±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36317
New Yesterday: 0 Visitors: 226

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Excel hashing

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

RABIDFOX
Newbie
 

Excel hashing

Post Posted: Dec 01, 18 01:32

So i did some hash test files in excel. I made 4: one was an exact copy same hash, one I renamed in windows also same hash value and one i renamed using the save as feature and it displayed a different hash value. So I was wondering if anyone can explain why this has happened?  
 
  

tracedf
Senior Member
 

Re: Excel hashing

Post Posted: Dec 01, 18 03:31

If you opened the file in Excel and chose "save as", the metadata was probably was updated. Even if the change was not visible to you, something changed.  
 
  

athulin
Senior Member
 

Re: Excel hashing

Post Posted: Dec 01, 18 06:40

- RABIDFOX
So i did some hash test files in excel. I made 4: one was an exact copy same hash, one I renamed in windows also same hash value and one i renamed using the save as feature and it displayed a different hash value. So I was wondering if anyone can explain why this has happened?


The best way to figure that out is, usually, to compare the files, byte by byte. Easiest way is probably to do

C:\Users\Whoever> COMP book1.xlsx book2.xlsx

and examine the output. You'll get a list of places where the two files differ. If they do ... hashes will differ as well, of course.

As xlsx files are zip archives, you can unpack them, and compare the contents. Or, open both in 7zip and check the CRC column. I expect that only the docProps folders will show different CRC data. If you want to find exactly where the difference is located, just go on from there.  
 
  

randomaccess
Senior Member
 

Re: Excel hashing

Post Posted: Dec 01, 18 11:30

Athulin, the second way you suggested is probably going to yield more useful results. As you pointed out, the xlsx format is a zip, so I think the first one might show that they're different, but the data will still be compressed.

If you unzipped both documents and then hashed the individual components youd probably see the difference quickly; my guess is internal metadata stored in docprops is what's changed (which was also suggested by athulin)  
 
  

athulin
Senior Member
 

Re: Excel hashing

Post Posted: Dec 01, 18 19:04

- randomaccess
Athulin, the second way you suggested is probably going to yield more useful results. As you pointed out, the xlsx format is a zip, so I think the first one might show that they're different, but the data will still be compressed.


It may yield results, but in this particular case, I think the only useful result is if the OP begins to understand what's going on.  
 
  

RABIDFOX
Newbie
 

Re: Excel hashing

Post Posted: Dec 01, 18 20:32

forgot you could extract them so the two files within excel that had changed were core.xml and workbook.xml.
in core the meta-data is physically stored so modified time affect that and in workbook there is a unique document ID that changes.
thanks for the help guys  
 
  

randomaccess
Senior Member
 

Re: Excel hashing

Post Posted: Dec 02, 18 07:20

- athulin
It may yield results, but in this particular case, I think the only useful result is if the OP begins to understand what's going on.


looks like that's happened

Good work OP, digging into the weeds of the file format is always a good place to start when trying to understand how this whole crazy world fits together  
 

Page 1 of 1