What remnants does ...
 
Notifications
Clear all

What remnants does Word leave on the local disk?  

  RSS
twospoonfuls
(@twospoonfuls)
New Member

To elaborate, I work for a health care company and am always concerned about HIPAA and privacy. If I am editing a Microsoft Word or Excel file from a flash drive on a public computer, and it's only ever saved to that flash drive, does anyone know what information Word or Excel might save to the hard drive, whether it's a temporary file, something in the virtual memory, etc.? Any insight would be most appreciated. Thank you all for your time.

Quote
Posted : 03/01/2017 8:55 pm
Passmark
(@passmark)
Active Member

There could be a lot of changes. Some examples,

Word's most recently used file list in the registry

Explorer's recent docs in the registry

LNK files in the roaming folder
C\Users\\AppData\Roaming\Microsoft\Office\Recent\.docx.LNK

IconCache files.

The list of USB drives used from the registry

Windows search index updates

Jump list data

Maybe changes to the \SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery registry entries.

Of course what is actually available will depend on the Operating system, how long ago the document was edited, the version of Word used, and several other factors. (for example if the machine was hibernated when the document was still open in Word).

ReplyQuote
Posted : 04/01/2017 4:06 am
randomaccess
(@randomaccess)
Active Member

I dont think the OP is talking specifically about the metadata

I think the temp files are still saved in the same directory as the original file, but if word crashes the temp/crashdump will probably be saved temporarily in the appdata or temp folder (cant remember off the top of my head).

Otherwise content could appear in the pagefile or hiberfil.

If you're really serious about not letting any data off the flash drive then only plug it into a computer you have control of.

ReplyQuote
Posted : 04/01/2017 3:38 pm
lcherne
(@lcherne)
New Member

I think the temp files are still saved in the same directory as the original file, but if word crashes the temp/crashdump will probably be saved temporarily in the appdata or temp folder (cant remember off the top of my head).
.

One other place to look for file content depending on the type of device you are plugging in; if you happen to be using a MTP device, check out the "WPDNSE" folder. Nicole Ibrahim has documented this on her blog and SANS presentation.

http//nicoleibrahim.com/part-6-usb-device-research-open-file-artifacts-lnk-files/

ReplyQuote
Posted : 04/01/2017 10:21 pm
randomaccess
(@randomaccess)
Active Member

One other place to look for file content depending on the type of device you are plugging in; if you happen to be using a MTP device, check out the "WPDNSE" folder. Nicole Ibrahim has documented this on her blog and SANS presentation.

http//nicoleibrahim.com/part-6-usb-device-research-open-file-artifacts-lnk-files/

True except if he's working off a usb drive it's unlikely that it'll be an MTP device

ReplyQuote
Posted : 05/01/2017 3:40 pm
Share: