Build Version: 0.0.1(alpha)
Change Type: feature update
Affected Components: API
Short Description: OOXML 'document' file parser has been updated to detect and extract "Drawing Object Non-Visual Properties".
Example: https://iris-h.malwageddon.com/report/380710e90e15242de982aede9a62c66e
Outstanding Tasks: None
Detailed Summary
"Drawing Object Non-Visual Properties(docPr) element specifies non-visual object properties for the parent DrawingML object. These properties are specified as child elements of 'docPr' element." - ECMA-376 Part 1 (section 20.4.2.5)
OOXML 'document' file parser has been updated to extract non-visual object properties associated with inline drawing objects(pictures). The extracted data will be displayed in the corresponding 'document' panel under 'Individual Components' section on the report page. The following properties will be considered:
- descr - Specifies alternative text for the current DrawingML object, for use by assistive technologies or applications which do not display the current object.
- hidden - Specifies whether this DrawingML object is displayed. When a DrawingML object is displayed within a document, that object can be hidden (i.e., present, but not visible).
- name - Specifies the name of the object. Typically, this is used to store the original file name of a picture object.
- title - Specifies the title (caption) of the current DrawingML object.
Some of the above properties might be omitted from the property set. IRIS-H will only extract and display properties present in the set. See below for an example:
 |
| 'document' panel showing non-visual object properties extracted from inline drawing object |
As seen in the screenshot above, these properties might contain digital artifacts that can be helpful in a digital forensics investigation.
Full report for the example above can be found here - https://iris-h.malwageddon.com/report/380710e90e15242de982aede9a62c66e
No comments:
Post a Comment