It was an interesting concept and a welcomed addition to Office 2007 that we were able to edit images right in the Word document itself. So, what happens to the original image that we cropped? We know that older version of Office was keeping tracked changes even after tracking was turned off, so leaving something intact is not a new concept to Microsoft.
So, what happens when you add an image add crop it. Let me show you.
Here, I added an image to a Word document. Nothing special here.
So, now I cropped a portion of the image where the CNSS logo is not showing anymore. So, if I open this document, I will only see CSEC from now on. So, what happens behind the scene?
Looking at the Word document in Hex viewer, we can see that a Word document .docx is just a ZIP file with standard signature PK.
Therefore, we can just simply change the file extension to .zip and extract its contents. It seems the media additions to a word document is stored in word\media folder. It is also interesting to see the time stamp associated with this image. IT is even more interesting that some tools like FTK Imager shows this time stamp as 1/1/1980 instead of 12/29/1899.
Never the less, if we open the image, we can see that it is the original full sized image.
Just to show what it looks like in the $MFT record, the time stamp ( Green ) is the actual time stamp when the zip file was extracted, but the ( Yellow ) time stamp is the seemingly a default time since I have not seen other time stamp, but this value in all documents.
Conclusion
It might be important to filter for DOCX files and extract the media from them to see if anyone manipulated and cropped portions of the images. On the other hand, since word documents are zip archives, some forensic tools report them as wrong file types while there is nothing wrong with them. In any case, if an investigator mounts the file structure of these files, the full image will show up in the Gallery view and the investigator might believe the user actually must have seen the full image while it is possible that only a portion of the image was visible to the user. So, keep this in mind in your investigations.
No comments:
Post a Comment