Skip to Main Content
Electronic documents made by some application (e.g. Microsoft PowerPoint application) have traces of work like editing, and these traces exist in the format of electronic documents. In digital forensic investigation, examiners have failed to notice traces of past work. It is because of that the traces of the past work cannot be identified by its application easily. However, identifying traces of the past work is important for digital forensic investigation because this data can be essential information which is created by culprit's intention not appeared in electronic document. This paper focuses on analyzing the Microsoft PowerPoint application (version 97 ~ 2003) which has the feature that it has traces of past work. In case of Microsoft PowerPoint file, it is possible to identify traces of past work by analyzing saving algorithm of application. To detect the traces automatically, PRIX (PPT residual information extractor) tool is developed.