microsoft office upload center cache files in forensic
play

Microsoft Office Upload Center Cache Files in Forensic - PowerPoint PPT Presentation

Oct 28, 2023 •172 likes •412 views

Microsoft Office Upload Center Cache Files in Forensic Investigations Rick van Gorp, Kotaiba Alachkar Supervisor: Yonne de Bruijn Fox-IT MSc System and Network Engineering University of Amsterdam February 6, 2018 Rick van Gorp, Kotaiba

  1. Microsoft Office Upload Center Cache Files in Forensic Investigations Rick van Gorp, Kotaiba Alachkar Supervisor: Yonne de Bruijn Fox-IT MSc System and Network Engineering University of Amsterdam February 6, 2018 Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 1 / 22

  2. Overview - Definition of cache files Microsoft Office Cache Files: generated by Microsoft Office Upload Center. Path: \Users\<USERNAME>\AppData\Local\Microsoft\Office\<VERSION> \OfficeFileCache File format list: FSD-files : used to store the document FSF-files : used as a connecting point between the FSD-file and CentralTable.accdb CentralTable.accdb : used to store all metadata regarding the upload process Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 2 / 22

  3. Overview (cont.) Figure 1: States of cache files during the upload process to OneDrive Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 3 / 22

  4. Problem Statement & Research Question Only speculation on what forensic value the FSD- and FSF- files have “ 1.2 Billion Microsoft Office Users and 200 Million OneDrive users in 2014” 1 Research Question In what way do the cache files produced by Microsoft Office Upload Center contribute to a forensic investigation? 1 Microsoft by the Numbers: https://news.microsoft.com/bythenumbers/planet-office Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 4 / 22

  5. Related Work 1 Cloud Hosted Data in Digital Forensics (Slidedeck - 2014): Australian technology company called Nuix Briefly described the global contents of CentralTable.accdb 2 Windows 10 Forensics - OS Evidentiary Artefacts (Slidedeck - 2015): Australian Researcher Brent Muir Manually carve document from FSD-files but no methodology published Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 5 / 22

  6. Methods Generate dataset: cache files in all five states two users on a Windows 7 VM running Microsoft Office 2016 .pptx, .docx, and .xlsx to upload: empty, large ( 5MB) and with one line of text (with & without an image) Perform statistical analysis: determine what information is available and what not under what circumstances Derive unknown file formats: length, offsets, known file headers, number of files, and checksums in data sections Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 6 / 22

  7. Results Results outline: 1 File description 2 Availability of information 3 Retrieved data implication Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 7 / 22

  8. File Description - FSD-file The size of an FSD-file differs depending on the size of a source document Table 1: Examples of differences between file sizes of input documents and FSD-files per state Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 8 / 22

  9. File Description - FSD-file (cont.) Global file format derived from comparisons FSD-file: Magic Header (16 bytes) Unknown data (8176 bytes) Subsection (appearing α times): Header A (8 bytes) Unknown data ( β bytes) Header K (8 bytes) Optional Section Q (appearing γ times) Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 9 / 22

  10. File Description - FSD-file (cont.) Optional Section Q: Header Q (8 bytes) Data (Unknown bytes) End of data header Q - 79 05 (2 bytes) Data: Contains ZIP-archive headers and image headers Implies (part of) Office document is in the FSD-file Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 10 / 22

  11. File Description - FSF-file The file format of the FSF-file: FSF-file points to FSD-file name: Used by CentralTable to connect metadata in CentralTable to FSD-file Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 11 / 22

  12. File Description - CentralTable.accdb Microsoft Access database (Date/time unreadable) 2 Metadata about documents submitted to Microsoft Upload Center It consists of the following tables: MasterFile 1 CacheProperties 2 IncomingEvents 3 OutgoingEvents 4 ServerTarget 5 2 https://github.com/rickvg/office-cachefiles Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 12 / 22

  13. File Description - CentralTable.accdb (cont.) Table MasterFile contains most metadata: Pointer to the FSF-file ( FileEntryFileID ) Name of the file Author of the file E-mail address of uploader Remote location of file (If uploaded) Dates and times: Modified and Uploaded (Server & Local) Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 13 / 22

  14. Availability of Information Our CentralTable parser shows old rows in table MasterFile 3 CentralTable: Count of rows per state increases for table MasterFile Figure 2: Mean count of rows per state for table MasterFile 3 https://github.com/rickvg/office-cachefiles Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 14 / 22

  15. Availability of Information (contd.) Generic changes during state transitions: Tables MasterFile and CacheProperties change the revision number in column ColumnRevisionID MasterFile-table changes during state transitions: Most changes CacheProperties-table changes during state transitions: No patterns found Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 15 / 22

  16. Availability of Information - Document Recovery Document recovery from cache files: Manual or Automatic With or without Microsoft Office 2016 Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 16 / 22

  17. Availability of Information - Document Recovery (contd.) Automatic with Microsoft Office 2016 CentralTable requires records for uploading a file Column FileEntryID in table MasterFile must point to FSF-file GUID Column FFileSavedToServer in table MasterFile must be set to 0 FSF-file can be generated for any FSD-file Recover full document including its images and metadata Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 17 / 22

  18. Availability of Information - Document Recovery (contd.) Manual or automatic without Microsoft Office 2016 Extraction script for small documents and parts of large documents 4 Figure 3: Extraction method for small documents without images 4 https://github.com/rickvg/office-cachefiles Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 18 / 22

  19. Retrieved Data Implication In our research, the retrieved data is divided into two parts: (Parts of) original documents Metadata related to documents Additional evidence in a forensic investigation 5 5 http://ieeexplore.ieee.org/document/7379751/ Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 19 / 22

  20. Conclusion FSD-file is used to store the document, FSF-file is used as a connecting point between the FSD-file and CentralTable.accdb and CentralTable.accdb is used to store all metadata regarding the document (Parts of) documents and its own metadata can be retrieved from FSD-files Check whether entries in table MasterFile have been manipulated (not which) The large amount of metadata with(out) the document could be used as additional evidence in a forensic investigation Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 20 / 22

  21. Future Work Exploring the FSD-file format in more details Extending FSD-files Documents Extractor script to support large-size documents and documents including images Expanding the research to include various Microsoft Office versions , Operating Systems , and file-hosting cloud platforms Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 21 / 22

  22. The End Thank you for your attention Do you have any questions? Rick van Gorp, Kotaiba Alachkar (UvA) MS Office Upload Center Cache Files February 6, 2018 22 / 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

UPLOAD VIDEOS TO MICROSOFT STREAM VIA ACCESSUH To upload a video on Microsoft Stream, go to

UPLOAD VIDEOS TO MICROSOFT STREAM VIA ACCESSUH To upload a video on Microsoft Stream, go to

UPLOAD VIDEOS TO MICROSOFT STREAM VIA ACCESSUH To upload a video on Microsoft Stream, go to AccessUH, login with your Cougarnet credentials and then click Office 365. Search for Stream to find the Microsoft Stream app.

138 views • 3 slides
Beyond files forensic OWADE cloud based forensic Elie Bursztein Stanford University Ivan

Beyond files forensic OWADE cloud based forensic Elie Bursztein Stanford University Ivan

Beyond files forensic OWADE cloud based forensic Elie Bursztein Stanford University Ivan Fontarensky Cassidian Matthieu Martin Stanford University Jean Michel Picod Cassidian Wednesday, August 3, 2011 The world is moving to the cloud E.

1.84k views • 171 slides
Microsoft Excel 2003 Powerpoint Presentation Why are files opened in office 365 apps(e.g, Word,

Microsoft Excel 2003 Powerpoint Presentation Why are files opened in office 365 apps(e.g, Word,

Microsoft Excel 2003 Powerpoint Presentation Why are files opened in office 365 apps(e.g, Word, Excel, Powerpoint) from any other iOS workbook (.xls), or Microsoft PowerPoint 97-2003 presentation (.ppt). Users of Microsoft Office XP (Word XP,

48 views • 4 slides
The POD file NAME iaoptions.config Main (and only) configuration file for JACoW.upload,

