Which computer created a file?


Jan 22, 2008
12
0
#1
Hello, I'm completely ignorant of computer forensics and I was wondering if someone might be able to help answer some questions that I have.

Someone I know had a situation at their business. A Word Doc was found on one of the employee's computers. The computers are all connected to a LAN and of course a server. They are trying to figure out who put the Word Doc on this employee's computer.

Is there a way to figure out which computer created the Word Doc, and also who (which other user) put the file on that computer?

Thanks for any help you can provide.
 

2ndlook

New Member
Jan 19, 2008
39
0
#2
If you right-click on the file and hit Properties, on the Summary tab Word will put the author of the file there... granted, the author has to tell Word on startup who they are, but it is usually pulled from the user logged on.

You can check the Security tab as well; maybe the owner will be there, or it will mention a specific user. And if logging is turned on high enough, you can check to see who was on or accessed the computer remotely during the time the file was created.

Of course this is simple stuff; there are more technical ways, and even ways for someone to pretend they are someone else creating the file.
 

JoshJ

New Member
Jan 17, 2008
33
0
#7
I would have to agree with DoDForensics... Also, if you just used Google you should be able to find the answer, since the topic has been in the news a number of times.
 
Sep 2, 2004
70
6
#9
bluepixel2213 said:
Someone I know had a situation at their business. A Word Doc was found on one of the employee's computers. The computers are all connected to a LAN and of course a server. They are trying to figure out who put the Word Doc on this employee's computer.

Is there a way to figure out which computer created the Word Doc, and also who (which other user) put the file on that computer?

First off, computers don't create documents...users do.

To see on which computer the document had been created, open the Word document in a hex editor and look for "PID_GUID". This is followed by a globally unique identifier that, depending upon the version of Word used, may contain the MAC address of the system on which the file was created.

Checking the user properties (as already mentioned) is a good way to see who the creator of the original file was...so, if the document was not created from scratch and was instead originally created on another system, then the user information will be for the original file.

Another way to locate the "culprit" in this case is to parse the contents of the NTUSER.DAT files for each user on each computer. While this sounds like a lot of work, it really isn't...b/c you're only looking for a couple of pieces of information. Specifically, you're interested in the MRU keys for the version of Word being used, as well as perhaps the RecentDocs keys.

Hope this helps...

H
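
The PID_GUID check described in post #9, as an added example that is not part of the original thread: it scans raw document bytes for the `_PID_GUID` name, pulls out the GUID text that follows, and reports a MAC address only when the GUID is a version-1 UUID with a non-random node. The function names, the 256-byte search window, the assumption that the value is stored as brace-delimited text (8-bit or UTF-16LE), and the sample bytes are all constructed for illustration.

```python
import re
import uuid
from datetime import datetime, timedelta

MARKER = "_PID_GUID"  # property name as it appears in a hex editor
WINDOW = 256  # assumption: the GUID text lies within this many bytes of the name
UUID_EPOCH = datetime(1582, 10, 15)  # version-1 timestamps count 100 ns ticks from here


def _guid_regex(wide):
    """Bytes regex for '{8-4-4-4-12}' hex text, stored 8-bit or as UTF-16LE."""
    z = rb"\x00" if wide else b""
    h = rb"[0-9A-Fa-f]" + z
    body = (rb"-" + z).join(h * n for n in (8, 4, 4, 4, 12))
    return re.compile(rb"\{" + z + body + rb"\}" + z)

GUID_PATTERNS = (_guid_regex(False), _guid_regex(True))


def find_pid_guids(data):
    """Return the GUID strings found shortly after each _PID_GUID marker."""
    hits = []
    for marker in (MARKER.encode("ascii"), MARKER.encode("utf-16-le")):
        pos = data.find(marker)
        while pos != -1:
            start = pos + len(marker)
            for pattern in GUID_PATTERNS:
                m = pattern.search(data, start, start + WINDOW)
                if m:
                    hits.append(m.group().replace(b"\x00", b"").decode("ascii"))
            pos = data.find(marker, start)
    return hits


def describe_guid(text):
    """Decode a GUID; only version-1 GUIDs carry a node (MAC) and a timestamp."""
    u = uuid.UUID(text)
    info = {"guid": str(u), "version": u.version, "mac": None, "generated": None}
    if u.version == 1:
        node = u.node.to_bytes(6, "big")
        if not node[0] & 0x01:  # multicast bit set means a random node, not a NIC
            info["mac"] = ":".join(f"{b:02x}" for b in node)
        info["generated"] = UUID_EPOCH + timedelta(microseconds=u.time // 10)
    return info


# Constructed sample bytes, not taken from a real document.
SAMPLE = (b"\xd0\xcf\x11\xe0" + b"\x00" * 28 + b"_PID_GUID\x00\x1f\x00\x00\x00"
          + "{12345678-5FA4-11D3-8A1E-001122334455}".encode("utf-16-le"))
```

To run it on a file, pass `open(path, "rb").read()` to `find_pid_guids` and each result to `describe_guid`; the `generated` value is when the GUID was minted, which is not necessarily when the file reached a given disk.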
 
Sep 2, 2004
70
6
#10
DoDForensics said:
You can always tell when school gets back into session!

How's that? Because someone asks a question and no one can answer it? ;-)
 
