Towards the Memory Forensics of MS Word Documents

  • Conference paper
  • In: Information Technology - New Generations

Abstract

Memory forensics plays a vital role in digital forensics: it provides important information about a user's activities on a digital device. Various techniques can be used to analyze RAM and locate evidence that supports legal proceedings against digital perpetrators in a court of law. This paper investigates digital evidence related to MS Word documents. Our approach utilizes the XML representation used internally by MS Office. Different documents are investigated: a memory dump is created while each document is being viewed or edited, and again after the document is closed. The documents used are decompressed, and the resulting folders and XML files are analyzed. Various unique parts of these extracted files are successfully located in the subsequent RAM dumps. Results show that several portions of the MS Word document format and textual data can be located in RAM, and these portions would prove that the document is or was viewed or edited by the perpetrator.
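The workflow the abstract sketches (decompress the OOXML package, derive distinctive XML fragments and text runs from its parts, then search a memory image for them), as an added Python example that is not part of the paper. The single-part .docx and the "dump" bytes are constructed inline; searching for a UTF-16 copy of the text is an assumption about how Word may hold text in memory, not a result the abstract states.

```python
import io
import re
import zipfile

# Constructed minimal OOXML part (a real Word file carries many more parts).
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
    '<w:t>Quarterly revenue fell 12 percent</w:t></w:r></w:p></w:body></w:document>'
)

def build_docx() -> bytes:
    """Assemble an in-memory .docx: OOXML is a zip container of XML parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()

def extract_signatures(docx: bytes) -> dict:
    """Decompress the package and derive byte patterns worth searching for in RAM."""
    sigs = {}
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            xml = z.read(name).decode("utf-8")
            # The root element of each part is a structural marker of the format.
            root = re.search(r"<(?!\?)[^>]+>", xml).group(0)
            sigs[f"{name}:root"] = root.encode("utf-8")
            # Visible text sits in <w:t>; assume it may surface as UTF-8 XML or UTF-16 runs.
            for i, t in enumerate(re.findall(r"<w:t[^>]*>([^<]+)</w:t>", xml)):
                sigs[f"{name}:text{i}:utf8"] = t.encode("utf-8")
                sigs[f"{name}:text{i}:utf16"] = t.encode("utf-16-le")
    return sigs

def scan_dump(dump: bytes, sigs: dict) -> dict:
    """Map each signature found in the dump to the byte offsets where it occurs."""
    hits = {}
    for name, pat in sigs.items():
        offs = [m.start() for m in re.finditer(re.escape(pat), dump)]
        if offs:
            hits[name] = offs
    return hits

def demo() -> dict:
    """Plant two fragments in a constructed dump and report which signatures are recovered."""
    sigs = extract_signatures(build_docx())
    dump = (b"\x00" * 64 + "Quarterly revenue fell 12 percent".encode("utf-16-le")
            + b"\xff" * 32 + f'<w:document xmlns:w="{W_NS}">'.encode() + b"\x00" * 16)
    return scan_dump(dump, sigs)
```

Against a real acquisition the same signatures would be run over the raw image file (or a process's carved memory) instead of the constructed buffer; the UTF-8 text run is deliberately absent from the planted dump to show that each encoding must be searched separately.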



Acknowledgements

This research was supported in part by Jordan University of Science and Technology.

Corresponding author

Correspondence to Ziad A. Al-Sharif.

Copyright information

© 2018 Springer International Publishing AG

Cite this paper

Al-Sharif, Z.A., Bagci, H., Zaitoun, T.A., Asad, A. (2018). Towards the Memory Forensics of MS Word Documents. In: Latifi, S. (eds) Information Technology - New Generations. Advances in Intelligent Systems and Computing, vol 558. Springer, Cham. https://doi.org/10.1007/978-3-319-54978-1_25

  • DOI: https://doi.org/10.1007/978-3-319-54978-1_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-54977-4

  • Online ISBN: 978-3-319-54978-1