The POD file NAME iaoptions.config Main (and only) configuration file for JACoW.upload,

File Upload / Download Perl Scripts The five Perl scripts must be installed on the conference file server to enable authors and editors to upload and download manuscript and talk files. The file server must have an up-to-date version of

272 views • 9 slides
Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic Mental Health System Robert N. Baker, PhD Assistant Chief Office of Forensic Services, ODMH Objectives Provide an overview of the forensic

581 views • 40 slides
4.2 Microsoft Word Microsoft Word is the word processing component of the Microsoft Office

4.2 Microsoft Word Microsoft Word is the word processing component of the Microsoft Office

4.2 Microsoft Word Microsoft Word is the word processing component of the Microsoft Office Suite It is used primarily to enter, edit, format, save, retrieve and print documents Objectives Identify the main components of the user

399 views • 29 slides
1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

Cache Performance Metrics Cache miss rate: number of cache misses divided by number of accesses Lecture 14: Hardware Approaches for Cache Optimizations Cache hit time: the time between sending address and data returning from cache Cache

608 views • 4 slides
Forensic Science Center Forensic Science Center -10 Budget 10 Budget FY 09- FY 09 Forensic

Forensic Science Center Forensic Science Center -10 Budget 10 Budget FY 09- FY 09 Forensic

Forensic Science Center Forensic Science Center -10 Budget 10 Budget FY 09- FY 09 Forensic Science Center Forensic Science Center Medical Examiner: Cause/Manner of Death Medical Examiner: Cause/Manner of Death Forensic Chemistry:

392 views • 28 slides
Getting Started with Microsoft Office 2013 Objectives Understand Office Professional Plus

Getting Started with Microsoft Office 2013 Objectives Understand Office Professional Plus

Getting Started with Microsoft Office 2013 Objectives Understand Office Professional Plus 2013 Start an Office app Identify common screen elements in an Office app Use the Ribbon and zoom controls Microsoft Office

357 views • 25 slides
Syslog and Log Rotate Computer Center, CS, NCTU Log files Execution information of each

Syslog and Log Rotate Computer Center, CS, NCTU Log files Execution information of each

Syslog and Log Rotate Computer Center, CS, NCTU Log files Execution information of each services sshd log files httpd log files ftpd log files Purpose For post tracking Like insurance 2 Computer Center, CS,

231 views • 22 slides
Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency Requirements of performance, availability, and disconnected operation require us to relax the goal of semantic transparency. - HTTP 1.1 specification

598 views • 13 slides
Working in the Cloud Objectives Understand Office 2013 in the Cloud Work Online

Working in the Cloud Objectives Understand Office 2013 in the Cloud Work Online

Working in the Cloud Objectives Understand Office 2013 in the Cloud Work Online Explore SkyDrive Manage Files on SkyDrive Microsoft Office 2013 Illustrated Fundamentals 2 Objectives Share Files Explore Office Web Apps

585 views • 26 slides
5.2 Microsoft Excel Microsoft Excel Microsoft Excel is the spreadsheet component of the

5.2 Microsoft Excel Microsoft Excel Microsoft Excel is the spreadsheet component of the

5.2 Microsoft Excel Microsoft Excel Microsoft Excel is the spreadsheet component of the Microsoft Office Suite. It is used primarily to enter, edit, format, sort, perform mathematical computations, save, retrieve and print numeric

717 views • 32 slides
Microsoft Office Online What you can do for free Starting Microsoft online You must have a

Microsoft Office Online What you can do for free Starting Microsoft online You must have a

Microsoft Office Online What you can do for free Starting Microsoft online You must have a Microsoft account its free too Start your browser Edge is best for this Go to one of these sites Office.com starts

604 views • 22 slides
Microsoft Office Powerpoint Presentation 2007 For Windows 7 free download microsoft office

Microsoft Office Powerpoint Presentation 2007 For Windows 7 free download microsoft office

Microsoft Office Powerpoint Presentation 2007 For Windows 7 free download microsoft office powerpoint 2007 full version - Apache OpenOffice (OpenOffice.org) A great (and free) alternative to Microsoft Office..free One-stop-office..like

