RE: Forensics on Word Documents

From: Umashankar Sathyanarayana (umashankar.sat_private)
Date: Wed Sep 19 2001 - 21:24:52 PDT

Next message: Michael Olden: "Technical Documents"

Previous message: Tim Haynes: "Re: Forensics on Word Documents"
In reply to: Nicole Haywood: "Re: Forensics on Word Documents"
Next in thread: Rowe, Eric: "RE: Forensics on Word Documents"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Two things to do on windoze systems:

1. Open the document in a Hex Editor (search google for freeware) and see
text strings...
2. Go to
http://support.microsoft.com/directory/article.asp?ID=kb;en-us;Q186898 and
build this program...it was useful for me once...

-----Original Message-----
From: Nicole Haywood [mailto:N.Haywoodat_private]
Sent: Thursday, September 20, 2001 4:35 AM
To: crazybarryat_private; forensicsat_private
Subject: Re: Forensics on Word Documents

Try running it with strings -a which tells it to look for ascii instead of
unicode.

BTW thanks everyone for their suggestions. And yes the windows strings
utility came in very handy, as I didn't have access to unix to examine
files.

For those that are interested I am investigating a case of academic
misconduct. Basically two students handed in the same assignment, and one is
claiming the other student stole it, so I was trying to work out if there
was any evidence in the word document itself which might indicate which
student is telling the truth.

Thanks again,

Nicole

At 14:10 19/09/01 +0000, you wrote:

>Just downloaded Strings from sysinternals.  Very cool :)
>But I do have a question about it....
>
>Although it gives me lots of information about the file there still seems
>to be lots of information missing.  Such as the actual text of the
>document.  Also, I believe that the printer that the document was defaulted
>to print to is also included as part of the document.  So question
>is....where's the rest of the stuff??
>
>Thanks,
>Barry

--
Nicole Haywood                          Phone: +61 2 93515504
Network Security Officer                Fax:   +61 2 93515001
University of Sydney                    Email: N.Haywoodat_private

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Michael Olden: "Technical Documents"
Previous message: Tim Haynes: "Re: Forensics on Word Documents"
In reply to: Nicole Haywood: "Re: Forensics on Word Documents"
Next in thread: Rowe, Eric: "RE: Forensics on Word Documents"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Sep 20 2001 - 11:00:21 PDT