Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
00000000   D0 CF 11 E0 A1 B1 1A E1  00 00 00 00 00 00 00 00   ÐÏ à¡± á        
00000010   00 00 00 00 00 00 00 00  3E 00 03 00 FE FF 09 00           >   þÿ  
00000020   06 00 00 00 00 00 00 00  00 00 00 00 01 00 00 00                   
00000030   4B 00 00 00 00 00 00 00  00 10 00 00 4D 00 00 00   K           M   
00000040   01 00 00 00 FE FF FF FF  00 00 00 00 4A 00 00 00       þÿÿÿ    J   
00000050   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF   ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

 

Introduction

Microsoft Compound File Binary (CFB) file format is also known as the Object Linking and Embedding (OLE) or Component Object Model (COM) structured storage compound file implementation binary file format.  CFB implements a simplified file system through a hierarchical collection of storage objects and stream objects.

The file format has been used for a number of differrent file formats such as:

  • Microsoft Word up to 2003
  • Microsoft Powerpoint up to 2003
  • Microsoft Excel up to 2003
  • Windows Thumbnail files
  • Windows Installer files
  • Windows Sticky Notes files
  • Windows Jump Lists
  • Internet Explorer Tab Session and Recovery Store files

Storage and Streams

A storage object is comparable to a file system directory in that just as a directory can contain other directories and files, a storage object can contain other storage objects and stream objects. A parent storage object can also track the locations and sizes of the child storage object and stream objects nested beneath it. A stream object is comparable to a file in that a stream contains user-defined data stored as a consecutive sequence of bytes. A compound file consists of the root storage object with optional child storage objects and stream objects in a nested hierarchy.

 

 

File Recovery

Our Blade® Intelli-Carve® profile understands the structure of the Compound File and can load the data directly from a stream. A verification process checks that the header contains valid data; if this verification process is successful, Blade® confirms that each stream can be successfully loaded. Once the data has been verified, we identify the file type by examining the streams. The file is then written out with the appropriate file extension.