Forensicswiki.org has moved to this site, forensicswiki.xyz. For information, please join the Google Group forensicswiki-reborn
Word Document (DOC)
The Word Document (DOC) file format has the .doc extension. This file type originates from Microsoft Word. However, other word processing software can be used to display these files as well. These include:
The Word DOC file format should not be confused with DOCX.
The object stream of the OLECF containing a Word document contains the string "Word.Document" with some version.
Word 97-2003 documents
The Word Binary File format is stored in the OLECF using multiple streams:
- WordDocument stream
- Table stream (0Table, 1Table)
- Data stream
Versions 97/2000 encrypt documents with a very weak algorithm. This password scheme can be broken easily by several different products and it is possible to decrypt the contents without discovering the password. This is done by testing all 1,099,511,627,776 possible keys. Ultimate Zip Cracker by VDGSoftware is one utility that can perform this decryption.
On a unix-like machine try this command to extract strings from a .doc file:
cat /tmp/test.doc | tr -d \\0 | strings | more
(where /tmp/test.doc is the path to your .doc file)
Note that a Word 97 and later document can contain both extended ASCII with codepage 1252 (codepage 1252 compressed text) and UTF-16 little-endian text. Word document can also contain 'East Asian' or 'Complex script' languages. Also the text stream contains information about all the parts of the Word document (header/footer, foot/endnote, annotation, etc.) Therefore using basic Unix string is very rough approach of finding data in a Word document. Use the wvtools or more sophisticated tools instead.