases involving intellectual property disputes or insider threats.
• Features for Forensic Investigations:
  • Version control: Helps in identifying when documents were modified and by whom.
  • Audit trails: Show every interaction with a document, including access, edits, and deletions.
  • Backup logs: Useful for recovering lost or deleted files.
• Forensic Tools for DMS: AccessData FTK: Integrates DMS audit trails into investigations by indexing and searching through large document repositories.
CHALLENGES AND RISKS
• Antiforensic Techniques: Criminals may employ antiforensic techniques to destroy or alter metadata or hide documents, such as using tools to wipe metadata or scramble MAC timestamps.
• Example: CCleaner is a common tool used to clean up metadata and temporary files to cover tracks.
• Risks of Relying on Metadata: Metadata can be easily altered or deleted by experienced users.
• Investigators should be cautious when drawing conclusions based solely on metadata, as it can be manipulated.
• Best Practices to Overcome These Challenges: Combine metadata analysis with other forensic techniques such as file hashing, network logs, and file system analysis to build a stronger case.
• Case Study Overview: Example of a digital forensics case where document analysis was critical (e.g., an intellectual property dispute or a fraud case).
• Details of the Investigation: Forensic techniques used to identify altered documents.
• Use of metadata to establish timelines and authorship.
• Outcome: How document analysis led to a legal resolution.
• Key Lessons: The importance of accurate data handling.
• How metadata, temporary files, and hidden data can provide critical evidence.
