Re: Forensics on Word Documents

From: Jonathan Bloomquist (jsbloomat_private)
Date: Fri Jan 02 1998 - 16:46:55 PST


----- Original Message -----
From: <crazybarryat_private>
To: <forensicsat_private>
Sent: Wednesday, September 19, 2001 9:10 AM
Subject: Re: Forensics on Word Documents


>
> Just downloaded Strings from sysinternals.  Very cool :)
> But I do have a question about it....
>
> Although it gives me lots of information about the file there still seems
> to be lots of information missing.  Such as the actual text of the
> document.  Also, I believe that the printer that the document was defaulted
> to print to is also included as part of the document.  So question
> is....where's the rest of the stuff??

Strings only strips out the ASCII and UNICODE from compiled and object
files.  Here is what MSDN says about how the rest of the data is stored...

`Microsoft Word saves its data in an OLE Compound file that is made up of
streams and storages. In particular, it creates a data stream called
"WordDocument" where it saves the contents and a special header called a
"FIB" (File information block). This header contains information about the
various attributes of the file that are documented in the MSDN as well as
the version of Microsoft Word that saved the document.`

(from:
http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q174140 )
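
The layout quoted above, as an added example that is not part of the original post or of the MSDN article: Python that walks a compound file's header, FAT and directory to the "WordDocument" stream and reads the first two FIB fields. The function names and the sample file are constructed for illustration, the field names wIdent and nFib are taken from Microsoft's published binary format documentation rather than from this thread, and the code assumes the stream sits in the regular FAT with at most 109 FAT sectors.

```python
import struct

CFB_MAGIC, ENDOFCHAIN, FREESECT = bytes.fromhex("D0CF11E0A1B11AE1"), 0xFFFFFFFE, 0xFFFFFFFF

def read_stream(data, name):
    """Return a named stream's bytes by walking the header, FAT and directory."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    size = 1 << struct.unpack_from("<H", data, 30)[0]        # sector size from sector shift
    n_fat, dir_start, cutoff = struct.unpack_from("<II4xI", data, 44)
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]   # sector 0 follows the header
    fat = [e for s in struct.unpack_from("<109I", data, 76)[:n_fat]
           for e in struct.unpack("<%dI" % (size // 4), sector(s))]
    def chain(start):
        out, seen = b"", set()
        while start != ENDOFCHAIN:
            if start in seen or start >= len(fat):           # loop or out-of-range pointer
                raise ValueError("corrupt FAT chain")
            seen.add(start)
            out += sector(start)
            start = fat[start]
        return out
    directory = chain(dir_start)
    for off in range(0, len(directory), 128):                # 128-byte directory entries
        entry = directory[off:off + 128]
        name_len, kind = struct.unpack_from("<HB", entry, 64)
        start, length = struct.unpack_from("<II", entry, 116)  # low 32 bits of the size
        if kind == 2 and entry[:max(name_len - 2, 0)].decode("utf-16-le", "replace") == name:
            if length < cutoff:
                raise NotImplementedError("stream lives in the mini stream")
            return chain(start)[:length]
    raise KeyError(name)

def parse_fib(stream):
    w_ident, n_fib = struct.unpack_from("<HH", stream, 0)    # first two FIB fields
    if w_ident != 0xA5EC:
        raise ValueError("stream does not start with a Word FIB")
    return {"wIdent": w_ident, "nFib": n_fib}

def build_sample():
    """Constructed test file: FAT in sector 0, directory in 1, WordDocument in 2-9."""
    def entry(name, kind, child, start, length):
        raw = (name + "\0").encode("utf-16-le")
        return struct.pack("<64sHBBIII36xIQ", raw, len(raw), kind, 1, FREESECT, FREESECT,
                           child, start, length)
    header = CFB_MAGIC + bytes(16) + struct.pack("<5H6x9I", 0x3E, 3, 0xFFFE, 9, 6,
        0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0) + struct.pack("<109I", 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *range(3, 10), ENDOFCHAIN, *[FREESECT] * 118)
    directory = (entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + entry("WordDocument", 2, FREESECT, 2, 4096) + bytes(256))
    return header + fat + directory + struct.pack("<HH", 0xA5EC, 0x00C1).ljust(4096, b"\0")
```

On a real file, pass the file's bytes to `read_stream(data, "WordDocument")`; the cycle check in `chain` keeps a damaged or hostile FAT from looping the parser.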








This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 12:02:39 PDT