Word Document (DOCX)

From Forensics Wiki

DOCX is the file format for Microsoft Office 2007 and later.

DOCX should not be confused with [[DOC]], the format used by earlier versions of Microsoft Office.

= Container Format =

DOCX is written in an XML format, which consists of a [[ZIP archive]] file containing [[XML]] and binaries. Content can be analysed without modification by unzipping the file (e.g. in WinZIP) and analysing the contents of the archive.

The file _rels/.rels contains information about the structure of the document. It contains paths to the metadata information as well as to the main XML document that contains the content of the document itself.

Metadata information is usually stored in the folder docProps. Two or more XML files are stored inside that folder: app.xml, which stores metadata extracted from the Word application itself, and core.xml, which stores metadata about the document itself, such as the author name, the last time it was printed, etc.

Another folder contains the actual content of the document; in a Word (.docx) document the folder's name is word. An XML file called document.xml is the main document, containing most of the content of the document itself.
= Relationship to OOXML =

Office Open XML is an open XML standard developed by Microsoft for word processing documents, spreadsheets, presentations and charts. The OOXML standard was submitted to the ISO for approval. After initially being rejected over technical concerns, the ISO approved a modified version as ISO/IEC 29500:2008. Microsoft intended to use the OOXML standard for its Office suite. However, Office does not support the standard that the ISO approved; it only supports the standard that was originally rejected by the ISO[http://arstechnica.com/microsoft/news/2010/04/iso-ooxml-convener-microsofts-format-heading-for-failure.ars]. As of Office 2010, Microsoft has still not brought its software into compliance with the standard.

For most purposes OOXML may be considered a subset of DOCX (DOCX contains additional features, like OLE serialization).

Documentation on OOXML may provide a guide to analysing a DOCX file.

= Metadata =

== Core (Document) Properties ==

<pre>
docProps/core.xml
</pre>

<pre>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:dcterms="http://purl.org/dc/terms/"
    xmlns:dcmitype="http://purl.org/dc/dcmitype/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>User 1</dc:creator>
<cp:lastModifiedBy>User 2</cp:lastModifiedBy>
<cp:revision>3</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2012-11-07T23:29:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2013-08-25T22:18:00Z</dcterms:modified>
</cp:coreProperties>
</pre>
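The container walk described under Container Format (list the ZIP parts, follow _rels/.rels to the metadata and main-document parts) and the core.xml sample above, as a worked example added here. This is not code from the Forensics Wiki page or from any of the tools it links; it uses only the Python standard library. The package is constructed in memory: core.xml is the sample from this page, while _rels/.rels, app.xml and document.xml are minimal hand-written stand-ins that use the standard OPC relationship-type URIs (a real package also carries [Content_Types].xml, which this parser does not need). The function names and the report layout are my own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the parts inspected below (standard OPC / WordprocessingML URIs).
NS = {
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}

# Constructed sample parts. CORE_XML is the page's own docProps/core.xml sample;
# the other three are minimal stand-ins for what Word writes.
RELS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/>
<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/>
</Relationships>"""

CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:dcterms="http://purl.org/dc/terms/"
    xmlns:dcmitype="http://purl.org/dc/dcmitype/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>User 1</dc:creator>
<cp:lastModifiedBy>User 2</cp:lastModifiedBy>
<cp:revision>3</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2012-11-07T23:29:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2013-08-25T22:18:00Z</dcterms:modified>
</cp:coreProperties>"""

# Constructed app.xml: application-side metadata, as the page describes.
APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
<Application>Microsoft Office Word</Application>
<AppVersion>14.0000</AppVersion>
</Properties>"""

# Constructed word/document.xml with two paragraphs; text lives in w:t runs.
DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body><w:p><w:r><w:t>Hello</w:t></w:r><w:r><w:t xml:space="preserve"> world</w:t></w:r></w:p>
<w:p><w:r><w:t>Second paragraph</w:t></w:r></w:p></w:body></w:document>"""


def build_sample_docx():
    """Zip the constructed parts into an in-memory .docx (a ZIP archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("_rels/.rels", RELS_XML)
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
        zf.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def parse_rels(zf):
    """Read _rels/.rels and map each relationship type (its last URI segment,
    e.g. 'officeDocument' or 'core-properties') to the part it points at."""
    root = ET.fromstring(zf.read("_rels/.rels"))
    rels = {}
    for rel in root.findall("rel:Relationship", NS):
        kind = rel.get("Type", "").rsplit("/", 1)[-1]
        rels[kind] = rel.get("Target", "").lstrip("/")
    return rels


def parse_properties(xml_bytes):
    """Flatten core.xml or app.xml into {local-name: text}; the namespace
    prefix is dropped, so dc:creator and cp:revision become 'creator' and
    'revision'."""
    root = ET.fromstring(xml_bytes)
    return {child.tag.rsplit("}", 1)[-1]: (child.text or "").strip() for child in root}


def extract_text(xml_bytes):
    """Join the w:t runs of every w:p paragraph in document.xml, one line per paragraph."""
    root = ET.fromstring(xml_bytes)
    w = "{%s}" % NS["w"]
    return "\n".join(
        "".join(t.text or "" for t in p.iter(w + "t")) for p in root.iter(w + "p")
    )


def analyse_docx(data):
    """Walk a .docx without modifying it: list the parts, follow _rels/.rels
    to the metadata and main-document parts, and read each one found."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        parts = set(zf.namelist())
        report["parts"] = sorted(parts)
        rels = parse_rels(zf)
        report["relationships"] = rels
        for kind, label in (("core-properties", "core"), ("extended-properties", "app")):
            target = rels.get(kind)
            if target in parts:  # a relationship may point at a part that is absent
                report[label] = parse_properties(zf.read(target))
        main = rels.get("officeDocument")
        if main in parts:
            report["text"] = extract_text(zf.read(main))
    return report


def sample_report():
    """Run the analysis over the constructed package."""
    return analyse_docx(build_sample_docx())


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(key, value)
```

Pointing analyse_docx at the bytes of a real .docx works the same way; the report records which relationships were present and which target parts were actually in the archive, which is the first thing to check when a document has been hand-edited or produced by something other than Word.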
= External Links =

* [http://msdn.microsoft.com/en-us/library/aa338205.aspx Introducing the Office (2007) Open XML File Formats], by [[Microsoft]], May 2006
* [http://dublincore.org/documents/2012/06/14/dcmi-terms/?v=elements# DCMI Metadata Terms]
* [http://www.simson.net/clips/academic/2009.IEEE.DOCX.pdf The new XML Office Document Files: Implications For Forensics], [[Simson L. Garfinkel]] and James Migletz
* [http://blog.kiddaland.net/2009/06/office-2007-metadata/ Perl script that displays metadata information that is extracted from an OpenXML document], by [[Kristinn Gudjonsson]], June 2009
* [http://blog.kiddaland.net/2009/07/antiword-for-office-2007/ Perl script that displays the content of a Docx document, similar to Antiword], by [[Kristinn Gudjonsson]], July 2009
* [http://computer-forensics.sans.org/blog/2009/07/10/office-2007-metadata/ Office 2007 Metadata], by [[Kristinn Gudjonsson]], July 10, 2009

[[Category:File Formats]]

Knoppix STD

Revision as of 04:40, 18 January 2014

This tool is deprecated. The tool that this page describes is deprecated and is no longer under active development. Further information might be found on the discussion page.

{{Infobox_Software |
  name = Knoppix STD |
  maintainer = [[STD project]] |
  os = [[Linux]] |
  genre = {{Live CD}}, {{Incident Response}} |
  license = {{GPL}} |
  website = [http://s-t-d.org/ s-t-d.org/] |
}}

Knoppix STD is a [[computer forensics]] / [[Incident Response|incident response]] [[Live CD]] based on Knoppix.

== Tools ==

=== Forensics ===

* [[Sleuthkit]] 1.66 : extensions to The Coroner's Toolkit forensic toolbox.
* autopsy 1.75 : Web front-end to TASK. Evidence Locker defaults to /mnt/evidence
* biew : binary viewer
* bsed : binary stream editor
* consh : logged shell (from F.I.R.E.)
* coreography : analyze core files
* dcfldd : US DoD Computer Forensics Lab version of dd
* fenris : code debugging, tracing, decompiling, reverse engineering tool
* fatback : undelete FAT files
* foremost : recover specific file types from disk images (like all JPG files)
* ftimes : system baseline tool (be proactive)
* galleta : recover Internet Explorer cookies
* hashdig : dig through hash databases
* hdb : java decompiler
* mac-robber : TCT's graverobber written in C
* [[md5deep]] : run md5 against multiple files/directories
* memfetch : force a memory dump
* pasco : browse IE index.dat
* photorec : grab files from digital cameras
* readdbx : convert Outlook Express .dbx files to mbox format
* readoe : convert entire Outlook Express .directory to mbox format
* rifiuti : browse Windows Recycle Bin INFO2 files
* secure_delete : securely delete files, swap, memory, etc.
* testdisk : test and recover lost partitions
* wipe : wipe a partition securely; good for prepping a partition for dd
* and other typical system tools used for forensics (dd, lsof, strings, grep, etc.)

== External Links ==

* [http://s-t-d.org/ Official Site]
* [http://forum.s-t-d.org/ Support Forum]