TY - GEN
T1 - A tool for the detection of hidden data in Microsoft compound document file format
AU - Kwon, Hyukdon
AU - Yeog, Kim
AU - Sangjin, Lee
AU - Jongin, Lim
PY - 2008
Y1 - 2008
N2 - For digital forensic investigators, files that use Microsoft Compound Document File Format (MCDFF) present a problem: It is easy to hide information in MCDFF but hard to detect hidden data in them. Using an application downloaded from the internet and Win32 API (Application programming interface), it is possible for a criminal to hide information in MCDFF which might be important to an investigation. Prior to our research, no tool existed to detect data hidden in MCDFF, making analysis of MCDFF for investigations a difficult process. This paper presents an analysis of MCDFF features exploited in order to hide data and a tool ("DOCdetector") to detect hidden data using these exploits. Studying methods used to hide data in unused space and inserted Streams led us to develop DOCdetector tool to aid in the detection and examination of hidden data.
AB - For digital forensic investigators, files that use Microsoft Compound Document File Format (MCDFF) present a problem: It is easy to hide information in MCDFF but hard to detect hidden data in them. Using an application downloaded from the internet and Win32 API (Application programming interface), it is possible for a criminal to hide information in MCDFF which might be important to an investigation. Prior to our research, no tool existed to detect data hidden in MCDFF, making analysis of MCDFF for investigations a difficult process. This paper presents an analysis of MCDFF features exploited in order to hide data and a tool ("DOCdetector") to detect hidden data using these exploits. Studying methods used to hide data in unused space and inserted Streams led us to develop DOCdetector tool to aid in the detection and examination of hidden data.
UR - http://www.scopus.com/inward/record.url?scp=48349100694&partnerID=8YFLogxK
U2 - 10.1109/ICISS.2008.19
DO - 10.1109/ICISS.2008.19
M3 - Conference contribution
AN - SCOPUS:48349100694
SN - 076953080X
SN - 9780769530802
T3 - Proceedings of the International Conference on Information Science and Security, ICISS 2008
SP - 141
EP - 146
BT - Proceedings of the International Conference on Information Science and Security, ICISS 2008
PB - IEEE Computer Society
T2 - International Conference on Information Science and Security, ICISS 2008
Y2 - 10 January 2008 through 12 January 2008
ER -