Study on the tracking revision history of MS Word files for forensic investigation

Doowon Jeong, Sangjin Lee

Research output: Contribution to journal › Article

1 Citation (Scopus)

Abstract

Document forensics remains an important field of digital forensics. To date, previously existing methods focused on the last saved version of the document file stored on the PC; however, the drawback of this approach is that this provides no indication as to how the contents have been modified. This paper provides a novel method for document forensics based on tracking the revision history of a Microsoft Word file. The proposed method concentrates on the TMP file created when the author saves the file and the ASD file created periodically by Microsoft Word during editing. A process whereby the revision history lists are generated based on metadata of the Word, TMP, and ASD files is presented. Furthermore, we describe a technique developed to link the revision history lists based on similarity. These outcomes can provide considerable assistance to a forensic investigator trying to establish the extent to which document file contents have been changed and when the file was created, modified, deleted, and copied.

Original language: English
Journal: Digital Investigation
DOI: 10.1016/j.diin.2017.08.003
Publication status: Accepted/In press - 2017 Jan 1

Keywords

  • Document forensic
  • Forensic investigation
  • Microsoft word file
  • Revision history
  • Temporary file

ASJC Scopus subject areas

  • Computer Science Applications
  • Medical Laboratory Technology
  • Law

Cite this

Study on the tracking revision history of MS Word files for forensic investigation. / Jeong, Doowon; Lee, Sangjin.

In: Digital Investigation, 01.01.2017.

@article{f47604f2ebde49588df9f5f50ec16348,
title = "Study on the tracking revision history of MS Word files for forensic investigation",
abstract = "Document forensics remains an important field of digital forensics. To date, previously existing methods focused on the last saved version of the document file stored on the PC; however, the drawback of this approach is that this provides no indication as to how the contents have been modified. This paper provides a novel method for document forensics based on tracking the revision history of a Microsoft Word file. The proposed method concentrates on the TMP file created when the author saves the file and the ASD file created periodically by Microsoft Word during editing. A process whereby the revision history lists are generated based on metadata of the Word, TMP, and ASD files is presented. Furthermore, we describe a technique developed to link the revision history lists based on similarity. These outcomes can provide considerable assistance to a forensic investigator trying to establish the extent to which document file contents have been changed and when the file was created, modified, deleted, and copied.",
keywords = "Document forensic, Forensic investigation, Microsoft word file, Revision history, Temporary file",
author = "Doowon Jeong and Sangjin Lee",
year = "2017",
month = "1",
day = "1",
doi = "10.1016/j.diin.2017.08.003",
language = "English",
journal = "Digital Investigation",
issn = "1742-2876",
publisher = "Elsevier Limited",

}

TY - JOUR

T1 - Study on the tracking revision history of MS Word files for forensic investigation

AU - Jeong, Doowon

AU - Lee, Sangjin

PY - 2017/1/1

Y1 - 2017/1/1

N2 - Document forensics remains an important field of digital forensics. To date, previously existing methods focused on the last saved version of the document file stored on the PC; however, the drawback of this approach is that this provides no indication as to how the contents have been modified. This paper provides a novel method for document forensics based on tracking the revision history of a Microsoft Word file. The proposed method concentrates on the TMP file created when the author saves the file and the ASD file created periodically by Microsoft Word during editing. A process whereby the revision history lists are generated based on metadata of the Word, TMP, and ASD files is presented. Furthermore, we describe a technique developed to link the revision history lists based on similarity. These outcomes can provide considerable assistance to a forensic investigator trying to establish the extent to which document file contents have been changed and when the file was created, modified, deleted, and copied.

KW - Document forensic

KW - Forensic investigation

KW - Microsoft word file

KW - Revision history

KW - Temporary file

UR - http://www.scopus.com/inward/record.url?scp=85029421285&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85029421285&partnerID=8YFLogxK

U2 - 10.1016/j.diin.2017.08.003

DO - 10.1016/j.diin.2017.08.003

M3 - Article

JO - Digital Investigation

JF - Digital Investigation

SN - 1742-2876

ER -