0

As part of auditing, I have to find whether an Excel file is modified by anyone after it was created in 2018 by the original user on a Windows 7 computer.

I had verified the creation, modified and accessed info available in the file. All this info is from 2018 and, believing these timestamps, I submitted a report that the file is original and not altered by anyone.

But some posts in security.stackexchange.com made me aware that the timestamps I mentioned above can be altered through PowerShell by changing the properties CreationTime, LastAccessTime and LastWriteTime.

If so, I cannot believe these timestamps to ensure the file is not altered. What if someone changed the file and then changed the timestamps back to the initial one?

If so, is there any way that I can find it out?

If not possible to see whether the file is modified, can we at least know whether the metadata of the file was changed?

Note: I have read the post "Why is it impossible to verify whether a file has been modified since creation?" and now I am under the impression that I cannot find out if the file is modified. But this is important for my organization and want to see if there is any way to do it.

schroeder
Vrs
  • "this is important for my organization and want to see if there is any way to do it" - if this is **really** important, that means your organisation **must** have the ability to spend some money for investigation. If so, contact any decent vendor who provides digital forensics services. These guys will seize the HDD for some time, investigate all the possible data, including special file system registries, OS logs etc. etc. etc., and will provide a professional opinion whether there is any evidence the data has been tampered with. – Alex Oct 29 '21 at 11:16
  • Nobody will say with 100% confidence "the timestamp is legit", but if the tampering was performed not by IT professionals - these guys might be able to get some evidence of it, although tracking it back to 2018 will be really, really challenging, less reliable, and most probably quite costly. And if your organisation cannot afford these costs - well, that means this information is not actually that valuable. Take the system attributes for granted, not much else you can do here. – Alex Oct 29 '21 at 11:16

2 Answers

2

Unless you have historical file contents + timestamp, signed by a trustworthy timestamping service, there's no way to know if the file was modified. Files - Excel spreadsheets included - are just data. You can modify them any way you want, at any time.

Even if Excel-the-program always put a log in the file indicating a version history, an attacker could just unpack the file in another tool and edit or revert the log. There's no way to build a key into Excel that it could use to sign the file (or its log) that an attacker couldn't find and use to re-sign the altered version (although external signing is possible, as implied above).

CBHacking
1

Unfortunately, unlike Word, Excel does not have a "Revision Tracking" feature.

However, there is an option in the home panel's info section, where you can see "Version History". However, if the content in the document was copied and pasted into another document, then there would be no older version history to display. That is one way one can circumvent the "Version History" feature.

This is the reason why it is standard practice for security personnel at the workplace to set up a database or a method to store hashes of files that they want to have a form of certain authentication. Every time a known edit is saved a hash is saved in some manner (separate from where the document is saved), where an unknown edit would not change the hash of the previous version of the document.

Basically, if you have a hash for the document that was taken right after a known edit was saved, you could try comparing the current hash of the document with the known hash. If the hash values are the same, then the document was never touched. If it is not the same, then the document has been modified.

Amol Soneji
    Revision tracking doesn't prove a thing. It's all data (Zipped XML files, to be precise); you can unpack it and edit it and repack it to your heart's content. – CBHacking Oct 29 '21 at 05:16
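The hash-baseline approach from the second answer, as an added example that is not part of the original posts: it records a SHA-256 of the file in a manifest entry kept apart from the document, then shows that an edit followed by a timestamp reset still fails verification. The HMAC over the entry is an assumption added here (a local stand-in for the external signing the first answer mentions, not a trusted timestamping service), and the file name, contents and key are constructed.

```python
import hashlib, hmac, json, os, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record_baseline(path, key):
    """Build a manifest entry to be stored away from the document itself."""
    entry = {"name": os.path.basename(path), "sha256": sha256_file(path),
             "mtime_ns": os.stat(path).st_mtime_ns}
    payload = json.dumps(entry, sort_keys=True).encode()
    entry["mac"] = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return entry

def verify(path, entry, key):
    """Return 'manifest-tampered', 'modified' or 'unchanged'."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, entry.get("mac", "")):
        return "manifest-tampered"
    return "unchanged" if sha256_file(path) == body["sha256"] else "modified"

def demo():
    # Assumption: in practice the key is held outside the audited system.
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.xlsx")  # constructed sample file
        with open(path, "wb") as f:
            f.write(b"constructed workbook bytes, 2018 version")
        entry = record_baseline(path, key)
        before = verify(path, entry, key)
        st = os.stat(path)
        with open(path, "wb") as f:  # content changes after the baseline
            f.write(b"constructed workbook bytes, altered later")
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamps restored
        same_mtime = os.stat(path).st_mtime_ns == entry["mtime_ns"]
        after = verify(path, entry, key)
        # A manifest entry rewritten to match the new file, without the key.
        forged = dict(entry, sha256=sha256_file(path))
        return before, same_mtime, after, verify(path, forged, key)

if __name__ == "__main__":
    print(demo())
```

This only helps when the baseline was recorded before the period under audit; it cannot reconstruct a 2018 state after the fact.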