Active Directory Time Sync Breakdown

A Tale of Woe and PDF Creators (or Dig Up Abbott, Dig Up).

I’ve been working in public sector IT for the better part of 7 years now, starting off as a lowly help desk operator and working my way up through the ranks to the senior technical consultant position I find myself in today. I’m not telling you this to brag (indeed, I don’t believe I’m completely unique in this regard); rather, I want to impress upon you the level of familiarity I have when it comes to government IT systems. I’ve worked in departments ranging from mere hundreds of employees to the biggest public service organisation that exists within Australia. So when I say Tony Abbott’s office isn’t giving us the full story on this whole Peter Slipper incident and the subsequent time zone argument they used to defend their position, you’ll know that I’m not just making stuff up.

For reference, his whole argument has been thoroughly debunked by Sortius in his brilliant “10 hours of bullshit”, where he shows that the document has had its date modified to show a 10 hour discrepancy. Back when it was first published he was just going off public information, but recent updates to the post have seen him get his hands on the original press release with an unmodified date on it, showing that the press release was indeed drafted the night before. You’d think that’d be the last of it (and indeed if it was I would’ve simply tweeted it again); however, the Department of Parliamentary Services (DPS) has gone on record saying that they have identified a problem with the time stamps on the files in question and have backed up Abbott’s side of the story.

Reporters have since been granted access to the PC and shown similar files which seem to suffer the same Zulu time zone problem that apparently plagues the press release in question. What wasn’t investigated was whether or not files created in the way that Sortius has shown suffer from the same issue, i.e. is there an ongoing technical issue with that particular computer, or are those files the result of the same kind of tampering that the press release appears to have undergone? That would go some way to explaining what’s going on here, but it doesn’t explain why the time stamp shows a Zulu time zone, which Microsoft Word isn’t capable of producing.

Indeed, doing a little research for myself shows that PDFs created from Microsoft Word’s PDF creator plugin will always show created/modified dates that are more or less identical and reflect the time the PDF was created (not the time when the original Word document was created). If we’re to believe that there was some problem with the PC that caused the Z to appear, it follows that it should have been the same for both the created date and the modified date. The fact that there’s a discrepancy gives credence to the idea that the PDF was first created using the Word PDF exporter and then modified afterwards using another program. The original document, the one shown in the final update from Sortius, shows some differences in created/modified times; however, it appears that it was created using the PDFMaker Plugin for Word and then later modified in Adobe Distiller (not the same way as the metadata in the modified press release indicates).

Now this doesn’t necessarily mean that Abbott was aware of this information, but it does imply that someone working for him was. In attempting to track down just who it was who created the PDF I came across 2 probable people (one person who I think works at DPS and a Brisbane based ghost writer) but I wasn’t able to verify it was actually one or the other. Whoever did write it would be able to provide some insights into this whole thing, but it’s unlikely that they’ll ever come forward, especially considering the fact that they would’ve been working for Abbott at the time (and may still be).

All of this points in the direction that something is going on over there and that further investigation is definitely warranted. I know there are several other things I could do to either verify or debunk this theory completely should I have more open access to said system, but I doubt we’ll get anything more than the guided tour that was given to the ABC journalists already. If I still had people I knew working at DPS you can be assured that I’d get the full story from them but alas, I came up dry on this one. Sortius is still on the case though, and I’m very interested to see what DPS has to say about the current discrepancies and will keep you posted on the progress.
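
The created/modified comparison discussed in this post, as an added example (not code from the post or from Sortius): it parses the Create Date and Modify Date strings quoted in the comments below and shows how far apart the two readings of an unlabelled or Z-labelled timestamp are. The function names and the +10:00 local offset (taken from the Modify Date on the page) are assumptions of the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: local offset taken from the +10:00 on the page's Modify Date.
LOCAL = timezone(timedelta(hours=10))
DATE_RE = re.compile(
    r"(\d{4}):(\d\d):(\d\d) (\d\d):(\d\d):(\d\d)(Z|[+-]\d\d:\d\d)?$")

def parse_pdf_date(text):
    """Return (datetime, style); style is 'none', 'utc' or 'offset'."""
    m = DATE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised date string: {text!r}")
    stamp = datetime(*(int(g) for g in m.groups()[:6]))
    suffix = m.group(7)
    if suffix is None:
        return stamp, "none"            # wall clock only, zone unknown
    if suffix == "Z":
        return stamp.replace(tzinfo=timezone.utc), "utc"
    sign = -1 if suffix[0] == "-" else 1
    offset = sign * timedelta(hours=int(suffix[1:3]), minutes=int(suffix[4:6]))
    return stamp.replace(tzinfo=timezone(offset)), "offset"

def compare(create, modify, local=LOCAL):
    """Summarise what a Create/Modify pair can and cannot tell an examiner."""
    c, c_style = parse_pdf_date(create)
    m, m_style = parse_pdf_date(modify)
    wall = c.replace(tzinfo=None)
    read_as_utc = wall.replace(tzinfo=timezone.utc)
    read_as_local = wall.replace(tzinfo=local)
    c_aware = c if c.tzinfo else read_as_local   # unlabelled: assume local
    m_aware = m if m.tzinfo else m.replace(tzinfo=local)
    return {
        "styles": (c_style, m_style),
        # True when the two fields use different zone notations.
        "mixed_styles": c_style != m_style,
        "create_read_as_utc": read_as_utc.astimezone(local),
        "create_read_as_local": read_as_local,
        "ambiguity": read_as_utc - read_as_local,
        "modified_after": m_aware - c_aware,
    }

if __name__ == "__main__":
    # Values as quoted in the comments on this page (first and second PDF).
    pairs = [("2012:04:20 23:08:32", "2012:04:20 23:08:32"),
             ("2012:04:20 23:08:32Z", "2012:04:23 10:04:23+10:00")]
    for create, modify in pairs:
        for key, value in compare(create, modify).items():
            print(f"{key:>22}: {value}")
        print()
```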

10 Comments

  1. There are so many ways to turn a Word document into a PDF that unless you know exactly which tool is being used it is pure speculation.

    I think the timezone issue (whatever the source) is a credible explanation for the 10 hour discrepancy.

    This all blew up because Abbott made a mess of the explanation (talking about clocks being wrong).

    When you run a delta over the metadata between the two versions of 12-04-21-Statement-on-Peter-Slipper-MP.pdf provided by Sortius, the thing that jumps out is how much metadata is missing from the first PDF. From that I’m guessing they used some sort of manual process as shown here:

    http://legalloudspeaker.com/2011/10/07/mind-over-metadata-tips-for-removing-hidden-data-from-your-legal-documents/

  2. Indeed there are, however if you look at the PDFs on Sortius’ web site you can see exactly which programs were used and I reference them in the post above.

    It’s a possible explanation but one that’s got an increasing number of holes in it. There needs to be more investigation into this and no, DPS’ word that everything is OK isn’t enough in this regard. It blew up because there are discrepancies in here that don’t match the story that’s being reported on, not just because Abbott flubbed the technical details.

    Wait, on the one hand you’re saying the time zone is a credible explanation but you’re linking me to methods that detail how to remove metadata from documents? What are you suggesting exactly?

  3. If the original PDF was created via a different method (i.e. Print to PDF) then the resulting metadata should be much less. It might be (and I can’t test this because I’m not on Windows) that the timestamp comes across stripped of TZ.

    The reasons for doing this might be nefariousness, or just part of loosely followed Office InfoSec Policy or just different workers having a different work-flow.

    This is the metadata missing from the first PDF:
    XMP Toolkit : Adobe XMP Core 4.0-c316 44.253921, Sun Oct 01 2006 17:14:39
    Format : application/pdf
    Creator Tool : Microsoft® Office Word 2007
    Metadata Date : 2012:04:23 10:04:23+10:00
    Document ID : uuid:296b3686-3a6b-44af-b2cc-b94b07c76574
    Instance ID : uuid:7530710a-61fc-456b-b18d-38344214330b

    This is the metadata changed:
    Linearized : No
    Create Date : 2012:04:20 23:08:32
    Modify Date : 2012:04:20 23:08:32
    Becomes:
    Linearized : Yes
    Create Date : 2012:04:20 23:08:32Z
    Modify Date : 2012:04:23 10:04:23+10:00

    If you accept that the create date is correct (no silly buggers) in the second version, then it becomes obvious (although not yet tested) that an alternate method of producing the PDF (such as Print to PDF) that strips out metadata, might also take out the TZ information.

  4. > In attempting to track down just who it was who created the PDF I came across 2 probable people (one person who I think works at DPS and a Brisbane based ghost writer) but I wasn’t able to verify it was actually one or the other.

    If you check one of your candidates again, you will find she has just put her twitter feed into protected mode.

  5. Indeed, which is why I think more investigation is warranted rather than just taking DPS’s word at face value. We definitely know that the original (the one obtained by Sortius from a source in the press) was created via the PDFMaker plugin and later edited in Distiller and the suspicious ones were created in Word through its built-in PDF functionality. That’s enough for me to want a bit more detail on how this whole thing is created.

    Appears I might’ve been on the right track then although I didn’t want to say anything because I know how ruthless keyboard warriors can be with things like this. Hopefully she’s not getting harassed about this but it would be nice to see if she could shed any light on this subject.

  6. So the Brisbane based ghost writer’s name was an unfortunate coincidence? Oh dear, I think I sent him a nasty tweet. I had better go apologise.

  7. I commend you on your work but it only really states what most know about Tony Abbott. Look up how Tony nearly stole the last election on a lie at YouTube, search “Video Tony Abbott didnt want the public to see” http://www.youtube.com/watch?v=WgjGWYZSVUA what brought it all undone was that no-one won the election, Liberal nor Labor, so the Independents asked that the Liberal costings be put into treasury as they refused pre election stating they had one of the top five accountancy companies to do their costings and certified “in law that our numbers are accurate” Read more: http://www.theage.com.au/national/lib-policy-costings-exposed-by-ruling-20111130-1o773.html#ixzz2FOtSuxuL!! hence the $11bil black hole confirmed by the fact the company was nearly de-registered and the two accountants that did the deed were fined $5000 each!! http://www.theage.com.au/national/lib-policy-costings-exposed-by-ruling-20111130-1o773.html yes most already know Tony will do anything to get the job as it were!!

  8. Good to see a better explanation from DPS, something which I was asking for all along. Whilst it didn’t line up with what we were thinking was happening we wouldn’t have received a better explanation had this issue not been brought up and pressure applied to DPS to clarify their answer.

    Hopefully they’ll continue to be this open in the future.
