Difference between pages "Word Document (DOCX)" and "Windows 8"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(External Links)
 
(External Links)
 
Line 1: Line 1:
DOCX is the file format for Microsoft Office 2007 and later.  
+
Initially Windows 8 had a workstation and server edition. The server edition became Windows Server 2012.
  
DOCX should not be confused with [[DOC]], the format used by earlier versions of Microsoft Office.
+
== New Features ==
 +
The following new features were introduced in Windows 8:
 +
* [[Windows File History | File History]]
 +
* [[Windows Storage Spaces | Storage Spaces]]
 +
* [[Search Charm History]]
  
= Container Format =
+
== File System ==
 +
The file system used by Windows 8 is primarily [[NTFS]].
  
DOCX is written in an XML format, which consists of a [[ZIP archive]] file containing [[XML]] and binaries. Content can be analysed without modification by unzipping the file (e.g. in WinZIP) and analysing the contents of the archive.
+
The [[Resilient File System (ReFS)]] was initially available in the Windows 8 server edition but became part of Windows 2012 server edition.
  
The file _rels/.rels contains information about the structure of the document.  It contains paths to the metadata information as well as the main XML document that contains the content of the document itself.
+
== Jump Lists ==
 +
[[Jump Lists]] are Task Bar artifacts that were first introduced on Windows 7 and are also available on Windows 8.
  
Metadata information are usually stored in the folder docProps.  Two or more XML files are stored inside that folder, app.xml that stores metadata information extracted from the Word application itself and core.xml that stores metadata from the document itself, such as the author name, last time it was printed, etc.
+
== [[Prefetch]] ==
 +
The prefetch hash function is similar to [[Windows 2008]].
  
Another folder contains the actual content of the document, in a Word document, or an .docx document the folder's name is word.  A XML file called document.xml is the main document, containing most of the content of the document itself.
+
The [[Windows Prefetch File Format]] was changed on Windows 8.1 to version 26. (note this could be Windows 8 as well but has not been confirmed)
  
= Relationship to OOXML =
+
== Registry ==
 +
The [[Windows_Registry|Windows Registry]] remains a core component of the Windows operating system.
  
Office Open XML is an open XML standard developed by Microsoft for word processing documents, spreadsheets, presentations and charts. The OOXML standard was submitted to the ISO for approval.  After initially being rejected over technical concerns, the ISO approved a modified version as ISO/IEC 29500:2008. Microsoft intended to use the OOXML standard for its Office suite. However, Office does not support the standard that the ISO approved, it only supports the standard that was originally rejected by the ISO[http://arstechnica.com/microsoft/news/2010/04/iso-ooxml-convener-microsofts-format-heading-for-failure.ars]. As of Office 2010, Microsoft has still not brought its software into compliance with the standard.
+
== See Also ==
 +
* [[Windows]]
 +
* [[Windows Vista]]
 +
* [[Windows 7]]
  
For most purposes OOXML may be considered a subset of DOCX (DOCX contains additional features, like OLE serialization).
+
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Features_new_to_Windows_8 Features new to Windows 8], Wikipedia
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics Windows 8 Forensics - part 1]
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2 Windows 8 Forensics - part 2]
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-3 Windows 8 Forensics - part 3]
 +
* [http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf Windows 8 Forensic Guide], by [[Amanda Thomson|Amanda C. F. Thomson]], 2012
 +
* [http://forensicfocus.com/Forums/viewtopic/t=9604/ Forensic Focus: Windows 8 Forensics - A First Look], [http://www.youtube.com/watch?v=uhCooEz9FQs&feature=youtu.be Presentation], [http://www.forensicfocus.com/downloads/windows-8-forensics-josh-brunty.pdf Slides], by [[Josh Brunty]], August 2012
 +
* [http://dfstream.blogspot.ch/2013/03/windows-8-tracking-opened-photos.html Windows 8: Tracking Opened Photos], by [[Jason Hale]], March 8, 2013
 +
* [http://dfstream.blogspot.com/2013/09/windows-8-and-81-search-charm-history.html Windows 8 and 8.1: Search Charm History], by [[Jason Hale]], September 9, 2013
 +
* [http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html Amcache.hve in Windows 8 - Goldmine for malware hunters], by Yogesh Khatri, December 4, 2013
  
Documentation on OOXML may provide a guide to analysing a DOCX file.
+
[[Category:Operating systems]]
 
+
= Metadata =
+
 
+
== Core (Document) Properties ==
+
<pre>
+
docProps/core.xml
+
</pre>
+
 
+
<pre>
+
&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?&gt;
+
&lt;cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
+
    xmlns:dc="http://purl.org/dc/elements/1.1/"
+
    xmlns:dcterms="http://purl.org/dc/terms/"
+
    xmlns:dcmitype="http://purl.org/dc/dcmitype/"
+
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"&gt;
+
&lt;dc:creator&gt;User 1&lt;/dc:creator&gt;
+
&lt;cp:lastModifiedBy&gt;User 2&lt;/cp:lastModifiedBy&gt;
+
&lt;cp:revision&gt;3&lt;/cp:revision&gt;
+
&lt;dcterms:created xsi:type="dcterms:W3CDTF"&gt;2012-11-07T23:29:00Z&lt;/dcterms:created&gt;
+
&lt;dcterms:modified xsi:type="dcterms:W3CDTF"&gt;2013-08-25T22:18:00Z&lt;/dcterms:modified&gt;
+
&lt;/cp:coreProperties&gt;
+
</pre>
+
 
+
= External Links =
+
 
+
* [http://msdn.microsoft.com/en-us/library/aa338205.aspx Introducing the Office (2007) Open XML File Formats], by [[Microsoft]], May 2006
+
* [http://www.simson.net/clips/academic/2009.IEEE.DOCX.pdf The new XML Office Document Files: Implications For Forensics], [[Simson L. Garfinkel]] and James Migletz
+
* [http://blog.kiddaland.net/2009/06/office-2007-metadata/ Perl script that displays metadata information that is extracted from an OpenXML document], by [[Kristinn Gudjonsson]], June 2009
+
* [http://blog.kiddaland.net/2009/07/antiword-for-office-2007/ Perl script that displays the content of a Docx document, similar to Antiword], by [[Kristinn Gudjonsson]], July 2009
+
* [http://computer-forensics.sans.org/blog/2009/07/10/office-2007-metadata/ Office 2007 Metadata], by [[Kristinn Gudjonsson]], July 10, 2009
+
 
+
[[Category:File Formats]]
+

Revision as of 02:07, 5 December 2013

Initially Windows 8 had a workstation and server edition. The server edition became Windows Server 2012.

New Features

The following new features were introduced in Windows 8:

File System

The file system used by Windows 8 is primarily NTFS.

The Resilient File System (ReFS) was initially available in the Windows 8 server edition but became part of Windows 2012 server edition.

Jump Lists

Jump Lists are Task Bar artifacts that were first introduced on Windows 7 and are also available on Windows 8.

Prefetch

The prefetch hash function is similar to Windows 2008.

The Windows Prefetch File Format was changed on Windows 8.1 to version 26. (note this could be Windows 8 as well but has not been confirmed)

Registry

The Windows Registry remains a core component of the Windows operating system.

See Also

External Links