Study on the tracking revision history of MS Word files for forensic investigation |
| |
| Institution: | 1. Faculty of Industrial Engineering and Management, Technion, Haifa, Israel;2. Department of Industrial Engineering and Management, Ariel University, Ariel, Israel;1. Faculty of Education, Universidad de Leon, Campus de Vegazana s/n, 24071 Leon, Spain;2. Faculty of Systems and Telecommunications, Universidad Estatal Península de Santa Elena, Vía Principal La Libertad-Santa Elena, Santa Elena, Ecuador;3. Munich University of Applied Sciences, Department of General and Interdisciplinary Studies (FK13), Hochschule München, Dachauerstr. 100a, 80636 Munich, Germany;4. Department of Mechanical, Computing and Aerospace Engineering, Universidad de Leon, Campus de Vegazana s/n, 24071 Leon, Spain |
| |
| Abstract: | Document forensics remains an important field of digital forensics. To date, previously existing methods focused on the last saved version of the document file stored on the PC; however, the drawback of this approach is that this provides no indication as to how the contents have been modified. This paper provides a novel method for document forensics based on tracking the revision history of a Microsoft Word file. The proposed method concentrates on the TMP file created when the author saves the file and the ASD file created periodically by Microsoft Word during editing. A process whereby the revision history lists are generated based on metadata of the Word, TMP, and ASD files is presented. Furthermore, we describe a technique developed to link the revision history lists based on similarity. These outcomes can provide considerable assistance to a forensic investigator trying to establish the extent to which document file contents have been changed and when the file was created, modified, deleted, and copied. |
| |
| Keywords: | Document forensic Microsoft word file Temporary file Revision history Forensic investigation |
| 本文献已被 ScienceDirect 等数据库收录! |
|
