Friday, January 31, 2014

Forensic Lunch 1/31/14

Thanks again to David Cowen and his team for the opportunity to present my work on the Compound Document File format. For those who were interested in the tools and scripts that were discussed on the show, here are some links:

Python scripts for parsing MS Compound Documents - I have not had a chance to download and test/evaluate these yet but I'm hoping I'll have some free time to do so soon.

Microsoft OffVis tool for parsing MS Compound Documents and detecting malware - direct download

Link to good article describing OffVis and what it does

MSDN documentation on the Microsoft Compound File Binary format

Wednesday, January 29, 2014

Microsoft Office Compound Document Internals (Part 4 - SummaryInformation)

In this segment of the series on Microsoft's Compound Document file format, I am going to discuss the extraction of information from the SummaryInformation data structure. You may have noticed the SummaryInformation references in the directory entries that we viewed in this previous post. The SummaryInformation structure is the internal data structure within Compound Document files that holds the document's metadata: the author's username, the username of the last person to have edited the document, date and time information for file creation, last save, and last print, and statistical information about the file. The SummaryInformation data structure is described here at MSDN. In this post, we will walk through our sample document and extract the document property metadata from the SummaryInformation structure.

Wednesday, January 8, 2014

Microsoft Office Compound Document Internals (Part 3 - FAT, DIFAT, and Mini FAT)

As I have mentioned in previous posts, the Microsoft Office Compound Document file uses an internal File Allocation Table (FAT) structure to keep track of allocated and unallocated sectors within the file. In addition to the FAT, there is also a Double Indirect File Allocation Table (DIFAT), which keeps track of the file sectors used by the FAT itself. The Compound Document file also uses a MiniFAT, which allocates storage in the Mini Stream; that will be the topic of another post. All of these structures map the allocation status of each sector within the Compound Document file, and they are used to recover sector chains, that is, the sequences of sectors that contain the data for a particular stream or storage. In this post, we will discuss the FAT concept in general, and the implementation specifics of the FAT within the Compound Document file.
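To make the sector-chain idea concrete, here is an added example (my own illustration for this page, not code from the posts or tools linked above) that reads the FAT through the header DIFAT, walks a chain to ENDOFCHAIN, lists unallocated sectors, and refuses to follow a cyclic chain of the kind a corrupted or crafted file can contain. The sample file is constructed inline with only the header fields the example needs; the sentinel values and header offsets are those of the [MS-CFB] specification.

```python
import struct

# Sector-number sentinels from [MS-CFB]: FATSECT marks a sector holding the FAT,
# ENDOFCHAIN terminates a chain, FREESECT marks an unallocated sector.
MAXREGSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

def read_fat(data):
    """Load the FAT via the 109 FAT-sector locations stored in the header DIFAT.
    (DIFAT sectors beyond those 109 entries are not followed in this example.)"""
    if data[:8] != SIGNATURE:
        raise ValueError("not a compound document")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]   # 512 for v3, 4096 for v4
    num_fat_sectors = struct.unpack_from("<I", data, 44)[0]
    difat = struct.unpack_from("<109I", data, 76)
    fat = []
    for fat_sect in difat[:num_fat_sectors]:
        if fat_sect > MAXREGSECT:               # FREESECT padding: no more FAT sectors
            break
        offset = (fat_sect + 1) * sector_size   # sector n lives one sector past the header
        fat.extend(struct.unpack_from(f"<{sector_size // 4}I", data, offset))
    return fat

def sector_chain(fat, start):
    """Follow a chain from `start` to ENDOFCHAIN; a revisited or out-of-range
    sector means a corrupted or crafted FAT, so fail instead of looping forever."""
    chain, sect = [], start
    while sect <= MAXREGSECT:
        if sect in chain or sect >= len(fat):
            raise ValueError(f"bad FAT chain at sector {sect}")
        chain.append(sect)
        sect = fat[sect]
    if sect != ENDOFCHAIN:
        raise ValueError(f"chain terminated by sentinel {sect:#x}")
    return chain

def free_sectors(fat, num_sectors):
    """Sectors within the file that the FAT marks unallocated (where old data may linger)."""
    return [i for i in range(min(num_sectors, len(fat))) if fat[i] == FREESECT]

def build_sample():
    """Constructed minimal v3 file: 512-byte header, sector 0 holds the FAT,
    sectors 1 -> 3 -> 4 form one stream chain, sector 2 is unallocated."""
    hdr = bytearray(512)
    hdr[:8] = SIGNATURE
    struct.pack_into("<H", hdr, 30, 9)       # sector shift 9 = 512-byte sectors
    struct.pack_into("<I", hdr, 44, 1)       # one FAT sector
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # DIFAT[0] = sector 0
    entries = [FREESECT] * 128               # 512 / 4 = 128 entries per FAT sector
    entries[0], entries[1], entries[3], entries[4] = FATSECT, 3, 4, ENDOFCHAIN
    return bytes(hdr) + struct.pack("<128I", *entries) + bytes(512 * 4)
```

Running `sector_chain(read_fat(build_sample()), 1)` yields `[1, 3, 4]`, and pointing sector 4 back at sector 1 in the FAT makes the walk raise instead of spinning.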