[woodyat_private: Office XP document numbers can be linked to individual machines]

From: Seth Arnold (sarnoldat_private)
Date: Wed Nov 13 2002 - 22:52:01 PST


    Bugtraq email that seemed on-topic for forensics as well.
    
    ----- Forwarded message from Woody Leonhard <woodyat_private> -----
    
    Date: 13 Nov 2002 14:10:47 -0000
    From: Woody Leonhard <woodyat_private>
    To: bugtraqat_private
    Subject: Office XP document numbers can be linked to individual machines
    
    
    When you use Outlook 2002 to attach a document, spreadsheet or 
    presentation to an email message, Outlook sticks four items in the 
    document's File | Properties | Custom dialog box. They're called:
    
    _AdHocReviewCycleID
    _AuthorEmail
    _AuthorEmailDisplayName
    _EmailSubject
    
    The last three entries are pretty straightforward: Outlook 2002 grabs 
    your email address, your name, and the message's subject, and sticks them 
    in the document. (See 
    http://www.woodyswatch.com/office/archtemplate.asp?v7-n50 )
    
    The _AdHocReviewCycleID entry had me stumped until Beth Melton pointed me 
    to a footnote on her "Do You Want to Merge Changes" page at 
    http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=107 . Here's 
    what's happening.
    
    When you attach a document to an email message in Outlook 2002, Outlook 
    assigns it a ten-digit number - let's call it a document number - then 
    updates a file on your PC called AdHoc.rcd with the name of the document, 
    its location, and that document number. 
    
    AdHoc.rcd is an old-fashioned .ini file. My copy is stored in 
    c:\Documents and Settings\Woody\Application Data\Microsoft\Office. 
    AdHoc.rcd appears to store the document numbers and full document path 
    for the last 99 documents that were attached to email messages.
    
    So you send out an Office document, attached to an email message. It's 
    branded by Outlook 2002 with a specific (apparently more or less randomly 
    generated) ten digit _AdHocReviewCycleID. The recipient saves the file, 
    makes her edits, attaches it to another email message, and shoots it back 
    to you. Outlook 2002 is smart enough to NOT overwrite the 
    _AdHocReviewCycleID in the document if one is already present, I believe, 
    so when you get the document back, the original document number is intact.
    
    When you open the document in Word, Excel, or PowerPoint - doesn't matter 
    if you save the document first, and then open it, or if you open it 
    directly while you're looking at the email message - the application is 
    smart enough to look for _AdHocReviewCycleID, look it up in AdHoc.rcd, 
    and hit you with the grating message
    
    "Do you want to merge changes in 'WOW751.doc' back into 'c:\Documents and 
    Settings\Woody\My Documents\SomeFolder\WOW751.doc'"
    Yes | No | No, And don't ask again
    
    if there's a match on _AdHocReviewCycleID.
    
    For example, when I sent the last issue of Woody's Office Watch to Peter 
    Deegan for editing, I used Outlook 2002 to attach it to an email message. 
    Outlook created a section that looks like this in my AdHoc.rcd file:
    
    [1294394770]
    Path=C:\Documents and Settings\Woody\My Documents\WOW\WOW751.doc
    Slot=Doc93
    
    If I look back at the copy of WOW751.doc that I sent to Peter last week, 
    sure enough, the File | Properties | Custom box contains 
    
    _AdHocReviewCycleID  1294394770
    
    If I open the copy of WOW751.doc that I attached to the message I sent to 
    Peter, I get that grating question.
    
    And that explains why I can send a file to my editor, he can make 
    changes - even change the file name - and send it back to me, and when I 
    open it, Word will still pop up with that grating message.
    
    This near-unique branding of documents with ten digit numbers leads to 
    some interesting questions. For example, if you have a document with a 
    specific _AdHocReviewCycleID, can you tell which machine it originated 
    on? Granted, you'd have to look at the AdHoc.rcd file on any suspect 
    machines. But how is this any better (or worse) than the old Office 97 
    document "unique identifier" problems?
    
    (If you weren't around for that controversy several years ago, check out 
    http://news.com.com/2100-1001-222876.html?legacy=cnet or 
    http://www.byte.com/documents/s=146/byt19990906s0012/index3.htm or 
    http://www.woodyswatch.com/office/archtemplate.asp?v4-n12 for a 
    description of the way Office 97 would brand documents with a unique 
    identifier.)
    
    More than that, why does Word use these document numbers even when you 
    uncheck the Tools | Options | Security | "Store random number to improve 
    merge accuracy" box?
    
    Or am I missing something?
    
    ----- End forwarded message -----
    
    -- 
    http://sardonix.org/
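
For the forensic question raised in the forwarded message (which machine does a given _AdHocReviewCycleID point back to?), the following is an added example, not part of the original post or any Microsoft code. It assumes AdHoc.rcd has only the layout quoted above (a numeric section name with Path= and Slot= keys) and that the examiner has already read the ID from File | Properties | Custom; the machine labels and all sample sections other than the quoted one are constructed.

```python
import configparser

# Constructed sample AdHoc.rcd contents keyed by a hypothetical machine label.
# Only the first section is quoted from the post; the rest is invented.
SAMPLES = {
    "WOODY-PC": "[1294394770]\n"
                "Path=C:\\Documents and Settings\\Woody\\My Documents\\WOW\\WOW751.doc\n"
                "Slot=Doc93\n"
                "[1000000042]\n"
                "Path=C:\\Temp\\100% final.xls\n"
                "Slot=Doc94\n",
    "LAB-PC": "[2000000001]\n"
              "Path=C:\\Work\\budget.xls\n"
              "Slot=Doc01\n"
              "[Settings]\n"   # non-numeric section, not a document entry
              "Foo=bar\n",
}


def _as_id(value):
    """Normalise an ID given as text or number; None if it is not numeric."""
    try:
        return int(str(value).strip())
    except ValueError:
        return None


def parse_adhoc_rcd(text):
    """Return {document_number: {"path": ..., "slot": ...}} for one file."""
    # interpolation=None: a '%' in a path must not be expanded as a template.
    # strict=False: tolerate repeated sections in a damaged or merged copy.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    entries = {}
    for section in cp.sections():
        doc_id = _as_id(section)
        if doc_id is None:
            continue  # keep only numeric section names (document numbers)
        entries[doc_id] = {"path": cp.get(section, "Path", fallback=None),
                           "slot": cp.get(section, "Slot", fallback=None)}
    return entries


def find_origin(review_cycle_id, files_by_machine):
    """List (machine, path, slot) for every AdHoc.rcd that records this ID."""
    wanted = _as_id(review_cycle_id)
    if wanted is None:
        return []
    hits = []
    for machine, text in sorted(files_by_machine.items()):
        entry = parse_adhoc_rcd(text).get(wanted)
        if entry:
            hits.append((machine, entry["path"], entry["slot"]))
    return hits
```

Because the post says the file appears to keep only the last 99 attachments, a miss on a machine does not rule it out as the origin.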
    
    
    



    This archive was generated by hypermail 2b30 : Sun Nov 17 2002 - 09:30:40 PST