Running a keyword search uncovers text that Autopsy attributes to a specific Word document. Autopsy gives me a full path to the file. When I export the file and open it, it is a blank document. When I look at the document in a hex editor, the text does not appear inside the document.

Can someone explain to me what is happening here? I thought the text was from an autosave of the Word document that should be viewable from a hex editor, but it is not. Is it possible that Autopsy is attributing the text incorrectly, or, more likely, am I ignorant of what exactly Autopsy is showing me?

Tim Lane

I suspect you are looking at a .docx formatted file (not all Microsoft Word files are created equal). These are, in form, compressed Zip files made up of several folders and files. Autopsy will decompress the files as part of the Archive ingest module, exposing the uncompressed content to the indexing engine and keyword searching.

The keyword may have been a formatting component of the document or document metadata and not page text. Therefore, you would not see the keyword on the page.

When you look at the original file in a hex editor, you are seeing the compressed Zip file and are unlikely to find the keyword. You could decompress the file with your favorite Zip tool, such as 7-zip, and search the components for your keyword to validate the Autopsy search result.

If this doesn't address your question, please post screen shots and/or the original file, if possible.
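
The validation step suggested above, as an added example that is not part of the original posts: it checks whether a keyword appears in the raw bytes of a .docx (what a hex editor shows) and in each decompressed part of the archive. The sample archive, the keyword "Falcon" and the function names are constructed for illustration.

```python
import io
import zipfile


def find_keyword_in_docx(data: bytes, keyword: str):
    """Return (found_in_raw_bytes, [archive parts containing the keyword])."""
    # XML parts are normally UTF-8; UTF-16 is also checked. ASCII case is ignored.
    needles = [keyword.lower().encode("utf-8"), keyword.lower().encode("utf-16-le")]
    raw_hit = any(n in data.lower() for n in needles)
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info).lower()  # decompressed bytes of this part
            if any(n in content for n in needles):
                hits.append(info.filename)
    return raw_hit, hits


def build_sample_docx() -> bytes:
    """Constructed stand-in for a .docx: blank body, keyword only in metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types></Types>")
        zf.writestr("word/document.xml",
                    "<w:document><w:body><w:p></w:p></w:body></w:document>")
        zf.writestr("docProps/core.xml",
                    "<cp:coreProperties>"
                    "<dc:title>Project Falcon budget</dc:title>"
                    "<dc:subject>Project Falcon budget review</dc:subject>"
                    "</cp:coreProperties>")
    return buf.getvalue()


if __name__ == "__main__":
    raw_hit, parts = find_keyword_in_docx(build_sample_docx(), "Falcon")
    print("keyword visible in raw (compressed) bytes:", raw_hit)
    print("archive parts containing keyword:", parts)
```

A hit in `docProps/` or another non-body part explains a blank page with a positive keyword result. Text in `word/document.xml` can be split across several runs, so a phrase may not appear there as one contiguous string.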


Thanks much - looking at it through an archive manager allowed me to get the information I needed.