New XML-Based Files: Implications for Forensics

Bibliographic Details
Main Authors: Garfinkel, Simson L, Migletz, James J
Format: Report
Language: English
Description
Summary: For more than 20 years, programs such as Microsoft Word have stored their documents in binary file formats. That's changing as Microsoft, Sun Microsystems, and other developers migrate to new XML-based formats for document files. Document files are of critical interest to forensic practitioners because of the data they contain; they're also a rich topic for forensic research. Although most investigations concern themselves solely with a document's surface content, some examinations dive deeper, examining the metadata or deleted material that's still present in the file. Investigators can, for instance, use metadata to identify individuals potentially responsible for unauthorized file modification, establish text plagiarization, or even indicate falsification of evidence. Unfortunately, metadata can also be modified to implicate innocent people and the ease of modifying these new files means that it's far easier to make malicious modifications that are difficult (if not impossible) to detect. With so many aspects to consider, we present a forensic analysis of the two rival XML-based office document file formats: the Office Open XML (OOX) that Microsoft adopted for its Office software suite and the OpenDocument Format (ODF) used by Sun's OpenOffice software. We detail how forensic tools can exploit features in these file formats and show how these formats could cause problems for forensic practitioners. For additional information on the development and increased use of these two file formats, see the Background sidebar. Published in IEEE Security and Privacy, p38-44 Mar-Apr 2009.