Ask the Guru #1


I have a .doc file created with MS Office (not sure which version).  The original system is no longer available.  This file has changes (using the track changes feature) embedded in it.  The nature of the case is to determine the actual date when the data was originally entered.  I am able to see the changes that have been entered.

My question is: Can I determine the dates/times for which each change was made.


Speaketh the Guru:

If track changes was enabled, you should see the date and time of each change when the document is viewed. These timestamps are displayed by default in programs like Microsoft Word. Naturally, you would not see if any changes were made before track changes was turned on.

The .DOC file format is extremely complex. Details about the format are now public, but require a lot of effort to understand. To my knowledge the best .DOC parsers on the market, other than Office products, are the free and open source competitors to the Office suite. There are no forensics tools geared to parsing such documents that I am aware of, precisely because of their complexity. This is not to say that a parser could not be built, you would just have to weigh the value of what the document contains (or could prove/disprove) against the time and expense of building it.

Have a question for the Guru? Ask it now.