AF-012 · Temporal
Office Metadata Timestamp Contradiction
✓ Validated · timestamp-manipulation · Windows 10
Contributed by @ioi-framework · 2025-01-01 · IoI rule: AF-012
Dependent artifacts: Office core.xml, $MFT
Reproducibility bundle: Zenodo DOI

Summary

This case demonstrates timestomping detection using Office XML metadata. Office documents (.docx, .xlsx, .pptx) are Office Open XML packages: ZIP archives whose docProps/core.xml part carries document-level metadata, including dcterms:created and dcterms:modified. When the MFT timestamps of such a file are forged with timestomper.exe, the metadata inside the archive is left untouched, so the two sources contradict each other. The contradiction is detected by joining the Office graph with the MFT graph on the normalized filePath and comparing the creation timestamps.

Scenario Steps

1. Set Up — Created password.docx on the Windows system and recorded the original document metadata and MFT timestamps.

2. Tampering — Used timestomper.exe to forge the document's filesystem timestamps. The SetFileTime API rewrites only the $STANDARD_INFORMATION (0x10) timestamps in the file's MFT record; the $FILE_NAME (0x30) timestamps are not reachable through that API, and the embedded Office XML metadata in docProps/core.xml is not touched at all.

3. Evidence Collection — Parsed $MFT with the MFT instantiator, extracted the Office XML metadata with office_xml_instantiator.py, and loaded both outputs into separate named graphs. Detection compares the Office graph's ioi-ext:dctermsCreated against the MFT graph's ioi-ext:created0x10 for the same normalized file path. Both values are UTC (core.xml stores W3CDTF with a Z suffix; NTFS stores FILETIME in UTC), so no time-zone conversion is applied before the comparison.

Ground Truth Criteria

  • Office XML metadata (ioi-ext:dctermsCreated) preserves the original document creation time
  • MFT $STANDARD_INFORMATION (0x10) shows the forged creation timestamp
  • xmlCreated != mftSiCreated at minute precision (both in UTC) for the same normalized filePath indicates timestomping

Inconsistency Summary

When timestomper.exe modifies password.docx, it changes the MFT filesystem timestamps but does not rewrite the Office metadata in docProps/core.xml. The Office graph therefore retains an ioi-ext:dctermsCreated value that disagrees with the MFT graph's ioi-ext:created0x10 value for the same file path. Two observations strengthen the finding in practice: a backdated $SI creation time lands earlier than both dctermsCreated and the $FILE_NAME (0x30) creation time, which SetFileTime cannot change, whereas a document that was merely copied or downloaded to the volume after it was authored shows the opposite order (a fresh $SI creation time later than dctermsCreated) and is not evidence of tampering on its own.

Detection Logic

-- Step 1: Get Office XML metadata (dctermsCreated is UTC, W3CDTF)
FIND office_entries
  RETURN filePath, dctermsCreated AS xmlCreated

-- Step 2: Join MFT records on the same normalized path
--         (created0x30 is the $FILE_NAME creation time, kept for corroboration)
FIND mft_entries WHERE mft_entries.filePath = office_entries.filePath
  RETURN created0x10 AS mftSiCreated, created0x30 AS mftFnCreated

-- Detection Rule: both timestamps are UTC, so compare after truncating to the minute
IF truncate_to_minutes(xmlCreated) != truncate_to_minutes(mftSiCreated)
THEN FLAG 'AF-012: Timestomping Detected via Office XML Metadata'
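The evidence-collection step and the detection rule above, carried out end to end as an added example. This is illustrative code written for this page, not the IoI framework's instantiators or rule engine: it builds a constructed .docx in memory, reads dcterms:created out of docProps/core.xml, joins it with constructed MFT rows on a normalized path, and applies the AF-012 minute-precision rule. It goes one step beyond the page's rule by also recording whether the $SI creation time predates $FN, the usual footprint of SetFileTime. The function names (build_docx, office_created, detect_af012, run_sample), the dict keys created0x10/created0x30, and every path and timestamp in the sample are assumptions made for the example.

```python
# AF-012 worked example: added illustration, not IoI framework code. The .docx is built
# in memory and the MFT rows are constructed dicts standing in for the MFT graph.
import io
import zipfile
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DCTERMS_NS = "http://purl.org/dc/terms/"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"


def build_docx(created: str, modified: str) -> bytes:
    """Minimal OOXML container (constructed sample); only docProps/core.xml matters here."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dcterms="{DCTERMS_NS}" xmlns:xsi="{XSI_NS}">'
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def parse_w3cdtf(value: str) -> datetime:
    """Office writes W3CDTF in UTC ('...Z'); MFT FILETIMEs are UTC too, so compare in UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:  # bare timestamp: assume UTC rather than the analyst's local zone
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def office_created(docx_bytes: bytes) -> datetime:
    """Read dcterms:created from docProps/core.xml inside the ZIP container."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    el = root.find(f"{{{DCTERMS_NS}}}created")
    if el is None or not el.text:
        raise ValueError("docProps/core.xml carries no dcterms:created")
    return parse_w3cdtf(el.text)


def normalize_path(path: str) -> str:
    """Join key shared by both graphs: forward slashes, case-folded, drive letter dropped."""
    path = path.replace("\\", "/").lower()
    if len(path) > 1 and path[1] == ":":
        path = path[2:]
    return path.lstrip("/")


def truncate_to_minutes(dt: datetime) -> datetime:
    return dt.replace(second=0, microsecond=0)


def detect_af012(office_entries, mft_entries):
    """AF-012 rule: flag a path whose core.xml created time and $SI (0x10) created time
    disagree at minute precision. siBeforeFn is added corroboration, not part of the rule."""
    mft_by_path = {normalize_path(m["filePath"]): m for m in mft_entries}
    findings = []
    for o in office_entries:
        key = normalize_path(o["filePath"])
        m = mft_by_path.get(key)
        if m is None:
            continue  # no MFT record for this document, nothing to contradict
        if truncate_to_minutes(o["dctermsCreated"]) != truncate_to_minutes(m["created0x10"]):
            findings.append({
                "filePath": key,
                "rule": "AF-012: Timestomping Detected via Office XML Metadata",
                "xmlCreated": o["dctermsCreated"],
                "mftSiCreated": m["created0x10"],
                "mftFnCreated": m["created0x30"],
                # SetFileTime rewrites $SI only, so a backdated $SI ends up earlier than $FN
                "siBeforeFn": m["created0x10"] < m["created0x30"],
            })
    return findings


def run_sample():
    """Constructed scenario: password.docx was timestomped, report.docx was not."""
    utc = timezone.utc
    office_entries = [  # rows as office_xml_instantiator.py would emit them, built from sample .docx bytes
        {"filePath": r"C:\Users\alice\Documents\password.docx",
         "dctermsCreated": office_created(build_docx("2024-11-03T09:14:05Z", "2024-11-03T09:20:41Z"))},
        {"filePath": r"C:\Users\alice\Documents\report.docx",
         "dctermsCreated": office_created(build_docx("2024-10-01T12:30:00Z", "2024-10-01T12:45:10Z"))},
    ]
    mft_entries = [  # constructed rows standing in for the MFT instantiator output
        {"filePath": "\\Users\\alice\\Documents\\password.docx",
         "created0x10": datetime(2019, 1, 15, 8, 0, 0, tzinfo=utc),    # forged via SetFileTime
         "created0x30": datetime(2024, 11, 3, 9, 14, 7, tzinfo=utc)},  # $FN left untouched
        {"filePath": "\\Users\\alice\\Documents\\report.docx",
         "created0x10": datetime(2024, 10, 1, 12, 30, 21, tzinfo=utc),
         "created0x30": datetime(2024, 10, 1, 12, 30, 21, tzinfo=utc)},
    ]
    return detect_af012(office_entries, mft_entries)
```

Calling run_sample() returns a single finding for password.docx: its core.xml creation time (2024-11-03 09:14 UTC) disagrees with the forged $SI creation time (2019-01-15 08:00 UTC), and siBeforeFn is true because the $FN creation time still reflects the real 2024 creation. report.docx, whose $SI and core.xml times fall in the same minute, is not flagged. Paths are normalized on both sides before the join because the Office and MFT instantiators need not agree on slash direction, case, or the presence of a drive letter.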