摘要
目的电子文档易复制、易修改的特性使得文档编辑行为的分析成为电子数据取证的难点与焦点。传统的数据恢复和数据搜索无法实现重要信息的提取,由此尝试通过文件结构的分析挖掘曾经有过的编辑行为。方法结合Microsoft Office的OOXML文件格式,对Power Point2010文档中与文档来源及编辑过程相关的特征属性进行挖掘,着重分析creation ID、revision、幻灯片ID及多媒体ID随编辑操作的变化规律。结果实现了Office Power Point 2010文档的溯源分析与多媒体编辑过程重现,并通过自主研发的软件使分析工作智能化、工具化。结论基于复合文件格式可以实现Office 2003文档编辑过程恢复,基于OOXML格式不仅可以实现Office 2010文档编辑过程恢复,还可以实现文档溯源分析。
Objective Electronic documents are easy to copy and modify, so the analysis of document editing behavior becomes the difficulty and focus of electronic data forensics. Traditional data recovery and data search methods can't achieve the extraction of important information, so this study attempts to analyze the editing behavior through the analysis of document structure. Method Combined with the OOXML file format of Microsoft Office, attributes related to document sources and editing processes in Power Point 2010 documents were studied. The change rules of creation ID, revision, slide ID and multimedia ID with edit operation were analyzed emphatically. Result The traceability analysis of Office Power Point2010 document and the process of multimedia editing were realized. The analysis was made intelligent and tool oriented with the independent research and developed software. Conclusion Based on the compound file format, the Office 2003 document editing process can be restored. Based on the OOXML format, not only can the Office 2010 document editing process be restored, but also the document traceability analysis can be realized.
出处
《中国司法鉴定》
2017年第5期52-57,共6页
Chinese Journal of Forensic Sciences
基金
公安部技术研究计划项目(2015JSYJC04)
辽宁省教育厅科研项目
