SANS Digital Forensics and Incident Response Blog: Tag - Document Forensics

Making Reviewing Files From Data Carving Easier: Documents

This is my second installment on dealing with files recovered through the use of data carving tools. As I said in my previous post on data carving, doing corporate forensics means I end up with mountains of files to go through after running data carvers like Foremost/Scalpel or Photorec. Most of the programs out there either can't handle that number of files or are very time-consuming to work with. One of the worst categories to go through was document files. You know the


Extracting VB Macro Code from Malicious MS Office Documents

An incident responder or forensic investigator should be prepared to examine potentially malicious document files, which may be located on the compromised system or discovered in email, web, or other network streams. After all, embedding malicious code into documents, such as Excel spreadsheets or Adobe Acrobat PDF files, is quite effective at bypassing perimeter defenses. This note deals with one such scenario, focusing on how to extract Visual Basic (VB) macro code that may be embedded in malicious Microsoft Office files. I will discuss how to extract macros from both legacy binary Office files (.doc, .xls, .ppt) and modern XML-based Office formats that support macros (such as .docm, .xlsm, .pptm). As you'll see, OfficeMalScanner will be my tool of choice for getting the job