SANS Digital Forensics and Incident Response Blog: Tag - openxml

Office 2007 Metadata

Metadata information from documents can be a great source of information for investigators and it's value has often been discussed before. Documents created using Microsoft Office often come up during investigations. There are several scripts and tools out there to read the proprietary binary format of Office documents created using Office 2003 and earlier versions so there is not more to add to those tools. Yet there aren't that many tools out there that can list the metadata information from the new format that Office 2007 uses, OpenXML. So I decided to examine it a bit further.

Microsoft has already published a good enough document describing the structure of OpenXML [1]. Essentially a document created in the OpenXML document format is a compressed file, using the well known ZIP