Difference between pages "Upcoming events" and "Word Document (DOC)"

From ForensicsWiki
(Difference between pages)
 
(File Header)
 
Line 1: Line 1:
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
+
The '''DOC file format''' ('''document file format''') usually has the '''.doc''' extension. Mostly these documents belong to [[Microsoft]] [[Word]] software files. However, other text editing software can be used to display these files (including [[WordPad]], [[WordPerfect]], [[OpenOffice]] and others).
Events should be posted in the correct section, and in date order. An event should NEVER be listed in more than one section (i.e. Ongoing/Continuous events should not be listed in Scheduled Training).  When events begin the same day, events of a longer length should be listed first.  New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
+
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
+
  
This is a BY DATE listing of upcoming events relevant to [[digital forensics]].  It is not an all inclusive list, but includes most well-known activities.  Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
+
The DOC file format should not be confused with [[DOCX]].
  
This listing is divided into four sections (described as follows):<br>
+
== MIME types ==
<ol><li><b><u>Calls For Papers</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
+
<li><b><u>Conferences</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
+
<li><b><u>On-Going / Continuous Training</u></b> - Training opportunities that are either always available online/distance learning format (start anytime) or that are offered the same time every month (Name, date-if applicable, URL)</li><br>
+
<li><b><u>[[Scheduled Training Courses]]</u></b> - Training Classes/Courses that are scheduled for specific dates/locations.  This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Provider, URL) (''note: this has been moved to its own page.'')<br></li></ol>
+
  
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multimedia Sciences Section Listserv. 
+
The following [[MIME types]] apply to this [[file format]]:
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
+
  
== Calls For Papers ==
+
* application/msword
Please help us keep this up-to-date with deadlines for upcoming conferences that would be appropriate for forensic research.
+
* application/doc
 +
* appl/text
 +
* application/vnd.msword
 +
* application/vnd.ms-word
 +
* application/winword
 +
* application/word
 +
* application/x-msw6
 +
* application/x-msword
 +
* zz-application/zz-winassoc-doc
  
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
== File Header ==
|- style="background:#bfbfbf; font-weight: bold"
+
! width="30%|Title
+
! width="15%"|Due Date
+
! width="15%"|Notification Date
+
! width="40%"|Website
+
|-
+
|American Academy of Forensic Sciences 2010 Annual Meeting
+
|Aug 01, 2009
+
|Nov, 2009
+
|http://www.aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
+
|-
+
|IEEE Symposium on Security and Privacy 2010
+
|Nov 2009
+
|
+
|-
+
|ShmooCon 2010
+
|Dec 2009
+
|Jan 2010
+
|http://www.shmoocon.org/cfp.html
+
|-
+
|AusCERT Conference 2010
+
|Dec 2009
+
|Jan 2010
+
|http://conference.auscert.org.au/conf2010/cfp2010.html
+
|-
+
  
|}
+
MS Word documents of version 97 (and probably earlier) begin with the file signature (in hexadecimal) d0cf11e0a1b11ae1 .
 +
This signature signifies the file to be an OLE Compound File (AKA Compound Document File or Compound Binary File)
  
== Conferences ==
+
The OLE Compound File has no distinct footer and a can be considered a file containing a FAT like file system.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! width="40%"|Title
+
! width="20%"|Date/Location
+
! width="40%"|Website
+
|-
+
|ACM Northeast Digital Forensics Exchange
+
|Jul 20-21<br>John Jay College of Criminal Justice/CUNY, NY, NY
+
|http://www.nefx.org/
+
|-
+
|Blackhat USA 2009
+
|Jul 25-30<br>Las Vegas, NV
+
|https://www.blackhat.com/
+
|-
+
|DefCon 17
+
|Jul 31-Aug 02<br>Las Vegas, NV
+
|http://www.defcon.org/
+
|-
+
|Usenix Security Sypmosium
+
|Aug 10-14<br>Montreal, Quebec, Canada
+
|http://www.usenix.org/events/sec09/
+
|-
+
|3rd International Workshop on Computational Forensics
+
|Aug 13-14<br>The Hague, The Netherlands
+
|http://iwcf09.arsforensica.org/
+
|-
+
|Digital Forensic Research Workshop
+
|Aug 17-19<br>Montreal, Quebec, Canada
+
|http://www.dfrws.org
+
|-
+
|GFIRST Annual Conference
+
|Aug 23-28<br>Atlanta, GA
+
|http://www.us-cert.gov/GFIRST/index.html
+
|-
+
|International Workshop on Leveraging Social Patterns for Security, Privacy and Network Architectures
+
|Aug 29-31<br>Vancouver, British Columbia, Canada
+
|http://sp4spna.media.mit.edu
+
|-
+
|Journées francophones de l'investigation numérique (French speaking)
+
|Sep 01-03<br>Neuchâtel, Switzerland
+
|http://www.afsin.org/
+
|-
+
|Triennial Meeting of the European Academy of Forensic Science
+
|Sep 08-11<br>Glasgow, Scotland, UK
+
|http://www.eafs2009.com/
+
|-
+
|New Security Paradigms Workshop (NSPW)
+
|Sep 08-11<br>University of Oxford, UK
+
|http://www.nspw.org/current/
+
|-
+
|Army Research Office Workshop on Digital Forensics
+
|Sep 10-11<br>Washington DC
+
|http://www.engineering.iastate.edu/~guan/ARO-DF/ARO-DF.html
+
|-
+
|International Conference on IT Security Incident Management & IT Forensics
+
|Sep 15-17<br>Stuttgart, Germany
+
|http://imf-conference.org/
+
|-
+
|Hacker Halted USA 2009
+
|Sep 20-24<br>Miami, FL
+
|http://www.hackerhalted.com
+
|-
+
|VB2009 - Fighting malware and spam
+
|Sep 23-25<br>Geneva, Switzerland
+
|http://www.virusbtn.com/conference/vb2009/
+
|-
+
|Recent Advances in Intrusion Detection (RAID) International Symposium
+
|Sep 23-25<br>Saint-Malo, Brittany, France
+
|http://www.rennes.supelec.fr/RAID2009/index.html
+
|-
+
|International ICST Conference on Digital Forensics & Cyber Crime (ICDF2C)
+
|Sep 30 - October 02<br>Albany, NY
+
|http://www.d-forensics.org/
+
|-
+
|Evidence in the Information Age
+
|Oct 23-24<br>Duquesne University, Pittsburgh, PA
+
|http://www.forensics.duq.edu/conference/conferencefront.html
+
|-
+
|Techno Forensics & Digital Investigations Conference
+
|Oct 26-28<br>Gaithersburg, MD
+
|http://www.techsec.com/html/TechnoForensics2009.html
+
|-
+
|USENIX Large Installation System Administration Conference (LISA)
+
|Nov 01-06<br>Baltimore, MD
+
|http://www.usenix.org/events/lisa09/
+
|-
+
|16th ACM Conference on Computer and Communications Security
+
|Nov 09-13<br>Chicago, IL
+
|http://www.sigsac.org/ccs/CCS2009/index.shtml
+
|-
+
|ACM Cloud Computing Security Workshop
+
|Nov 13<br>Chicago, IL
+
|http://crypto.cs.stonybrook.edu/ccsw09/
+
|-
+
|DeepSec In-Depth Security Conference
+
|Nov 17-20<br>Vienna, Austria
+
|https://deepsec.net/
+
|-
+
|First IEEE Workshop on Information Forensics and Security
+
|Dec 06-09<br>London, England
+
|http://www.wifs09.org/
+
|-
+
|DoD Cyber Crime Conference
+
|Jan 22-29<br>St. Louis, MO
+
|http://www.dodcybercrime.com/10CC/
+
|-
+
|American Academy of Forensic Sciences Annual Meeting
+
|Feb. 22-27<br>Seattle, WA
+
|http://www.aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
+
|-
+
|VB2010 Fighting malware and spam
+
|Sep 29 - Oct 01<br>Vancouver, BC, Canada
+
|http://www.virusbtn.com/conference/vb2010/
+
|-
+
|}
+
  
== On-going / Continuous Training ==
+
The Word document format is places on top of the OLE Compound File.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! width="40%"|Title
+
! width="20%"|Date/Location
+
! width="40%"|Website
+
|-
+
|- style="background:pink;align:left"
+
! DISTANCE LEARNING
+
|-
+
|Basic Computer Examiner Course - Computer Forensic Training Online
+
|Distance Learning Format
+
|http://www.cftco.com
+
|-
+
|Linux Data Forensics Training
+
|Distance Learning Format
+
|http://www.crazytrain.com/training.html
+
|-
+
|SANS On-Demand Training
+
|Distance Learning Format
+
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
+
|-
+
|Champlain College - CCE Course
+
|Online / Distance Learning Format
+
|http://extra.champlain.edu/cps/wdc/alliances/cce/landing/
+
|-
+
|Las Positas College
+
|Online Computer Forensics Courses
+
|http://www.laspositascollege.edu
+
|-
+
|- style="background:pink;align:left"
+
!RECURRING TRAINING
+
|-
+
|MaresWare Suite Training
+
|First full week every month<br>Atlanta, GA
+
|http://www.maresware.com/maresware/training/maresware.htm
+
|-
+
|Evidence Recovery for Windows Vista&trade;
+
|First full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for Windows Server&reg; 2003 R2
+
|Second full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for the Windows XP&trade; operating system
+
|Third full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
|Third weekend of every month(Fri-Mon)<br>Dallas, TX
+
|http://www.md5group.com
+
|-
+
|}
+
  
==See Also==
+
The object stream of a word documents contains the string "Word.Document" with some version.
* [[Scheduled Training Courses]]
+
 
==References==
+
== Encryption ==
* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
+
 
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
+
Versions 97/2000 encrypt documents with a very weak algorithm. This password scheme can be broken easily by several different products and it is possible to decrypt the contents without discovering the password. This is done by testing all 1,099,511,627,776 possible keys. Ultimate Zip Cracker by VDGSoftware is one utility that can perform this decryption.
* http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]
+
== See Also==
 +
[[Media:Compdocfileformat.pdf|Microsoft Compound Document File Format]] (This is actually the OpenOffice specification)
 +
 
 +
[http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/WindowsCompoundBinaryFileFormatSpecification.pdf Compound Binary File Specification by Microsoft]
 +
 
 +
Be warned this file contains at least one error: the directory entry name length is a size in bytes not in characters.
 +
 
 +
== Extracting Strings ==
 +
 
 +
On a unix-like machine try this command to extract strings from a .doc file:
 +
 
 +
<code>
 +
cat /tmp/test.doc | tr -d \\0  | strings | more
 +
</code>
 +
 
 +
(where /tmp/test.doc is the path to your .doc file)
 +
 
 +
[[Category:File Formats]]
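
Review bot: In the added See Also text, "Be warned this file contains at least one error" follows two specification links, so a reader cannot tell which document has the directory entry name length error; name the specification in that sentence. The added File Header lines also carry two typos to fix: "and a can be considered" and "is places on top of". In the Encryption paragraph, "a very weak algorithm" is never named, so consider stating which algorithm and key length the 1,099,511,627,776 figure refers to.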

Revision as of 17:43, 30 January 2009

The DOC file format (document file format) usually has the .doc extension. Most of these files are Microsoft Word documents. However, other text editing software can be used to display these files (including WordPad, WordPerfect, OpenOffice and others).

The DOC file format should not be confused with DOCX.

MIME types

The following MIME types apply to this file format:

  • application/msword
  • application/doc
  • appl/text
  • application/vnd.msword
  • application/vnd.ms-word
  • application/winword
  • application/word
  • application/x-msw6
  • application/x-msword
  • zz-application/zz-winassoc-doc

File Header

MS Word documents of version 97 (and probably earlier) begin with the file signature (in hexadecimal) d0cf11e0a1b11ae1. This signature identifies the file as an OLE Compound File (also known as a Compound Document File or Compound Binary File).

The OLE Compound File has no distinct footer and can be considered a file containing a FAT-like file system.

The Word document format is placed on top of the OLE Compound File.

The object stream of a Word document contains the string "Word.Document" with some version.

Encryption

Versions 97/2000 encrypt documents with a very weak algorithm. This password scheme can be broken easily by several different products and it is possible to decrypt the contents without discovering the password. This is done by testing all 1,099,511,627,776 possible keys. Ultimate Zip Cracker by VDGSoftware is one utility that can perform this decryption.

See Also

Microsoft Compound Document File Format (This is actually the OpenOffice specification)

Compound Binary File Specification by Microsoft

Be warned that this file contains at least one error: the directory entry name length is a size in bytes, not in characters.
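
The signature check and FAT-like layout from the File Header section, together with the byte-counted name length noted above, shown as an added Python example (not part of the original page). It goes beyond the page's text by following the standard compound file header and 128-byte directory entry layout; `list_directory`, `build_sample` and the sample file contents are constructed for illustration.

```python
import struct
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # signature quoted on the page
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF

def list_directory(data):
    """Return [(name, object_type, size)] for each used directory entry."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE Compound File")
    major, _, shift = struct.unpack_from("<HHH", data, 26)
    if shift not in (9, 12):
        raise ValueError("unexpected sector shift")
    size = 1 << shift
    def sector(n):                       # sector 0 starts right after the header
        buf = data[(n + 1) * size:(n + 2) * size]
        if len(buf) != size:
            raise ValueError("sector %d lies outside the file" % n)
        return buf
    fat = []                             # FAT sectors named by the header's DIFAT slots
    for s in struct.unpack_from("<109I", data, 76):
        if s != FREESECT:
            fat += struct.unpack("<%dI" % (size // 4), sector(s))
    entries, seen = [], set()
    sect, = struct.unpack_from("<I", data, 48)    # first directory sector
    while sect != ENDOFCHAIN:
        if sect in seen or sect >= len(fat):      # loop or out-of-range link
            raise ValueError("corrupt directory chain")
        seen.add(sect)
        buf = sector(sect)
        for off in range(0, size, 128):
            nbytes, kind = struct.unpack_from("<HB", buf, off + 64)
            if kind == 0:                # unused slot
                continue
            # Name length is in BYTES and counts the 2-byte NUL terminator.
            end = off + min(max(nbytes, 2), 64) - 2
            name = buf[off:end].decode("utf-16-le", "replace")
            length, = struct.unpack_from("<Q", buf, off + 120)
            entries.append((name, kind, length & 0xFFFFFFFF if major == 3 else length))
        sect = fat[sect]
    return entries

def build_sample():
    """Constructed file: header, one FAT sector, one directory sector."""
    def entry(name, kind, length):
        raw = name.encode("utf-16-le") + b"\0\0"
        return struct.pack("<64sHB53xQ", raw, len(raw), kind, length)
    header = OLE_MAGIC + bytes(16) + struct.pack("<5H6x9I109I", 0x3E, 3, 0xFFFE, 9, 6,
        0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0, 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *[FREESECT] * 126)
    return header + fat + entry("Root Entry", 5, 0) + entry("WordDocument", 2, 4096) + bytes(256)
```

Object type 5 is the root storage and 2 is a stream; a parser that read the length field as a character count would run past the terminator and pick up trailing NULs in each name.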

Extracting Strings

On a Unix-like machine, try this command to extract strings from a .doc file:

cat /tmp/test.doc | tr -d \\0 | strings | more

(where /tmp/test.doc is the path to your .doc file)