Compound Files vs. Windows File Attribs
Mandy Hernandez
I need to find a documet that is easy to read and explains the differences
between the Compund File's Summary Stream and the Windows attributes and or
how they relate.
I am working a forensic case and have found very strange date/time issues with
some Excel Spread sheets.
When I view the compund file information i have a 'created on date' of
01/01/04 however when I view it in the Windows properties, it gives me a
creation date of 03/05/04. This COULD happen if you created the file on one
computer and 3 months later you copied it to the drive in question, however
the 'Last Revised' date (Attribute in the Summary Stream) and the last
written attrib in Windows do not match. The 'Last Written' is 03/05/04
07:14:25AM but the 'Last Revised' says 03/05/04 9:25:21PM.
I am looking for a document that can shed some lite as to how the Compund
Info compares to the File level attributes.
BTW: We are looking at the files using EnCase 4.22 which keeps the
attributes of the original file. It is a forensic tools that is designed
with that purpose.
Thanks