microsoft office upload center cache files in forensic
play

Microsoft Office Upload Center Cache Files in Forensic - PowerPoint PPT Presentation

Oct 28, 2023 •172 likes •412 views

Microsoft Office Upload Center Cache Files in Forensic Investigations Rick van Gorp, Kotaiba Alachkar Supervisor: Yonne de Bruijn Fox-IT MSc System and Network Engineering University of Amsterdam February 6, 2018 Rick van Gorp, Kotaiba

  1. Microsoft Office Upload Center Cache Files in Forensic Investigations Rick van Gorp, Kotaiba Alachkar Supervisor: Yonne de Bruijn Fox-IT MSc System and Network Engineering University of Amsterdam February 6, 2018 Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 1 / 22

  2. Overview - Definition of cache files Microsoft Office Cache Files: generated by Microsoft Office Upload Center. Path: \Users\<USERNAME>\AppData\Local\Microsoft\Office\<VERSION> \OfficeFileCache File format list: FSD-files : used to store the document FSF-files : used as a connecting point between the FSD-file and CentralTable.accdb CentralTable.accdb : used to store all metadata regarding the upload process Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 2 / 22

  3. Overview (cont.) Figure 1: States of cache files during the upload process to OneDrive Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 3 / 22

  4. Problem Statement & Research Question Only speculation on what forensic value the FSD- and FSF- files have “ 1.2 Billion Microsoft Office Users and 200 Million OneDrive users in 2014” 1 Research Question In what way do the cache files produced by Microsoft Office Upload Center contribute to a forensic investigation? 1 Microsoft by the Numbers: https://news.microsoft.com/bythenumbers/planet-office Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 4 / 22

  5. Related Work 1 Cloud Hosted Data in Digital Forensics (Slidedeck - 2014): Australian technology company called Nuix Briefly described the global contents of CentralTable.accdb 2 Windows 10 Forensics - OS Evidentiary Artefacts (Slidedeck - 2015): Australian Researcher Brent Muir Manually carve document from FSD-files but no methodology published Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 5 / 22

  6. Methods Generate dataset: cache files in all five states two users on a Windows 7 VM running Microsoft Office 2016 .pptx, .docx, and .xlsx to upload: empty, large ( 5MB) and with one line of text (with & without an image) Perform statistical analysis: determine what information is available and what not under what circumstances Derive unknown file formats: length, offsets, known file headers, number of files, and checksums in data sections Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 6 / 22

  7. Results Results outline: 1 File description 2 Availability of information 3 Retrieved data implication Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 7 / 22

  8. File Description - FSD-file The size of an FSD-file differs depending on the size of a source document Table 1: Examples of differences between file sizes of input documents and FSD-files per state Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 8 / 22

  9. File Description - FSD-file (cont.) Global file format derived from comparisons FSD-file: Magic Header (16 bytes) Unknown data (8176 bytes) Subsection (appearing α times): Header A (8 bytes) Unknown data ( β bytes) Header K (8 bytes) Optional Section Q (appearing γ times) Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 9 / 22

  10. File Description - FSD-file (cont.) Optional Section Q: Header Q (8 bytes) Data (Unknown bytes) End of data header Q - 79 05 (2 bytes) Data: Contains ZIP-archive headers and image headers Implies (part of) Office document is in the FSD-file Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 10 / 22

  11. File Description - FSF-file The file format of the FSF-file: FSF-file points to FSD-file name: Used by CentralTable to connect metadata in CentralTable to FSD-file Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 11 / 22

  12. File Description - CentralTable.accdb Microsoft Access database (Date/time unreadable) 2 Metadata about documents submitted to Microsoft Upload Center It consists of the following tables: MasterFile 1 CacheProperties 2 IncomingEvents 3 OutgoingEvents 4 ServerTarget 5 2 https://github.com/rickvg/office-cachefiles Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 12 / 22

  13. File Description - CentralTable.accdb (cont.) Table MasterFile contains most metadata: Pointer to the FSF-file ( FileEntryFileID ) Name of the file Author of the file E-mail address of uploader Remote location of file (If uploaded) Dates and times: Modified and Uploaded (Server & Local) Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 13 / 22

  14. Availability of Information Our CentralTable parser shows old rows in table MasterFile 3 CentralTable: Count of rows per state increases for table MasterFile Figure 2: Mean count of rows per state for table MasterFile 3 https://github.com/rickvg/office-cachefiles Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 14 / 22

  15. Availability of Information (contd.) Generic changes during state transitions: Tables MasterFile and CacheProperties change the revision number in column ColumnRevisionID MasterFile-table changes during state transitions: Most changes CacheProperties-table changes during state transitions: No patterns found Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 15 / 22

  16. Availability of Information - Document Recovery Document recovery from cache files: Manual or Automatic With or without Microsoft Office 2016 Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 16 / 22

  17. Availability of Information - Document Recovery (contd.) Automatic with Microsoft Office 2016 CentralTable requires records for uploading a file Column FileEntryID in table MasterFile must point to FSF-file GUID Column FFileSavedToServer in table MasterFile must be set to 0 FSF-file can be generated for any FSD-file Recover full document including its images and metadata Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 17 / 22

