
    Forensic analysis of office open XML spreadsheets

    Thesis submitted in partial fulfilment of the requirements for the Degree of Master of Science in Information Systems Security (MSc.ISS) at Strathmore University.

Digital forensics is the science of acquiring, preserving, analysing and presenting digital evidence from computers, digital devices and networks in a manner that is admissible in a court of law to support an investigation. Documents, spreadsheets and presentations produced by Microsoft Office, LibreOffice, OpenOffice, NeoOffice and Google Docs are widely used to store and circulate data and information, especially within organisations. They are often rich in information embedded deep inside the file that can be retrieved by examining metadata or deleted material still present in the file.

OOXML is a standard developed by Microsoft, registered by ECMA (as ECMA-376) and approved by ISO and IEC (as ISO/IEC 29500:2008) as an open standard for office documents, spreadsheets and presentations. Files created to this standard are ZIP containers holding parts and relationships, which upon extraction and analysis reveal forensically interesting information. Existing forensic tools have limitations in extracting and analysing OOXML spreadsheet metadata: most can extract only limited, basic metadata.

The objective of this research is to carry out forensic analysis of metadata in OOXML spreadsheets by studying the limitations of existing forensic tools in extracting and analysing that metadata, and by designing and developing a proof-of-concept (PoC) forensic tool that supports automated forensic analysis of OOXML spreadsheets with improved visualisation, efficiency and advanced reporting functionality.

The research methodology reviews the OOXML spreadsheet metadata extraction and analysis capabilities of existing forensic tools using sample spreadsheet datasets, then carries out system analysis, design and PoC implementation of a forensic tool. The PoC implementation is further subjected to manual, functional and security tests, quality assurance and validation. The developed tool is able to extract and analyse relevant metadata from OOXML spreadsheets and present the results in a forensic report.

    Fingerprinting an Organization Using Metadata of Public Documents

    Many companies and institutions use the Internet for their business activities in order to make information about the products and services they offer more accessible. Often these companies and institutions share electronic documents on their websites (for example tables of statistical data, guides, examples and tutorials, articles, forms and other documents) which they consider worth sharing. Documents that are freely available on websites to all Internet users may contain metadata. Metadata is data that describes other data, i.e. metadata describes the content of a document and its general properties. Metadata includes, for example, the user name of whoever created, saved, printed or edited the document, as well as timestamps of when those actions were performed. In addition, documents may contain information about the computers and information systems on which the document was processed. Metadata is mostly added to documents automatically, and if it has not been removed, sensitive information about the user and the institution may end up in the document's metadata. Many users do not know that metadata exists in a document and are unaware that they may potentially leak information about the institution or the systems on which the document was processed. This information can be used to carry out cyber attacks or to map (fingerprint) an institution. This master's thesis examines the metadata of documents that are accessible on the websites of Estonian government institutions and freely available to all Internet users. More specifically, the document metadata on the websites of three government institutions is examined to find out whether the information hidden in it can be used to map the institution and to carry out possible cyber attacks. A two-stage method was used for this. The first stage consisted of developing methods for mapping institutions using only document metadata. The second stage described the analysis of, and conclusions from, the results obtained by applying the method developed in the first stage. The analysis showed that almost all documents contain metadata that can be exploited in one way or another to map an institution or to carry out cyber attacks. In the thesis we analysed a total of 2643 documents, of which 12 had their metadata removed. The remaining documents contained fragments of information describing the environment in which the documents were processed, as well as information that could be used to carry out cyber attacks. The thesis is written in English and contains 77 pages of text, 6 chapters, 41 figures and 26 tables.

Many companies and organizations use the Internet for their business activities to make information about their products and services more available to customers. Often those organizations and companies share electronic documents on their websites, such as manuals, whitepapers, guidelines, templates and other documents which are considered important to share. Documents uploaded to organizations' websites can contain extra information, such as metadata. Metadata is defined as data which describes other data. Metadata associated with documents can contain the names of authors, creator information, the document's general properties, the name of the server, or the path where the document was modified. Metadata is added to documents mainly by an automated process when the document is created, and if a document's metadata is not properly removed before sharing, it can contain sensitive information. Usually people are not aware of the existence of metadata in documents and could unwillingly leak information about their organization or about themselves. This information can be used as a basis for fingerprinting or for conducting cyber attacks. In this thesis, the metadata of electronic documents shared on the websites of Estonian governmental organizations was analyzed. More specifically, the metadata of three institutions' public documents was observed in order to identify metadata weaknesses that can be used for fingerprinting purposes. To achieve that, a fingerprinting method was developed and applied to the observed websites. This thesis is divided into two stages: the first stage describes the developed fingerprinting method, and the second stage presents the outcomes of metadata analysis with the developed method. The results of the conducted research showed that almost all documents analyzed contained information which could be used for fingerprinting purposes. We processed 2643 documents, of which only 12 had their metadata properly removed. All other documents contained pieces of information that describe the environment where the document was created and additionally exposed information that could be used for conducting cyber-attacks.
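The two theses above both rest on the same mechanism: an OOXML file is a ZIP container whose docProps/core.xml and docProps/app.xml parts carry author, last-editor, timestamp and application metadata, and whose _rels/.rels part lists the package relationships. The following is an added example, not code from either thesis or from the PoC tool they describe. It builds a minimal constructed .xlsx in memory (the names j.doe, svc_backup and Example Ministry are invented sample data), extracts those fields with the Python standard library only, and flags one anomaly a forensic examiner looks for: a modified timestamp that precedes the created timestamp. Real workbooks carry many more parts; the namespace URIs and element names used here are the ones defined by ECMA-376.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespaces of the two metadata parts and of the package relationships (ECMA-376).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
CORE_FIELDS = ["dc:creator", "cp:lastModifiedBy", "dcterms:created",
               "dcterms:modified", "cp:revision", "dc:title"]
APP_FIELDS = ["ep:Application", "ep:AppVersion", "ep:Company", "ep:TotalTime"]


def _read_fields(zf, part, fields):
    """Read the listed elements from one XML part; a missing part or element is skipped."""
    if part not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(part))
    out = {}
    for tag in fields:
        el = root.find(tag, NS)
        if el is not None and el.text:
            out[tag] = el.text.strip()
    return out


def extract_metadata(data: bytes) -> dict:
    """Open an OOXML container from bytes and return its forensically useful metadata."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        meta = {
            "parts": sorted(zf.namelist()),
            "core": _read_fields(zf, "docProps/core.xml", CORE_FIELDS),
            "app": _read_fields(zf, "docProps/app.xml", APP_FIELDS),
            "relationships": [],
        }
        if "_rels/.rels" in zf.namelist():
            root = ET.fromstring(zf.read("_rels/.rels"))
            for rel in root.findall("rel:Relationship", NS):
                # Keep only the last segment of the relationship type URI, e.g. officeDocument.
                meta["relationships"].append(
                    (rel.get("Type", "").rsplit("/", 1)[-1], rel.get("Target", "")))
    return meta


def _w3cdtf(value: str) -> datetime:
    """Parse the W3CDTF timestamps used in core.xml, e.g. 2022-03-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def timestamp_anomalies(core: dict) -> list:
    """Flag a modified timestamp that is earlier than the created timestamp."""
    created, modified = core.get("dcterms:created"), core.get("dcterms:modified")
    findings = []
    if created and modified and _w3cdtf(modified) < _w3cdtf(created):
        findings.append(f"modified {modified} precedes created {created}")
    return findings


def build_sample_xlsx(creator, last_modified_by, created, modified, application, company) -> bytes:
    """Constructed minimal .xlsx (sample input, not a real workbook) with the parts inspected above."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f'<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>'
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        '<cp:revision>3</cp:revision></cp:coreProperties>'
    )
    app = (
        f'<Properties xmlns="{NS["ep"]}"><Application>{application}</Application>'
        f'<AppVersion>16.0300</AppVersion><Company>{company}</Company>'
        '<TotalTime>42</TotalTime></Properties>'
    )
    rels = (
        f'<Relationships xmlns="{NS["rel"]}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="xl/workbook.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/>'
        '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels", rels)
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("xl/workbook.xml", '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>')
    return buf.getvalue()


# Constructed sample: author and last editor differ (a service account touched the file)
# and the modified time is earlier than the created time, which an examiner would want flagged.
SAMPLE_XLSX = build_sample_xlsx("j.doe", "svc_backup", "2022-03-01T10:00:00Z",
                                "2022-02-28T09:00:00Z", "Microsoft Excel", "Example Ministry")

if __name__ == "__main__":
    meta = extract_metadata(SAMPLE_XLSX)
    for section in ("core", "app"):
        for key, value in meta[section].items():
            print(f"{section}: {key} = {value}")
    print("relationships:", meta["relationships"])
    print("anomalies:", timestamp_anomalies(meta["core"]))
```

For a file on disk, pass `open(path, "rb").read()` to `extract_metadata`. The same fields (creator, last editor, Company, Application and its version) are exactly what the fingerprinting thesis harvests from public documents; the relationship list and part inventory are what the OOXML forensics thesis uses to find material beyond the two property parts.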

    Introductory Computer Forensics

    INTERPOL (the International Criminal Police Organization) built cybercrime programmes to keep up with emerging cyber threats, and aims to coordinate and assist international operations for fighting crimes involving computers. Although significant international efforts are being made in dealing with cybercrime and cyber-terrorism, finding effective, cooperative and collaborative ways to deal with complicated cases that span multiple jurisdictions has proven difficult in practice.

    Analysis of File Carving Approaches : A Literature Review

    Nor Ika Shahirah Ramli, Syifak Izhar Hisham and Gran Badshah. Conference paper in Advances in Cyber Security, first online 01 January 2022; part of the Communications in Computer and Information Science book series (CCIS, volume 1487).

Abstract: Digital forensics is the process of identifying, preserving, recovering, analysing and documenting digital evidence obtained from computers and other electronic devices. Data recovery and analysis on file systems is one of the most fundamental practices of digital forensic science. Much research is being done on file carving approaches, each study focusing on a different aspect. With the growing body of literature in this area, there is a need to review it for further reference. This review covers works on various aspects of carving approaches drawn from multiple digital sources including IEEE Xplore, Google Scholar and Web of Science. The analysis considers several perspectives: the current research direction of file carving, a classification of file carving approaches, and the challenges that remain. Based on the analysis, we state the current state of the art of file carving. We classify carving approaches into five categories: general carving, carving by specific file type, carving by structure, carving by file system, and carving by fragmentation. We also highlight several challenges for file carving mentioned in past research. This study will serve as a reference for researchers evaluating different carving strategies and obstacles, so that they may choose suitable carving approaches for their work and for future developments.
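To make the classification concrete, here is an added example (not code from the review or from any tool it surveys) of the simplest class, carving by specific file type with header/footer signatures, run over a constructed image fragment. It also shows the failure mode that motivates the "carving by structure" and "carving by fragmentation" classes: a JPEG whose tail has been overwritten has a header but no end-of-image marker, so the carver must bound the carve and mark it incomplete rather than swallow everything up to the end of the medium. The PNG, JPEG and PDF signatures are the real ones; the image bytes are invented sample data.

```python
# (header, footer) signatures; the PNG footer is the IEND chunk type plus its CRC,
# the JPEG footer is the EOI marker, the PDF footer is the end-of-file comment.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
DEFAULT_MAX_SIZE = 4 * 1024 * 1024  # stop looking for a footer after this many bytes


def carve(image: bytes, signatures=SIGNATURES, max_size=DEFAULT_MAX_SIZE):
    """Return (type, offset, length, complete) tuples sorted by offset.

    A header whose footer is not found within max_size bytes is still reported
    (truncated and fragmented files are common on real media) but is marked
    incomplete and bounded to max_size, so one stray header cannot swallow the image.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end >= 0:
                length = end + len(footer) - start
                complete = True
                pos = start + length        # skip the whole object before searching on
            else:
                length = min(max_size, len(image) - start)
                complete = False
                pos = start + len(header)   # only the header is trusted; keep scanning
            found.append((ftype, start, length, complete))
    return sorted(found, key=lambda f: f[1])


def carve_to_files(image: bytes, **kwargs) -> dict:
    """Map 'offset.type' names to the carved bytes (what a tool would write to disk)."""
    return {f"{off}.{ftype}": image[off:off + length]
            for ftype, off, length, _ in carve(image, **kwargs)}


def build_sample_image() -> bytes:
    """Constructed disk-image fragment: an intact PNG, a JPEG whose tail was
    overwritten (no EOI marker), and an intact PDF, separated by zero filler."""
    png = SIGNATURES["png"][0] + b"\x00" * 40 + SIGNATURES["png"][1]
    jpg_truncated = SIGNATURES["jpg"][0] + b"\xe0" + b"\x11" * 30
    pdf = SIGNATURES["pdf"][0] + b"1.7\n%fake body\n" + SIGNATURES["pdf"][1]
    filler = b"\x00" * 64
    return filler + png + filler + jpg_truncated + filler + pdf + filler


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    # With a 64-byte bound the truncated JPEG is reported as a 64-byte incomplete carve;
    # with the default bound it would run to the end of the image and overlap the PDF.
    for ftype, off, length, complete in carve(SAMPLE_IMAGE, max_size=64):
        print(f"{ftype:3} @ {off:6d} len={length:4d} {'complete' if complete else 'INCOMPLETE'}")
```

Scanning each signature over the whole image is fine for a demonstration; production carvers scan once with all headers at block boundaries and validate the carved object's internal structure (PNG chunk lengths, JPEG segment markers), which is the "carving by structure" class in the review's taxonomy.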

    Hidost: a static machine-learning-based detector of malicious files


    Evaluation of efficient XML interchange (EXI) for large datasets and as an alternative to binary JSON encodings

    Current and emerging Navy information concepts, including network-centric warfare and Navy Tactical Cloud, presume high network throughput and interoperability. The Extensible Markup Language (XML) addresses the latter requirement, but its verbosity is problematic for afloat networks. JavaScript Object Notation (JSON) is an alternative to XML common in web applications and some non-relational databases. Compact binary encodings exist for both formats. Efficient XML Interchange (EXI) is a standardized binary encoding of XML. Binary JSON (BSON) and Concise Binary Object Representation (CBOR) are JSON-compatible encodings. This work evaluates EXI compaction against both encodings, and extends evaluations of EXI to datasets of up to 4 gigabytes. In general, a configuration of EXI exists that produces a more compact encoding than BSON or CBOR. Tests show that EXI compacts structured, non-multimedia data in Microsoft Office files better than the default format. The Navy needs to consider EXI immediately for use in web, sensor and office document applications to improve throughput over constrained networks. To maximize the benefits of EXI, future work needs to evaluate EXI's parameters, and tune XML schema documents, on a case-by-case basis prior to EXI deployment. A suite of test examples and an evaluation framework also need to be developed to support this process.

http://archive.org/details/evaluationofeffi1094545196
Outstanding Thesis. Lieutenant, United States Navy. Approved for public release; distribution is unlimited.