Browse > Article
http://dx.doi.org/10.13089/JKIISC.2018.28.6.1439

Study on History Tracking Technique of the Document File through RSID Analysis in MS Word  

Joun, Jihun (Institute of Cyber Security & Privacy (ICSP), Korea University)
Han, Jaehyeok (Institute of Cyber Security & Privacy (ICSP), Korea University)
Jung, Doowon (Institute of Cyber Security & Privacy (ICSP), Korea University)
Lee, Sangjin (Institute of Cyber Security & Privacy (ICSP), Korea University)
Abstract
Many electronic document files, including Microsoft Office Word (MS Word), have become a major issue in various legal disputes such as privacy, contract forgery, and trade secret leakage. The internal metadata of OOXML (Office Open XML) format, which is used since MS Word 2007, stores the unique Revision Identifier (RSID). The RSID is a distinct value assigned to a corresponding word, sentence, or paragraph that has been created/modified/deleted after a document is saved. Also, document history, such as addition/correction/deletion of contents or the order of creation, can be tracked using the RSID. In this paper, we propose a methodology to investigate discrimination between the original document and copy as well as possible document file leakage by utilizing the changes of the RSID according to the user's behavior.
Keywords
Revision Identifier; Document forensics; OOXML; MS Word;
Citations & Related Records
연도 인용수 순위
  • Reference
1 H. Langweg, "OOXML file analysis of the July 22nd terrorist manual," 13th International Conference on Communications and Multimedia Security, Sep. 2012.
2 S.L. Garfinkel and J.J. Migletz, "New XML-based files implications for forensics," IEEE Security and Privacy, vol. 7, no. 2, Mar-Apr. 2009.
3 H. Chung, J. Park, and S. Lee, "Forensic analysis of residual information in adobe PDF files," Communications in Computer and Information Science, vol. 185, 2011.
4 Y.M. Lee and S. Lee, "A Study for Forensic Methods of MS Excel Files," MS. Thesis, Korea University, 2015.
5 D. Jeong and S. Lee, "Study on the tracking revision history of MS Word files for forensic investigation," Digital Investigation, vol. 23, pp. 3-10, Dec. 2017.   DOI
6 B. Park, J. Park, and S. Lee, "Data concealment and detection in Microsoft Office 2007 files," Digital Investigation, vol. 5, no. 3-4, pp. 104-114, Mar. 2009.   DOI
7 Z. Fu, X. Sun, Y. Liu, and B. Li, "Forensic investigation of OOXML format documents," Digital Investigation, vol. 8, no. 1, pp. 48-55, Jul. 2011.   DOI
8 E. Didriksen, "Forensic analysis of OOXML documents," MS. Thesis, Gjovik University College, 2014.
9 ECMA, "ECMA-376-1:2016 Office Open XML file format - fondamentals and markup language reference," ECMA International Publication, Oct. 2016.