Hello everyone,
it's been a while since my last post :)
I was wondering if there are tools or a way to determine the version used to produce a specific Microsoft Office document and identify the encryption used when a password is applied.
I know that tools like Password Recovery Toolkit and similar do it automatically while processing the file, but I would like a more methodical way to say "ok, it's an RC4 40bit, so I have a good chance of breaking it" or "it's a 256bit AES, I can try it but if the password is complex it would take a lot of time".
I've tried the "file" command but it simply says it's an Office document and nothing more :)
Thanks in advance.
Sorry double post, see below.
jaclaz
I was wondering if there are tools or a way to determine the version used to produce a specific Microsoft Office document and identify the encryption used when a password is applied.
There is some info "embedded" in a .doc (but cannot say if it applies also to password protected ones)
http//
jaclaz
Carvey's wmd.pl script will parse out which version created/saved the document.
I don't know about the encryption.
Thank you very much for the help, I'm trying to run this script both on Linux and Windows but I'm experiencing some issues, probably missing dependencies.
Yes, dependencies can be a pain. Here is the webpage I used to install all the dependencies.
http//
I did this on Ubuntu 10.10.
Thanks for your reply, I've followed that howto but the package install OLEPropertySet doesn't seem to exist in CPAN, and when I execute the script, even after copying MSWord.pm into PATH, the script says it can't find it.
Rampage
Word 97 and 2000 documents do not have their metadata encrypted. Hence, you should be able to obtain the information regarding the version from the metadata of these documents.
XP and 2003 the encryption was fundamentally changed so the metadata was encrypted. However, in terms of the encryption used, by default the documents were saved to be backward compatible with 97. Hence, any such documents may be worth starting with (I am assuming you are trying to compile a golden database to ultimately target stronger encrypted items?).
You may find the following useful about XP and 2003 encryption http//
2007 and 2010 by default use AES 128bit with options to use 256bit.
Bear in mind, that the extension for 97-2003 is "doc" and from 2007 onwards this was changed to "docx". Of course a user could change this but it may be a good place to start in your analysis.
Kind regards
Sam
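The following Python function is an added example, not code from any poster in this thread: it reads the version and algorithm fields of an Office encryption header, as laid out in Microsoft's MS-OFFCRYPTO specification, and reports the cipher and key length. It assumes the header bytes have already been pulled out of the file (the EncryptionInfo stream of an encrypted 2007+ document, or the header at the start of the table stream of an encrypted .doc); the function name and the sample headers are constructed for illustration.

```python
import struct
import xml.etree.ElementTree as ET

# CryptoAPI AlgID values defined for the MS-OFFCRYPTO EncryptionHeader
ALG_IDS = {0x6801: "RC4", 0x660E: "AES", 0x660F: "AES", 0x6610: "AES"}

def describe_encryption(blob: bytes) -> dict:
    """Classify an Office encryption header from its raw bytes."""
    if len(blob) < 4:
        raise ValueError("header too short")
    major, minor = struct.unpack_from("<HH", blob, 0)
    if (major, minor) == (1, 1):
        # Office 97-compatible binary RC4: the key is always 40 bits
        return {"scheme": "Binary RC4", "cipher": "RC4", "key_bits": 40}
    if (major, minor) == (4, 4):
        # Agile: 4 reserved bytes after the version, then an XML descriptor
        root = ET.fromstring(blob[8:])
        key_data = next(e for e in root.iter() if e.tag.endswith("keyData"))
        return {"scheme": "Agile", "cipher": key_data.get("cipherAlgorithm"),
                "key_bits": int(key_data.get("keyBits"))}
    if major in (2, 3, 4) and minor == 2:
        # version(4) flags(4) header_size(4), then the EncryptionHeader:
        # Flags, SizeExtra, AlgID, AlgIDHash, KeySize, ...
        if len(blob) < 32:
            raise ValueError("truncated EncryptionHeader")
        alg_id, _alg_hash, key_bits = struct.unpack_from("<3I", blob, 20)
        cipher = ALG_IDS.get(alg_id, "unknown (AlgID 0x%04X)" % alg_id)
        if cipher == "RC4" and key_bits == 0:
            key_bits = 40  # a KeySize of 0 means 40-bit RC4
        scheme = {"RC4": "RC4 CryptoAPI", "AES": "Standard"}.get(cipher, "unknown")
        return {"scheme": scheme, "cipher": cipher, "key_bits": key_bits}
    raise ValueError("unrecognised encryption version %d.%d" % (major, minor))

# Constructed sample headers (not taken from real documents)
SAMPLE_RC4_40 = struct.pack("<HH", 1, 1) + bytes(48)
SAMPLE_CRYPTOAPI = struct.pack("<HHII8I", 2, 2, 0x04, 32,
                               0x04, 0, 0x6801, 0x8004, 128, 1, 0, 0)
SAMPLE_STANDARD = struct.pack("<HHII8I", 3, 2, 0x24, 32,
                              0x24, 0, 0x660E, 0x8004, 128, 0x18, 0, 0)
SAMPLE_AGILE = struct.pack("<HHI", 4, 4, 0x40) + (
    b'<encryption xmlns="http://schemas.microsoft.com/office/2006/encryption">'
    b'<keyData cipherAlgorithm="AES" keyBits="256"/></encryption>')

if __name__ == "__main__":
    for name in ("SAMPLE_RC4_40", "SAMPLE_CRYPTOAPI", "SAMPLE_STANDARD", "SAMPLE_AGILE"):
        print(name, describe_encryption(globals()[name]))
```

Documents protected with the older XOR obfuscation carry no header of this kind and are not covered by this function.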
Rampage
Word 97 and 2000 documents do not have their metadata encrypted. Hence, you should be able to obtain the information regarding the version from the metadata of these documents.
XP and 2003 the encryption was fundamentally changed so the metadata was encrypted. However, in terms of the encryption used, by default the documents were saved to be backward compatible with 97. Hence, any such documents may be worth starting with (I am assuming you are trying to compile a golden database to ultimately target stronger encrypted items?).
You may find the following useful about XP and 2003 encryption http://support.microsoft.com/kb/290112
2007 and 2010 by default use AES 128bit with options to use 256bit.
Bear in mind, that the extension for 97-2003 is "doc" and from 2007 onwards this was changed to "docx". Of course a user could change this but it may be a good place to start in your analysis.
Kind regards
Sam
Oh well no, I was just trying to make my write-up a little bit more scientific than "ok, I got the Excel file, let's see if I can break it" :) I've already opened it in a matter of seconds because the encryption was the crap one, but a bit more information on why would be a good complementary element.
Thanks for your reply, I've followed that howto but the package install OLEPropertySet doesn't seem to exist in CPAN, and when I execute the script, even after copying MSWord.pm into PATH, the script says it can't find it.
I think I had the same issue. I just ignored it and it still worked.
But that was a while ago, so don't take my word for it.