How to Access Microsoft Word Last 10 Authors
by Jon Rowe
Computer forensic examinations and litigation support projects often rely on Microsoft Office file metadata. Metadata is information stored in a file that identifies key attributes of the file and can assist a computer forensic examiner and lawyers by establishing key findings in a case. It can assist with the timeline of events for a suspect.
One of the most valuable areas of information is referred to as 'Last 10 Authors'. Last 10 Authors/Locations is an area of a Microsoft Word file that, as it states, stores the last 10 authors and locations for the file.
A common assumption amongst litigation support professionals and attorneys is that last 10 authors will be extracted during an electronic discovery process. In fact, last 10 authors isn't included in the OLE stream metadata and is not extracted by common electronic discovery products or vendors.
The reason this information isn't available during normal metadata extraction processes (OLE stream) is that last 10 authors isn't stored in the same location as the other OLE metadata. Additionally, the tools provided by Microsoft to extract metadata (which many software developers use) don't include last 10 authors.
Many scrubbing applications don't remove the data contained in the last 10 authors. Because this information is not included in the standard metadata fields, it is often forgotten and becomes available for others to view and possibly use to their advantage.
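An added example, not from the original article or from Pinpoint Labs: a minimal Python reader for the saved-by history of a Word 97-2003 binary .doc, to show where the data sits relative to the OLE property streams. It assumes the `WordDocument` and table streams have already been read out of the OLE container with any compound-file reader, and it relies on the published binary layout (the `fcSttbSavedBy` field at FIB offset 0x2D2, pointing to a string table of alternating author and path entries); the function names and the sample streams are constructed for illustration.

```python
import struct

FC_STTB_SAVED_BY = 0x2D2  # FIB offset of fcSttbSavedBy; lcbSttbSavedBy follows it

def table_stream_name(word_document: bytes) -> str:
    """Name of the table stream ('0Table' or '1Table') the FIB selects."""
    if len(word_document) < 12 or struct.unpack_from("<H", word_document, 0)[0] != 0xA5EC:
        raise ValueError("not a Word binary WordDocument stream")
    flags = struct.unpack_from("<H", word_document, 0x0A)[0]
    if flags & 0x0100:  # fEncrypted: table stream is not plaintext
        raise ValueError("document is encrypted")
    return "1Table" if flags & 0x0200 else "0Table"  # fWhichTblStm

def last_authors(word_document: bytes, table: bytes) -> list:
    """Return [(author, path), ...] in stored order from the save history."""
    table_stream_name(word_document)  # validates signature and encryption flag
    if len(word_document) < FC_STTB_SAVED_BY + 8:
        return []  # FIB too short to carry the field
    fc, lcb = struct.unpack_from("<II", word_document, FC_STTB_SAVED_BY)
    if lcb == 0:
        return []  # no save history stored in this file
    blob = table[fc:fc + lcb]
    if len(blob) != lcb or lcb < 6:
        raise ValueError("save history lies outside the table stream")
    f_extend, c_data, cb_extra = struct.unpack_from("<HHH", blob, 0)
    if f_extend != 0xFFFF:
        raise ValueError("expected an extended (UTF-16) string table")
    strings, pos = [], 6
    for _ in range(c_data):
        if pos + 2 > lcb:
            raise ValueError("truncated string table")
        end = pos + 2 + 2 * struct.unpack_from("<H", blob, pos)[0]
        if end > lcb:
            raise ValueError("truncated string table")
        strings.append(blob[pos + 2:end].decode("utf-16-le"))
        pos = end + cb_extra
    return list(zip(strings[0::2], strings[1::2]))  # (author, path) pairs

def constructed_sample():
    """Constructed streams, not from a real case: two saves, two locations."""
    pairs = ["J. Doe", r"C:\Docs\draft.doc", "J. Doe", r"E:\work\draft.doc"]
    sttb = struct.pack("<HHH", 0xFFFF, len(pairs), 0) + b"".join(
        struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in pairs)
    fib = bytearray(FC_STTB_SAVED_BY + 8)
    struct.pack_into("<H", fib, 0, 0xA5EC)
    struct.pack_into("<H", fib, 0x0A, 0x0200)  # use 1Table, not encrypted
    struct.pack_into("<II", fib, FC_STTB_SAVED_BY, 16, len(sttb))
    return bytes(fib), b"\x00" * 16 + sttb
```

A non-empty result from `last_authors` on a file that has already been through a scrubbing tool shows that the save history survived the scrub.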
In a recent computer examination I was examining a USB drive which contained the current working files of the suspect. We were also provided access to a laptop which the suspect claimed was the only computer used in addition to the office computer.
Because of the age of the laptop and how little information was on the computer, we suspected that the suspect had provided us with a computer that had been retired and wasn't in use as stated.
We were able to confirm our suspicions on this case using the last 10 author data from several Microsoft Word files on the USB drive that the suspect used to store their working files. We were also able to identify two other computers that the suspect was using to create and edit files which were never examined or produced in the case.
It is also important to understand that the last 10 authors data is captured not only when a user clicks 'save'; Microsoft Word's autosave feature will also intermittently save files and store the information in last 10 authors.
There are dozens of examples like this where last 10 authors 'metadata' can be used to help with a conviction or judgement. Information can work for or against an individual and their legal representation. When it is determined that metadata is privileged information or for any reason should be excluded, don't forget about last 10 authors.
Not all electronic discovery vendors or computer forensic examiners include last 10 author data in their processes. Pinpoint Labs has software and services geared towards analyzing and scrubbing last 10 authors data.
In summary, last 10 authors is referred to as metadata; however, it isn't accessible through most computer forensic software or electronic discovery applications. Last 10 authors data can be viewed and scrubbed using applications from Pinpoint Labs (Pinpoint MetaViewer, MetaDiscover). There are a couple of other applications; however, the applications from Pinpoint Labs can access and scrub the data without altering the file system timestamps and are significantly quicker than other applications reviewed.
About the author: Jon Rowe is the President of Pinpoint Labs and a Certified Computer Examiner.