Typing up a report tonight, I realized I had been adding a number of exceptions to my custom Microsoft Word dictionary (‘Add to Dictionary’). Thinking about this as an attack technique, I realized there’s a whole lot of information leakage in this text file. The (abbreviated) list below may not mean a whole lot to the casual observer, but contained within are topics that are directly correlated with the work I do.
Are you forensics guys catching this? You can find the Microsoft Word custom dictionary here: C:\documents and settings\[username]\application data\microsoft\UProof\custom.dic and the corresponding Vista+ path under \Users.
I did a quick search for a database of files that might be of interest in a forensics investigation. Nothing came up. Anybody know of a list of such files? Depending on the use of the machine under investigation and the software installed, this would certainly change. It may be sufficient to grab just the \documents and settings or \users directory, but a list or database of files relevant in most forensics investigations would be useful.
P.S. I was able to locate the custom.dic using Filemon. Didn’t realize you could exclude processes from the list. This makes it significantly easier to find what you’re searching for…
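As an added example (not part of the original post), here is one way to pull every user's custom.dic word list out of a mounted disk image during triage, covering both the \documents and settings and \Users layouts mentioned above. It assumes the Vista+ file sits under AppData\Roaming\Microsoft\UProof, that files with a byte-order mark are UTF-16 or UTF-8 and files without one are legacy ANSI (cp1252), and the profiles "alice" and "bob" and their words are constructed sample data.

```python
import codecs
import tempfile
from pathlib import Path

# Profile roots come from the post; the AppData\Roaming sub-path and the
# cp1252 fallback are assumptions. Matching is case-insensitive.
PROFILE_ROOTS = ("documents and settings", "users")
SUFFIX = ("microsoft", "uproof", "custom.dic")

def read_custom_dic(path):
    """Decode by BOM (UTF-16 or UTF-8); no BOM is treated as legacy ANSI."""
    raw = Path(path).read_bytes()
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        text = raw.decode("utf-16", errors="replace")
    elif raw.startswith(codecs.BOM_UTF8):
        text = raw.decode("utf-8-sig", errors="replace")
    else:
        text = raw.decode("cp1252", errors="replace")
    return [w.strip() for w in text.splitlines() if w.strip()]

def triage(image_root):
    """Map each user profile under a mounted image to the words added to Word."""
    found = {}
    for top in Path(image_root).iterdir():
        if top.name.lower() not in PROFILE_ROOTS or not top.is_dir():
            continue
        for path in top.rglob("*"):
            parts = path.relative_to(top).parts
            tail = tuple(p.lower() for p in parts[-3:])
            if len(parts) > 3 and tail == SUFFIX and path.is_file():
                found.setdefault(parts[0], []).extend(read_custom_dic(path))
    return found

def build_sample_image():
    """Constructed sample: an XP-style ANSI file and a Vista+-style UTF-16 file."""
    root = Path(tempfile.mkdtemp())
    samples = (
        ("Documents and Settings/alice/Application Data", "custom.dic",
         "pentest\r\nshellcode\r\n".encode("cp1252")),
        ("Users/bob/AppData/Roaming", "CUSTOM.DIC",
         codecs.BOM_UTF16_LE + "Metasploit\r\nfuzzer\r\n".encode("utf-16-le")),
    )
    for prefix, name, data in samples:
        d = root / prefix / "Microsoft" / "UProof"
        d.mkdir(parents=True)
        (d / name).write_bytes(data)
    return root

if __name__ == "__main__":
    print(triage(build_sample_image()))
```

Point `triage()` at the mount point of a read-only image rather than a live system so the collection does not alter file timestamps.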