Many computer forensic examiners and attorneys are aware that metadata is valuable to many corporate cases. Metadata is the information stored within Microsoft Office and other files that can tell when files were created, edited, printed, stored and dozens of other facts.
One of the most valuable areas of information is referred to as ‘Last 10 Authors’. Last 10 Authors/Locations is an area of a Microsoft Word file that, as it states, stores the last 10 authors and locations for the file.
A common assumption amongst litigation support professionals and attorneys is that last 10 authors will be extracted during an electronic discovery process. In fact, last 10 authors isn’t included in the OLE stream metadata and is not extracted by common electronic discovery products or vendors.
OLE stream metadata is what is visibile and often extracted through computer forensics, electronic discovery and several free utilities. Microsoft provides a dll library to allow software developers to easily access dozens of metadata fields (i.e. Title, Author, Date Last Printed, Date Last Saved etc.), however, the dll and other metadata libraries (as well as scrubbing utilities) don’t provide access to the last 10 authors information.
Once an attorney realizes what information can be available from last 10 authors and locations they can be elated or very concerned depending on who they are representing. It is of additional concern when attorneys realized their scrubbing software or vendor didn’t remove this information.
In a recent computer examination I was examining a USB drive which contained the current working files of the suspect. We were also provided access to a laptop which the suspect claimed was the only computer used in addition to the office computer.
Because of the age of the laptop, size of the hard drive and user log files we doubted that the suspect had used the laptop for much of anything for awhile. Additionally, there were two older operating systems intalled which haven’t been used for many years.
It was the last 10 authors that allowed us to provde that not only had the laptop not been recently used to create, modify or save any work related files last 10 authors also allowed us to identify two other systems the individual had access to that were never produced for the case.
The last 10 authors provides not only the author but the location of the file. Additionally, the autosave feature in Word can cause the location of a file to be stored even if the user didn’t manually save their documents.
There are numerous examples of how the last 10 authors is used to win and defend cases. The savy attorneys and computer forensic examiners review this information when examinig their clients files or those produced by opposing counsel.
Not all electronic discovery vendors or computer forensic exaimers include last 10 author data in their processes. Pinpoint Labs has software and services geared towards analyzing and scrubbing last 10 authors data.
In summary, last 10 authors is referred to as metadata, however, it isn’t accessible through most computer forensic software or electronic discovery application. Last 10 authors data can be viewed and scrubbed using applications from Pinpoint Labs (Pinpoint MetaViewer, MetaDiscover). There are a couple other applications, however, the applications from Pinpoint Labs can access and scrub the data without altering the file system timestamps and is significantly quicker than other applications reviewed.