Monday, December 30, 2013

Microsoft Office Compound Document Internals (Part 2 - Directory Entries)

Building on my previous post about the Compound Document file format, in this post we will discuss the Compound Document Directory Entry structures. Directory Entries are structures that store information about a stream or storage within a Compound Document file. Similar to directory entries in the FAT filesystem, Compound Document Directory Entries contain information such as timestamps, stream / storage names, and starting sector information. In order to recover the contents of a stream or storage, an examiner must first locate the Directory Entry for that particular stream or storage. In this post we will discuss how to locate Directory Entries, how to analyze their structure and content, and which data could be useful to the forensic examiner.

Thursday, December 19, 2013

Microsoft Office Compound Document Internals (Part 1 - Document Header)

Recently I was working on a case where we had a large collection of MS Office documents for review. There were literally thousands of them, and we had to make sense of what documents belonged to what user, and make some sort of picture about who wrote what documents, when they wrote them, and who had viewed or edited them. It occurred to me that the information that I was looking for was contained within the Office documents themselves - in the metadata structures. You see, Microsoft Office keeps track of several bits of metadata within its documents - things such as the usernames of the document author and last editor, dates and times the document was created, last saved, and last printed, as well as a bunch of other potentially useful information. This post describes my efforts to do bulk extraction of this metadata from my massive collection of documents and present that metadata in a way that was useful.

Wednesday, December 18, 2013

Analyzing Linux Memory Dumps with Volatility

In my previous post, I described how to collect a memory dump from a Linux system. In this post, I will describe how to use the Volatility framework to analyze that memory dump. Doing so first requires creating a Volatility profile for the system from which the memory dump was taken.

Linux Memory Forensics

Today I am taking a look at two of the more popular tools for performing memory acquisition from Linux systems. A quick search lands us at ForensicWiki, which lists five tools for performing memory dumps on Linux systems. Two of the more useful freeware tools are fmem and LiME. This post details my experience using both tools.