View Issue Details

IDProjectCategoryView StatusLast Update
0002096libextractorpluginspublic2012-01-26 20:37
ReporterChristian Grothoff Assigned To 
Status newResolutionopen 
Product VersionGit master 
Summary0002096: extract user name from file protection records in MS office formats
DescriptionSection 4.19 says something about a user name for write access in Excel documents (see attached file). This would be something useful to extract (as well as the rest of the access permission information).
TagsNo tags attached.
Attached Files
excelfileformat.pdf (1,196,627 bytes)


Christian Grothoff

2012-01-21 18:28

manager   ~0005331

Christian Grothoff

2012-01-21 19:34

manager   ~0005332

Last edited: 2012-01-21 19:39

Also of interest are the OLE Property sets (in [MS-OSHARED].pdf in the zip file from the page linked above). We might be getting some of those already, couldn't hurt to double-check though. The following subsections (up to are also interesting. PropertySetSystemIdentifier might also give a bit of information (OS).

Christian Grothoff

2012-01-21 19:42

manager   ~0005333

Last edited: 2012-01-21 19:45

I wonder if the applicationCIsid in the DocumentSummaryInfoStream (page 146 in the above-mentioned document) is really always all-zeros, or if there is a unique identifier for the Office installation in there. We should check...

This page
would seem to give a way to find the CISID of locally installed apps. Given that bit pattern, we could then just check if a file created on the system contains the pattern at all (this might depend on the specific Office version, maybe only older versions used this?).

Issue History

Date Modified Username Field Change
2012-01-21 17:57 Christian Grothoff New Issue
2012-01-21 17:57 Christian Grothoff File Added: excelfileformat.pdf
2012-01-21 18:28 Christian Grothoff Note Added: 0005331
2012-01-21 19:34 Christian Grothoff Note Added: 0005332
2012-01-21 19:37 Christian Grothoff Note Edited: 0005332
2012-01-21 19:39 Christian Grothoff Note Edited: 0005332
2012-01-21 19:42 Christian Grothoff Note Added: 0005333
2012-01-21 19:45 Christian Grothoff Note Edited: 0005333
2012-01-26 20:37 Christian Grothoff Severity block => feature