Computer forensics question - Microsoft Word - School Threat


Postby Tomato92 » Wed Mar 28, 2012 4:38 pm UTC

Hello from Finland,

so our school received a threat recently. This threat was published on an intranet available to every computer in our school; the file was an MS Word file titled "VAROITUS.docx" = "warning". The metadata available on the file (properties) tells me when it was created, but not the computer. It also tells me how long it was worked on, only five minutes. So is there any additional metadata or anything that could reveal which computer it came from? Our computers wipe themselves of any changes after shut down, so the Y: intranet is used to save files. With good luck on our side and the origin known, the security cameras might reveal the perpetrator.

Our school is just north of Jokela, where there was a school shooting in 2007; we have plenty of students from there. Every class I heard of was deserted, with only one student in each. I strongly feel it was a sick "joke", so I want justice. The police are investigating it as an illegal threat, but all help was welcomed.

Threat message, de-capslocked and translated:
Warning!!! This is a warning of a future threat to this school! On Tuesday 27th of March there will happen an act, which will shock everyone at school that day! I apologize in advance for my actions, but I see no other options. I will do it at some point during the day, I won't specify further. Again, I'm sorry, but the world has been cruel to me. I will take it out on you. Burn in hell, all of you...
Tomato92
 
Posts: 3
Joined: Tue Mar 27, 2012 7:02 am UTC

Re: Computer forensics question - Microsoft Word - School Th

Postby MHD » Thu Mar 29, 2012 7:17 pm UTC

Investigate how the server logs access and file writes? I am somewhat certain any server with a bit of self-respect logs FTP activity. Then investigate what IP submask wrote it or somesuch. I am no expert but that is where I would look.
EvanED wrote:be aware that when most people say "regular expression" they really mean "something that is almost, but not quite, entirely unlike a regular expression"
MHD
 
Posts: 631
Joined: Fri Mar 20, 2009 8:21 pm UTC
Location: Denmark

Re: Computer forensics question - Microsoft Word - School Th

Postby freakish777 » Thu Mar 29, 2012 8:32 pm UTC

If you're talking about a shared drive when you say Y:

Then you can right-click files and go to Properties. On the Details pane you can view Document Owner to correspond to an Active Directory account. If you don't have Active Directory set up properly and students logging into AD accounts to access your intranet... well, good luck figuring out who did it then, because it's going to be far more complicated than it has to be.
freakish777
 
Posts: 350
Joined: Wed Jul 13, 2011 2:14 pm UTC

Re: Computer forensics question - Microsoft Word - School Th

Postby Tomato92 » Thu Mar 29, 2012 10:43 pm UTC

Thank you for your responses.

MHD, that's certainly a good suggestion. I'll talk with our principal ASAP about requesting maintenance to access that if possible.

Freakish777, unfortunately the properties didn't reveal the computer the message originated from. I checked it first, of course. There were only two items in the properties that could've identified it, but, unfortunately, as I made a few test files on the drive these variables were the same no matter where I saved it. Yes, it's a big screw-up on the host's part. I always thought it would be an open and shut case if something like this happened. To the best of my knowledge it requires little effort to set it up that way.
Tomato92
 
Posts: 3
Joined: Tue Mar 27, 2012 7:02 am UTC

Re: Computer forensics question - Microsoft Word - School Th

Postby OmenPigeon » Fri Mar 30, 2012 2:39 am UTC

.docx files are basically zip files with xml files inside. If you rename the document to varoitus.zip you'll be able to open it and read the data directly. One of the top level folders should be named, if memory serves, "docProps", or if not that then something similar. There should be two files in there, core.xml and app.xml. (There might also be a custom.xml, but it's rare.) If you pull those out of the archive and reformat them (Word doesn't put newlines in when it saves), you can read all the metadata out of those. Theoretically you should be able to read all these properties from inside Word too, but the document property menus are particularly awkwardly designed. There isn't a whole lot in those files that's personally identifying, and just about all the properties are optional, so don't get your hopes up too far. But if there is any metadata in the file, that's where it'll be.
As long as I am alive and well I will continue to feel strongly about prose style, to love the surface of the earth, and to take pleasure in scraps of useless information.
~ George Orwell
OmenPigeon
Peddler of Gossamer Lies
 
Posts: 673
Joined: Mon Sep 25, 2006 6:08 am UTC
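
The check OmenPigeon describes above, as an added example that is not part of the original thread: a Python script that opens a .docx as a zip archive and lists whatever properties are present in `docProps/core.xml` and `docProps/app.xml`. The function names and the sample property values are constructed for illustration, and recording a SHA-256 of the file before parsing is an addition here, so that later findings can be tied to the exact copy examined.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

PROP_PARTS = ("docProps/core.xml", "docProps/app.xml")

def read_docx_properties(data: bytes) -> dict:
    """Hash the file, then return every property found in core.xml/app.xml."""
    result = {"sha256": hashlib.sha256(data).hexdigest(), "parts": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        present = set(zf.namelist())
        for part in PROP_PARTS:
            if part not in present:
                continue  # both parts, and every property in them, are optional
            # Stdlib parser; for files you do not trust, defusedxml is the safer choice.
            root = ET.fromstring(zf.read(part))
            props = {}
            for el in root:
                name = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace
                if el.text and el.text.strip():
                    props[name] = el.text.strip()
            result["parts"][part] = props
    return result

def build_sample_docx() -> bytes:
    """Constructed sample: a minimal archive with made-up property values."""
    core = ('<cp:coreProperties '
            'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/" '
            'xmlns:dcterms="http://purl.org/dc/terms/">'
            '<dc:creator>shared-account</dc:creator>'
            '<cp:lastModifiedBy>shared-account</cp:lastModifiedBy>'
            '<cp:revision>1</cp:revision>'
            '<dcterms:created>2012-01-01T08:00:00Z</dcterms:created>'
            '</cp:coreProperties>')
    app = ('<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
           '<TotalTime>5</TotalTime><Application>Microsoft Office Word</Application>'  # TotalTime: minutes
           '</Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()

if __name__ == "__main__":
    info = read_docx_properties(build_sample_docx())
    print("sha256:", info["sha256"])
    for part, props in info["parts"].items():
        for name, value in props.items():
            print(f"{part}: {name} = {value}")
```

On a network where everyone shares one login, `creator` and `lastModifiedBy` will typically carry the same shared name for every file, which matches what the original poster reports seeing.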

Re: Computer forensics question - Microsoft Word - School Th

Postby freakish777 » Fri Mar 30, 2012 6:06 pm UTC

Tomato92 wrote:Freakish777, unfortunately the properties didn't reveal the computer the message originated from.



My point was that you shouldn't be trying to figure out which computer it came from, but rather which user account. If you're the IT person for your school's computer network, and you don't require people to log in to personalized accounts, you need to rethink how you're doing things.

Something that would help is what version of Windows we're talking about. At the network level, at the computer level, and at the level that the shared drive resides.
freakish777
 
Posts: 350
Joined: Wed Jul 13, 2011 2:14 pm UTC

Re: Computer forensics question - Microsoft Word - School Th

Postby Tomato92 » Fri Mar 30, 2012 9:22 pm UTC

Maybe I wasn't clear, there are no user accounts. Everyone logs on with the same account and password for each computer. Yes I officially hate our IT guys, but on the other hand it would be unreliable and inconvenient to use user accounts. Hopefully the FTP has been or can be used to identify the computer.

I turned the file into source using some online how-to thing, nothing revealed anything more than the properties already told me.

I'll contact police tomorrow, see if they know which computer it originated from. I lost track of what I was supposed to ask them, this morning, what with that other shooting incident up north. Thankfully no one was hurt this time. Thank you all, again.
Tomato92
 
Posts: 3
Joined: Tue Mar 27, 2012 7:02 am UTC

Re: Computer forensics question - Microsoft Word - School Th

Postby Sagekilla » Sun Apr 01, 2012 10:27 pm UTC

Tomato92 wrote:Maybe I wasn't clear, there are no user accounts. Everyone logs on with the same account and password for each computer. Yes I officially hate our IT guys, but on the other hand it would be unreliable and inconvenient to use user accounts. Hopefully the FTP has been or can be used to identify the computer.

I turned the file into source using some online how-to thing, nothing revealed anything more than the properties already told me.

I'll contact police tomorrow, see if they know which computer it originated from. I lost track of what I was supposed to ask them, this morning, what with that other shooting incident up north. Thankfully no one was hurt this time. Thank you all, again.


Unreliable for who? And inconvenient for who? How is "having many user accounts" any more unreliable
than having a *single* user account? If anything, having ONE user account is unreliable because of the
incident that just happened.

And inconvenient? Seriously? People use user accounts all the time. I'd seriously doubt that any
student at your school has had no exposure to user accounts. The only "inconvenience" would be having
some sort of password retrieval or reset system, which you should be doing in the first place.

I'm sorry, but thinking that having one user account is "reliable" and "convenient" is an incredibly
irresponsible way to think of how to handle your computer systems. God forbid the kid actually followed
up on the threat and he managed to kill someone. If that actually happened you'd be royally screwed right
now compared to what would have been possible if you practiced proper user account management.

The sheer fact that this incident occurred should give you all the more reason to pressure your IT department
into changing the system. If not you, then get every other faculty member involved and have them collectively
pressure your IT guys.
http://en.wikipedia.org/wiki/DSV_Alvin#Sinking wrote:Researchers found a cheese sandwich which exhibited no visible signs of decomposition, and was in fact eaten.
Sagekilla
 
Posts: 385
Joined: Fri Aug 21, 2009 1:02 am UTC
Location: Long Island, NY

Re: Computer forensics question - Microsoft Word - School Th

Postby WarDaft » Mon Apr 02, 2012 8:28 am UTC

If you have the kind of IT people who actually think it's a good idea for everyone to share one user account, it might just actually be more reliable. That is, people might generally be able to use it, rather than it being in a permanent state of "my account isn't working!"

Note that this is not an excuse, merely an observation. Another observation is that the school needs better IT people.
All Shadow priest spells that deal Fire damage now appear green.
Big freaky cereal boxes of death.
WarDaft
 
Posts: 1574
Joined: Thu Jul 30, 2009 3:16 pm UTC

