
Difference between pages "Encase hash files" and "Microsoft Office File formats"

From ForensicsWiki
(Difference between pages)
Line 1: Line 1:
{{Expand}}
+
{{expand}}
  
Although [[EnCase]] can import a variety of [[MD5]] hash file formats, it uses a proprietary format to store its hashes. [[Metadata]] is stored at the hash set level. That is, individual hashes do not contain any information specific to them, but the set as a whole can contain some information. No filenames are stored with the hashsets.
+
==Office versions, applications and file formats==
 +
* pre 95 DOS versions
 +
* pre 95 Windows versions
 +
** Microsoft Word 6.0
 +
* Microsoft Office 95
 +
* Microsoft Office 97 - 2003
 +
** Uses the [[OLE Compound File]] format for most of the file formats
 +
*** Microsoft Word uses the [[Word Document (DOC)]] file format
 +
*** Microsoft Excel uses the [[Excel Spreadsheet (XLS)]] file format
 +
*** Microsoft PowerPoint uses the [[PowerPoint Presentation (PPT)]] file format
 +
*** Microsoft Publisher
 +
*** Microsoft Visio
 +
** Microsoft Outlook uses multiple file formats for different purposes
 +
*** the [[Personal Folder File (PAB, PST, OST)]] format to store e-mails, appointments, tasks, notes, contacts, etc. The PFF format changed from a 32-bit to a 64-bit version in Outlook 2003.
 +
*** the [[Nickfile (NK2)]] format to store e-mail address aliases
 +
** Microsoft Access uses a file format based on Microsoft Joint Engine Technology (JET)
 +
* Microsoft Office 2007
 +
** Uses the [[ZIP archive]] file format for most of the file formats
 +
*** Microsoft Word uses the [[Word Document (DOCX)]] file format
 +
*** Microsoft Excel uses the [[Excel Spreadsheet (XLSB)]] and [[Excel Spreadsheet (XLSX)]] file formats
 +
*** Microsoft PowerPoint
 +
*** Microsoft Publisher
 +
*** Microsoft Visio
 +
** Microsoft Outlook
 +
** Microsoft Access
  
Version 3 of [[EnCase]] used a slightly different format than versions 4 and 5. The format for version 6 is not known. Both versions start with the header, in hexadecimal:
+
==See Also==
 +
*[[Tools:Document Metadata Extraction]]
 +
*[[Media:Compdocfileformat.pdf|Microsoft Compound Document File Format]]
  
<pre>48 41 53 48 0d 0a ff 00</pre>
+
==External Links==
  
In ASCII, this looks like <tt>HASH</tt> followed by a newline.
+
===Microsoft.com links===
 +
* [http://msdn.microsoft.com/en-us/library/aa338205.aspx Introducing the Office (2007) Open XML File Formats]
 +
* [http://msdn.microsoft.com/en-us/library/cc313105.aspx Microsoft Office Binary File Format Documents]
 +
* [http://www.microsoft.com/interop/docs/OfficeBinaryFormats.mspx Microsoft Office Binary (doc, xls, ppt) File Formats]
 +
* [http://office.microsoft.com/en-us/products/ha102058151033.aspx Ecma Office Open XML File Formats overview]
 +
* [http://office.microsoft.com/en-us/help/HA100069351033.aspx Introduction to new file name extensions and Open XML Formats]
 +
===Evaluations===
 +
* [http://www.joelonsoftware.com/items/2008/02/19.html Why are the Microsoft Office file formats so complicated? (And some workarounds)]
  
The hashes begin at offset 0x480 in the file.  
+
===Wikipedia===
 +
* [http://en.wikipedia.org/wiki/Microsoft_Word Wikipedia article on Microsoft Word]
 +
* [http://en.wikipedia.org/wiki/Object_Linking_and_Embedding Wikipedia article on OLE]
  
== See also ==
+
[[Category:File Formats]]
 
+
* [[EnCase]]
+
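Review bot: In the added "Microsoft Office 2007" list, the entries for PowerPoint, Publisher, Visio, Outlook and Access name no file format, and Publisher and Visio sit under the "Uses the [[ZIP archive]] file format for most of the file formats" bullet without saying whether that applies to them. The "Microsoft Office 97 - 2003" list links a format page for Word, Excel, PowerPoint, Outlook and Access, so the 2007 entries should either do the same or be marked as not yet documented. Otherwise a reader cannot tell which container to expect when examining those files.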

Latest revision as of 20:26, 13 January 2014


Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Office versions, applications and file formats

  • pre 95 DOS versions
  • pre 95 Windows versions
    • Microsoft Word 6.0
  • Microsoft Office 95
  • Microsoft Office 97 - 2003
  • Microsoft Office 2007

See Also

External Links

Microsoft.com links

Evaluations

Wikipedia