The tools so far:
- Use the zip's Extra Field to hide data. This toolsuite will inject data in many ways, and supports compression, encryption, fragmentation and timestamp manipulation. The extractor tool will autodetect such hidden content and optionally decrypt the data with a specified key. Of course, no error messages are shown when opening such documents in Office (Word, Excel, PowerPoint...) or OpenOffice. Even more interesting is that digitally signed documents still appear genuine after manipulation. Follow the referenced thread at the bottom to read more details about this toolsuite. This method seems to work with most zip-based stuff, and is not limited to ooXML solutions. Download: http://reboot.pro/fi...-steganography/
- Use the signature of signed documents to hide the data. This method takes advantage of the fact that the way MS Office has implemented its signing scheme is limited in what document content is actually protected. This method is different from method 1, in that it is not the zip specification that is (ab)used, but the ooXML specification and MS Office's implementation of it. This toolsuite will compress and encode the data before injecting it into the signature file. By following the referenced thread at forensicfocus, you will notice more ways to manipulate signed documents like in this method. This method is untested on documents not signed by MS Office, but I suspect it will also work for OpenOffice etc., since the method is in accordance with the ooXML specification. Seriously, the way I see it, at least MS Office's implementation seems flawed, because document metadata (for example) can be changed without invalidating the signature. Download: http://reboot.pro/fi...gnaturetweaker/
- Make an encrypted docx (Word document) invisible. This method really uses a flaw in Word (yes, I can't imagine anything but a flaw!). By some manipulation of the file header, Word will decrypt and open an empty document, keeping the original document hidden. Also described in detail in the referenced thread. Download tool: http://reboot.pro/fi...ypteddocxhider/ For fun, you can also download an encrypted test document: http://www.mediafire...4xsp2fw24alhxp7 Verify the empty document by using the decryption key "joakim". Then use the tool to repatch the header, and verify that a non-empty document has now become visible. This will require Office (Word) 2007 or 2010 though. Excel and PowerPoint do not seem to be affected by this flaw.
If you have other interesting tricks in the same category, then let me know.
Related and interesting reading on the subject:
http://en.wikipedia....ip_(file_format)
https://ir.library.d...ay_Muhammad.pdf
http://www.irongeek....anography-intro
http://www.ecma-inte...ds/Ecma-376.htm
http://www.renownedm...-word-document/
http://www.reversing...s/NyxEngine.php
My original thread: http://www.forensicf...iewtopic&t=7918
@Nuno
I will also attach the files in the download section shortly. Edit: Now done.
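
A defender-side check for the Extra Field method in the first item, as an added example that is not part of the original post or its toolsuite: it walks every entry of a zip-based document and reports extra-field records whose header ID is not on an allow-list, in both the local header and the central directory. The allow-list, the function names and the sample record with ID 0xBEEF are assumptions made for this illustration.

```python
import io
import struct
import zipfile

# Assumed allow-list: a few header IDs documented in PKWARE's APPNOTE
# (Zip64, NTFS, UNIX, ext. timestamp, Info-ZIP UNIX, Unicode path, AES, OPC growth hint).
KNOWN_IDS = {0x0001, 0x000A, 0x000D, 0x5455, 0x7875, 0x7075, 0x9901, 0xA220}

def parse_extra(blob):
    """Split an extra field into (header_id, data) records.
    Bytes that do not form a complete record are returned under ID None."""
    records, pos = [], 0
    while pos + 4 <= len(blob):
        hid, size = struct.unpack_from("<HH", blob, pos)
        if pos + 4 + size > len(blob):
            break
        records.append((hid, blob[pos + 4:pos + 4 + size]))
        pos += 4 + size
    if pos < len(blob):
        records.append((None, blob[pos:]))
    return records

def local_extra(raw, info):
    """Extra field from the local file header; it can differ from the central copy."""
    name_len, extra_len = struct.unpack_from("<HH", raw, info.header_offset + 26)
    start = info.header_offset + 30 + name_len
    return raw[start:start + extra_len]

def audit(raw):
    """Return (filename, location, header_id, data_length) for each unlisted record."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for info in zf.infolist():
            for where, blob in (("central", info.extra), ("local", local_extra(raw, info))):
                for hid, data in parse_extra(blob):
                    if hid not in KNOWN_IDS:
                        findings.append((info.filename, where, hid, len(data)))
    return findings

def constructed_sample():
    """Constructed test archive: one clean entry, one with an unlisted record."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        tagged = zipfile.ZipInfo("word/document.xml")
        tagged.extra = struct.pack("<HH", 0xBEEF, 5) + b"hello"  # constructed ID and data
        zf.writestr(tagged, "<document/>")
    return buf.getvalue()
```

Python's `zipfile` raises `BadZipFile` on a malformed central-directory extra field, which is itself worth treating as a finding when triaging documents.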