Microsoft Compound File

Revision as of 12:27, 20 November 2014

Microsoft Compound File is a complex container format used by some versions of Microsoft Office, and other Microsoft applications. It has features similar to those of a filesystem format.

It is also known as Compound File Binary File Format (CFBF or CFB), Microsoft Compound Document File Format, OLE Compound Document Format, OLE2 Compound Document Format, etc.

The format was not publicly documented by Microsoft until 2008.

It is (or was?) inofficially known as LAOLA File Format.

Identification

Files begin with signature bytes D0 CF 11 E0 A1 B1 1A E1.

Specifications

• MSDN: Compound File Binary File Format → [MS-CFB] PDF
• OpenOffice.org's documentation

Programs, libraries, and utilities

• Structured Storage Viewer
• libolecf
• OleFileIO_PL - a Python module to read MS OLE2 files
• oledump.py beta
• officeparser

Links

• Wikipedia article
• Forensics Wiki article
• Joel on Software: Why are the Microsoft Office file formats so complicated?
• Some (older) reverse engineered information here and a Perl module here
• Malicious Office macros are not dead
• MS Office 97-2003 legacy/binary formats security - article with lots of resources on MS Office formats, including analysis techniques, tools and parsing libraries

Editors' notes

TODO: Explain the relationship between Compound File format and the format/technology called COM Structured Storage (or OLE Structured Storage).