207 views • 4 slides
Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

972 views • 23 slides
Protecting Applications Against TOCTTOU Races by User-Space Caching of File Metadata Mathias

Protecting Applications Against TOCTTOU Races by User-Space Caching of File Metadata Mathias

DynaRace Protecting Applications Against TOCTTOU Races by User-Space Caching of File Metadata Mathias Payer &amp; Thomas R. Gross Department of Computer Science ETH Zrich, Switzerland TOCTTOU races Time Of Check To Time of Use (TOCTTOU)

828 views • 33 slides
The Bunker Cache for Spatio-Value Approximation Joshua San Miguel Jorge Albericio Natalie

The Bunker Cache for Spatio-Value Approximation Joshua San Miguel Jorge Albericio Natalie

The Bunker Cache for Spatio-Value Approximation Joshua San Miguel Jorge Albericio Natalie Enright Jerger Aamer Jaleel Data Movement and Storage off-chip memory shared last-level cache private caches processor core 2 Data Movement and

2.45k views • 87 slides
Investor Update Q4 FY 2017-18 May 2018 Den Networks Ltd. Comparable financial figures are for

Investor Update Q4 FY 2017-18 May 2018 Den Networks Ltd. Comparable financial figures are for

Investor Update Q4 FY 2017-18 May 2018 Den Networks Ltd. Comparable financial figures are for continued businesses only Slide 1 Investor Update Q4 FY 2017-18 Disclaimer The information in the presentation may contain forward-looking

581 views • 24 slides
Presentation to 495/MW Partnership 9.26.2017 Who is Transportation for Massachusetts? T4MA

Presentation to 495/MW Partnership 9.26.2017 Who is Transportation for Massachusetts? T4MA

Presentation to 495/MW Partnership 9.26.2017 Who is Transportation for Massachusetts? T4MA is a statewide coalition of more than 70 member and partner organizations. We advocate for better, smarter transportation policies across the

1.02k views • 24 slides
OPENACC PROGRAMMING MODEL Xiaonan (Daniel) Tian, Brent Leback, and Michael Wolfe PGI GPU

OPENACC PROGRAMMING MODEL Xiaonan (Daniel) Tian, Brent Leback, and Michael Wolfe PGI GPU

CACHE DIRECTIVE OPTIMIZATION IN THE OPENACC PROGRAMMING MODEL Xiaonan (Daniel) Tian, Brent Leback, and Michael Wolfe PGI GPU ARCHITECTURE Threads Register Files Shared L1 Read-Only Memory Cache Data Cache L2 Cache Texture Constant GPU

806 views • 23 slides
A System- -on on- -a a- -Chip Lock Chip Lock A System Cache with Task Preemption Cache

A System- -on on- -a a- -Chip Lock Chip Lock A System Cache with Task Preemption Cache

A System- -on on- -a a- -Chip Lock Chip Lock A System Cache with Task Preemption Cache with Task Preemption Support Support By By Bilge S. Bilge S. Akgul Akgul, , Jaehwan Jaehwan Lee and Lee and Vincent J. Mooney Vincent J.

204 views • 19 slides
An Introduction to An Introduction to Geocaching Geocaching Chris Kracik Chris Kracik aka

An Introduction to An Introduction to Geocaching Geocaching Chris Kracik Chris Kracik aka

An Introduction to An Introduction to Geocaching Geocaching Chris Kracik Chris Kracik aka BBWolf+ 3Pigs aka BBWolf+ 3Pigs &amp; &amp; Calvin Taft Calvin Taft aka Nomad64 aka Nomad64 What is Geocaching? What is Geocaching?

481 views • 20 slides
Cache la Poudre River National Heritage Area Supported and Managed by the Poudre Heritage

Cache la Poudre River National Heritage Area Supported and Managed by the Poudre Heritage

Cache la Poudre River National Heritage Area Supported and Managed by the Poudre Heritage Alliance What is a national heritage area? A designation, by Congress, that recognizes nationally significant resources and their role in defining a

108 views • 9 slides

More recommend