AF-012 Reproducibility Dataset: Office Metadata Timestamp Contradiction

This dataset contains the primary forensic artifacts for AF-012, a reproducibility case for detecting timestamp contradictions between embedded Office XML metadata and NTFS metadata on Windows 10.

AF-012 models an anti-forensic scenario in which a document’s filesystem timestamp is forged while embedded Office metadata in docProps/core.xml provides an independent creation timestamp for comparison. The inconsistency is detected by correlating Office XML metadata extracted from an Office package with corresponding NTFS timestamps in MFT. The expected detection outcome is that AF-012 should fire when the embedded Office metadata creation time predates the MFT STANDARD_INFORMATION creation time for the same file.

Included files in this version are: af012_mft, the raw NTFS Master File Table artifact; af012_mft.csv, the parsed MFT export used to analyze filesystem timestamps and normalized file paths; and af012_password_docx_xml.rar, an archive of the extracted Office package directory containing docProps/core.xml and related Office XML components used for Office-side JSON-LD generation in the IoI framework.

The Office-side evidence was prepared as an extracted Office package directory so that office_xml_instantiator.py can generate the same JSON-LD structure from the unpacked folder as from the original .docx, while NTFS artifacts were extracted from the source image and parsed into CSV using MFTECmd-compatible forensic workflow for reproducible downstream mapping and validation in the IoI framework.

Scenario summary: platform Windows 10; artifact type Office XML metadata and NTFS metadata; manipulation filesystem timestamp forgery using timestomper.exe; expected inconsistency embedded Office XML metadata provides a creation timestamp that predates the MFT $STANDARD_INFORMATION creation time for the same file.

Related framework resources: framework repository https://github.com/ioi-framework/ioi-framework ; case materials https://github.com/ioi-framework/ioi-framework/tree/main/CASES/AF-012 ; website case page https://ioi-framework.github.io/cases/af-012/

This record is intended as a versioned reproducibility dataset for the AF-012 case and may be updated in future Zenodo versions as additional documentation, checksums, manifests, or companion derived files are added.