  18. Availability of Information - Document Recovery (contd.) Manual or automatic without Microsoft Office 2016 Extraction script for small documents and parts of large documents 4 Figure 3: Extraction method for small documents without images 4 https://github.com/rickvg/office-cachefiles Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 18 / 22

  19. Retrieved Data Implication In our research, the retrieved data is divided into two parts: (Parts of) original documents Metadata related to documents Additional evidence in a forensic investigation 5 5 http://ieeexplore.ieee.org/document/7379751/ Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 19 / 22

  20. Conclusion FSD-file is used to store the document, FSF-file is used as a connecting point between the FSD-file and CentralTable.accdb and CentralTable.accdb is used to store all metadata regarding the document (Parts of) documents and its own metadata can be retrieved from FSD-files Check whether entries in table MasterFile have been manipulated (not which) The large amount of metadata with(out) the document could be used as additional evidence in a forensic investigation Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 20 / 22

  21. Future Work Exploring the FSD-file format in more details Extending FSD-files Documents Extractor script to support large-size documents and documents including images Expanding the research to include various Microsoft Office versions , Operating Systems , and file-hosting cloud platforms Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 21 / 22

  22. The End Thank you for your attention Do you have any questions? Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 22 / 22

Recommend

UPLOAD VIDEOS TO MICROSOFT STREAM VIA ACCESSUH To upload a video on Microsoft Stream, go to

UPLOAD VIDEOS TO MICROSOFT STREAM VIA ACCESSUH To upload a video on Microsoft Stream, go to

UPLOAD VIDEOS TO MICROSOFT STREAM VIA ACCESSUH To upload a video on Microsoft Stream, go to AccessUH, login with your Cougarnet credentials and then click Office 365. Search for Stream to find the Microsoft Stream app.

138 views • 3 slides
Beyond files forensic OWADE cloud based forensic Elie Bursztein Stanford University Ivan

Beyond files forensic OWADE cloud based forensic Elie Bursztein Stanford University Ivan

Beyond files forensic OWADE cloud based forensic Elie Bursztein Stanford University Ivan Fontarensky Cassidian Matthieu Martin Stanford University Jean Michel Picod Cassidian Wednesday, August 3, 2011 The world is moving to the cloud E.

1.84k views • 171 slides
Microsoft Excel 2003 Powerpoint Presentation Why are files opened in office 365 apps(e.g, Word,

Microsoft Excel 2003 Powerpoint Presentation Why are files opened in office 365 apps(e.g, Word,

Microsoft Excel 2003 Powerpoint Presentation Why are files opened in office 365 apps(e.g, Word, Excel, Powerpoint) from any other iOS workbook (.xls), or Microsoft PowerPoint 97-2003 presentation (.ppt). Users of Microsoft Office XP (Word XP,

48 views • 4 slides
The POD file NAME iaoptions.config Main (and only) configuration file for JACoW.upload,

The POD file NAME iaoptions.config Main (and only) configuration file for JACoW.upload,

File Upload / Download Perl Scripts The five Perl scripts must be installed on the conference file server to enable authors and editors to upload and download manuscript and talk files. The file server must have an up-to-date version of

272 views • 9 slides
Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic Mental Health System Robert N. Baker, PhD Assistant Chief Office of Forensic Services, ODMH Objectives Provide an overview of the forensic

581 views • 40 slides
4.2 Microsoft Word Microsoft Word is the word processing component of the Microsoft Office

4.2 Microsoft Word Microsoft Word is the word processing component of the Microsoft Office

4.2 Microsoft Word Microsoft Word is the word processing component of the Microsoft Office Suite It is used primarily to enter, edit, format, save, retrieve and print documents Objectives Identify the main components of the user

399 views • 29 slides
1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

Cache Performance Metrics Cache miss rate: number of cache misses divided by number of accesses Lecture 14: Hardware Approaches for Cache Optimizations Cache hit time: the time between sending address and data returning from cache Cache

608 views • 4 slides
Forensic Science Center Forensic Science Center -10 Budget 10 Budget FY 09- FY 09 Forensic

Forensic Science Center Forensic Science Center -10 Budget 10 Budget FY 09- FY 09 Forensic

Forensic Science Center Forensic Science Center -10 Budget 10 Budget FY 09- FY 09 Forensic Science Center Forensic Science Center Medical Examiner: Cause/Manner of Death Medical Examiner: Cause/Manner of Death Forensic Chemistry:

392 views • 28 slides
Getting Started with Microsoft Office 2013 Objectives Understand Office Professional Plus

Getting Started with Microsoft Office 2013 Objectives Understand Office Professional Plus

Getting Started with Microsoft Office 2013 Objectives Understand Office Professional Plus 2013 Start an Office app Identify common screen elements in an Office app Use the Ribbon and zoom controls Microsoft Office

357 views • 25 slides
Syslog and Log Rotate Computer Center, CS, NCTU Log files Execution information of each

