Difference between pages "Encase hash files" and "Microsoft Office File formats"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m
 
 
Line 1: Line 1:
{{Expand}}
+
{{expand}}
  
Although [[EnCase]] can import a variety of [[MD5]] hash file formats, it uses a proprietary format to store its hashes. [[Metadata]] is stored at the hash set level. That is, individual hashes do not contain any information specific to them, but the set as a whole can contain some information. No filenames are stored with the hashsets.
+
==Office versions, applications and file formats==
 +
* pre 95 DOS versions
 +
* pre 95 Windows versions
 +
** Microsoft Word 6.0
 +
* Microsoft Office 95
 +
* Microsoft Office 97 - 2003
 +
** Uses the [[OLE Compound File]] format for most of the file formats
 +
*** Microsoft Word uses the [[Word Document (DOC)]] file format
 +
*** Microsoft Excel uses the [[Excel Spreadsheet (XLS)]] file format
 +
*** Microsoft PowerPoint uses the [[PowerPoint Presentation (PPT)]] file format
 +
*** Microsoft Publisher
 +
*** Microsoft Visio
 +
** Microsoft Outlook uses multiple file formats for different purposes
 +
*** the [[Personal Folder File (PAB, PST, OST)]] format to store e-mails, appointments, tasks, notes, contacts, etc. The PFF format changed from a 32-bit to a 64-bit version in Outlook 2003.
 +
*** the [[Nickfile (NK2)]] format to store e-mail address aliases
 +
** Microsoft Access uses a file format based on Microsoft Joint Engine Technology (JET)
 +
* Microsoft Office 2007
 +
** Uses the [[ZIP archive]] file format for most of the file formats
 +
*** Microsoft Word uses the [[Word Document (DOCX)]] file format
 +
*** Microsoft Excel uses the [[Excel Spreadsheet (XLSB)]] and [[Excel Spreadsheet (XLSX)]] file formats
 +
*** Microsoft PowerPoint
 +
*** Microsoft Publisher
 +
*** Microsoft Visio
 +
** Microsoft Outlook
 +
** Microsoft Access
  
Version 3 of [[EnCase]] used a slightly different format than versions 4 and 5. The format for version 6 is not known. Both versions start with the header, in hexadecimal:
+
==See Also==
 +
*[[Tools:Document Metadata Extraction]]
 +
*[[Media:Compdocfileformat.pdf|Microsoft Compound Document File Format]]
  
<pre>48 41 53 48 0d 0a ff 00</pre>
+
==External Links==
  
In ASCII, this looks like <tt>HASH</tt> followed by a newline.
+
===Microsoft.com links===
 +
* [http://msdn.microsoft.com/en-us/library/aa338205.aspx Introducing the Office (2007) Open XML File Formats]
 +
* [http://msdn.microsoft.com/en-us/library/cc313105.aspx Microsoft Office Binary File Format Documents]
 +
* [http://www.microsoft.com/interop/docs/OfficeBinaryFormats.mspx Microsoft Office Binary (doc, xls, ppt) File Formats]
 +
* [http://office.microsoft.com/en-us/products/ha102058151033.aspx Ecma Office Open XML File Formats overview]
 +
* [http://office.microsoft.com/en-us/help/HA100069351033.aspx Introduction to new file name extensions and Open XML Formats]
 +
===Evaluations===
 +
* [http://www.joelonsoftware.com/items/2008/02/19.html Why are the Microsoft Office file formats so complicated? (And some workarounds)]
  
The hashes begin at offset 0x480 in the file.  
+
===Wikipedia===
 +
* [http://en.wikipedia.org/wiki/Microsoft_Word Wikipedia article on Microsoft Word]
 +
* [http://en.wikipedia.org/wiki/Object_Linking_and_Embedding Wikipedia article on OLE]
  
== See also ==
+
[[Category:File Formats]]
 
+
* [[EnCase]]
+

Latest revision as of 16:26, 13 January 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Office versions, applications and file formats

  • pre 95 DOS versions
  • pre 95 Windows versions
    • Microsoft Word 6.0
  • Microsoft Office 95
  • Microsoft Office 97 - 2003
  • Microsoft Office 2007

See Also

External Links

Microsoft.com links

Evaluations

Wikipedia