Date of Award:
12-2008
Document Type:
Thesis
Degree Name:
Master of Science (MS)
Department:
Computer Science
Committee Chair(s):
Robert F. Erbacher
Committee:
Robert F. Erbacher
Scott Cannon
Stephen W. Clyde
Abstract
Common office documents provide significant opportunity for forensic and anti-forensic work. The Object Linking and Embedding 2 (OLE2) specification, used primarily by Microsoft’s Office Suite, contains unused or dead space regions that can be overwritten to hide covert channels of communication. This thesis describes a technique to detect those covert channels and also describes a different method of encoding that lowers the probability of detection.
The algorithm developed, called OleDetection, is based on the use of kurtosis and byte frequency distribution statistics to accurately identify OLE2 documents with covert channels. OleDetection correctly identifies 99.97 percent of documents containing a covert channel, with a false positive rate of only 0.65 percent.
The improved encoding scheme encodes the covert channel using patterns found in unmodified dead space regions. This anti-forensic technique allows the covert channel to masquerade as normal data, lowering the probability that any detection tool can detect its presence.
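To illustrate the kind of statistic the abstract names, the following is an added Python example, not code from the thesis: it builds the byte frequency distribution of a dead space region and computes its excess kurtosis, so that a region whose histogram is far flatter than untouched dead space can be flagged. The zero-filled "pristine" region, the constructed random "covert" region and the threshold of 20.0 are assumptions for the demonstration, not values or rules taken from OleDetection.

```python
"""Byte-frequency kurtosis as a covert-channel indicator for an OLE2 dead space region."""
import random


def byte_frequency(region: bytes) -> list:
    """Return the 256-entry histogram of byte values found in the region."""
    counts = [0] * 256
    for b in region:
        counts[b] += 1
    return counts


def excess_kurtosis(values) -> float:
    """Population excess kurtosis (Fisher definition) of a sequence of numbers."""
    n = len(values)
    mean = sum(values) / n
    m2 = sum((v - mean) ** 2 for v in values) / n
    if m2 == 0:  # every histogram bin equal: no spread to measure
        return 0.0
    m4 = sum((v - mean) ** 4 for v in values) / n
    return m4 / (m2 * m2) - 3.0


def region_kurtosis(region: bytes) -> float:
    """Kurtosis of the region's byte histogram: a few dominant byte values give a
    very peaked histogram (high kurtosis); embedded high-entropy data flattens it."""
    return excess_kurtosis(byte_frequency(region))


def looks_modified(region: bytes, threshold: float = 20.0) -> bool:
    """Flag a region whose histogram is flatter than expected for unused dead space.
    The threshold is an illustrative assumption, not a value from the thesis."""
    return region_kurtosis(region) < threshold


# Constructed sample regions (assumptions): untouched dead space modelled as
# zero fill, and a region overwritten with seeded pseudo-random payload bytes.
PRISTINE_REGION = bytes(1024)
_rng = random.Random(1)
COVERT_REGION = bytes(_rng.getrandbits(8) for _ in range(1024))

if __name__ == "__main__":
    for name, region in (("pristine", PRISTINE_REGION), ("covert", COVERT_REGION)):
        print(f"{name}: kurtosis={region_kurtosis(region):.2f} "
              f"flagged={looks_modified(region)}")
```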
Checksum
a73f5bdbae2c2d7dee2d810f7a09b230
Recommended Citation
Daniels, Jason M., "Forensic and Anti-Forensic Techniques for Object Linking and Embedding 2 (OLE2)-Formatted Documents" (2008). All Graduate Theses and Dissertations, Spring 1920 to Summer 2023. 141.
https://digitalcommons.usu.edu/etd/141