Syslog and Log Rotate Computer Center, CS, NCTU Log files Execution information of each

Syslog and Log Rotate Computer Center, CS, NCTU Log files Execution information of each services sshd log files httpd log files ftpd log files Purpose For post tracking Like insurance 2 Computer Center, CS,

231 views • 22 slides
Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency Requirements of performance, availability, and disconnected operation require us to relax the goal of semantic transparency. - HTTP 1.1 specification

598 views • 13 slides
Working in the Cloud Objectives Understand Office 2013 in the Cloud Work Online

Working in the Cloud Objectives Understand Office 2013 in the Cloud Work Online

Working in the Cloud Objectives Understand Office 2013 in the Cloud Work Online Explore SkyDrive Manage Files on SkyDrive Microsoft Office 2013 Illustrated Fundamentals 2 Objectives Share Files Explore Office Web Apps

585 views • 26 slides
5.2 Microsoft Excel Microsoft Excel Microsoft Excel is the spreadsheet component of the

5.2 Microsoft Excel Microsoft Excel Microsoft Excel is the spreadsheet component of the

5.2 Microsoft Excel Microsoft Excel Microsoft Excel is the spreadsheet component of the Microsoft Office Suite. It is used primarily to enter, edit, format, sort, perform mathematical computations, save, retrieve and print numeric

717 views • 32 slides
Microsoft Office Online What you can do for free Starting Microsoft online You must have a

Microsoft Office Online What you can do for free Starting Microsoft online You must have a

Microsoft Office Online What you can do for free Starting Microsoft online You must have a Microsoft account its free too Start your browser Edge is best for this Go to one of these sites Office.com starts

604 views • 22 slides
Microsoft Office Powerpoint Presentation 2007 For Windows 7 free download microsoft office

Microsoft Office Powerpoint Presentation 2007 For Windows 7 free download microsoft office

Microsoft Office Powerpoint Presentation 2007 For Windows 7 free download microsoft office powerpoint 2007 full version - Apache OpenOffice (OpenOffice.org) A great (and free) alternative to Microsoft Office..free One-stop-office..like

207 views • 4 slides
Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

972 views • 23 slides
Shankar Am bady Microsoft New England Research and Development Center, December 14, 2010 Example

Shankar Am bady Microsoft New England Research and Development Center, December 14, 2010 Example

Shankar Am bady Microsoft New England Research and Development Center, December 14, 2010 Example Files Hosted on Github https://github.com/shanbady/NLTK-Boston-Python-Meetup What is Natural Language Processing? i. Where is this stuff

1.13k views • 84 slides
Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Epigenetics a New Perspective for Improving Forensic Science p g Hwan Young Lee, Ph.D. Department of Forensic Medicine Yonsei University College of Medicine Current Forensic DNA Typing Forensic cases -- matching suspect with evidence

247 views • 13 slides
Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

11/5/2015 Specialized Topics in Ethical Forensic Practice, Part 1: Restructured Forensic Reports Presented For OhioMHAS Forensic Conference November 18, 2015 Terry Kukor, Ph.D., ABPP (Forensic) Joy Stankowski, M.D. Aracelis (Liz) Rivera, Psy.D.

451 views • 17 slides
T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

11/5/2015 The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

389 views • 24 slides
Microsoft Academic Graph Academic Graph Viszards session Pajek files Years Authors and

Microsoft Academic Graph Academic Graph Viszards session Pajek files Years Authors and

MAG V. Batagelj Microsoft Microsoft Academic Graph Academic Graph Viszards session Pajek files Years Authors and Vladimir Batagelj keywords Derived networks IMFM Ljubljana and IAM UP Koper Citation network XXXVI Sunbelt 2016

414 views • 26 slides
Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic Challenge V2.0 * Conclusions Introduction Why this forensic Challenge ? * To promote and impulse the Forensic Analysis in our Region -- Hispanoamerica--

558 views • 19 slides
OPENACC PROGRAMMING MODEL Xiaonan (Daniel) Tian, Brent Leback, and Michael Wolfe PGI GPU

OPENACC PROGRAMMING MODEL Xiaonan (Daniel) Tian, Brent Leback, and Michael Wolfe PGI GPU

CACHE DIRECTIVE OPTIMIZATION IN THE OPENACC PROGRAMMING MODEL Xiaonan (Daniel) Tian, Brent Leback, and Michael Wolfe PGI GPU ARCHITECTURE Threads Register Files Shared L1 Read-Only Memory Cache Data Cache L2 Cache Texture Constant GPU

806 views • 23 slides
Adding slides to a Video Upload in MyMediasite 1. Upload your video by following the Basic Video

Adding slides to a Video Upload in MyMediasite 1. Upload your video by following the Basic Video

Adding slides to a Video Upload in MyMediasite 1. Upload your video by following the Basic Video Upload to MyMediasite instructions. 2. Wait for processing to finish. You will receive an automated email when the presentation is ready. 3. Slide

493 views • 5 slides

More recommend