Taking advantages of a disadvantage: Digital forensics and steganography using document metadata

All the information contained in a plain-text document are visible to everybody. On the other hand, compound documents using opaque formats, like Microsoft Compound Document File Format, may contain undisclosed data such as authors name, organizational information of users involved, previously deleted text, machine related information, and much more. Those information could be exploited by third party for illegal purposes. Computer users are unaware of the problem and, even though the Internet offers several tools to clean hidden data from documents, they are not widespread. Furthermore, there is only one paper about this problem in scientific literature, but there is no detailed analysis. In this paper we fill the gap, analyzing the problem with its causes and then we show how to take advantage of this issue: we show how hidden data may be extracted to gain evidence in forensic environment where even a small piece of information may be relevant and we also introduce a new stegosystem especially designed for Microsoft Office documents. We developed FTA, a tool to improve forensic analysis of Microsoft Office documents, and StegOle, another tool that implements a new stegosystem for Microsoft Office documents. This is the first scientific paper to address the problem from both a steganographic and a forensic point of view. (c) 2006 Elsevier Inc. All rights reserved.