New XML-Based Files: Implications for Forensics
Abstract
For more than 20 years, programs such as Microsoft Word have stored their documents in binary file formats. That's changing as Microsoft, Sun Microsystems, and other developers migrate to new XML-based formats for document files. Document files are of critical interest to forensic practitioners because of the data they contain; they're also a rich topic for forensic research. Although most investigations concern themselves solely with a document's surface content, some examinations dive deeper, examining the metadata or deleted material that's still present in the file. Investigators can, for instance, use metadata to identify individuals potentially responsible for unauthorized file modification, establish text plagiarization, or even indicate falsification of evidence. Unfortunately, metadata can also be modified to implicate innocent people and the ease of modifying these new files means that it's far easier to make malicious modifications that are difficult (if not impossible) to detect. With so many aspects to consider, we present a forensic analysis of the two rival XML-based office document file formats: the Office Open XML (OOX) that Microsoft adopted for its Office software suite and the OpenDocument Format (ODF) used by Sun's OpenOffice software. We detail how forensic tools can exploit features in these file formats and show how these formats could cause problems for forensic practitioners. For additional information on the development and increased use of these two file formats, see the Background sidebar.
Document Details
- Document Type
- Technical Report
- Publication Date
- Apr 01, 2009
- Accession Number
- ADA549420
Entities
People
- James J. Migletz
- Simson Garfinkel
Organizations
- Naval Postgraduate School