As always, interesting points you bring up!
Question: How can MS Office recover an altered, unsaved file when it crashes if it's not writing to disk?
I don't use Adobe Reader, so I've nothing to add there.
It's nice talking to the man who examined the malware from the Ukraine and is a fellow countryman...
You also have to provide the password when you recover a file.
I was told that the autosave files for encrypted documents are also encrypted.
Since I don't want to write BS (niet uit mijn nek lullen ;-) ), I tested the following:
Windows 8.1 - Word 2016 - .doc file format
Created a new document, saved empty document with a password to read it.
Then typed some text and saved document.
Opened document with binary editor, searched for the text I typed (in .doc it's stored as ASCII): did not find it (since it is encrypted).
Opened again with Word (typed password), typed some extra text, waited 10 minutes for autorecover file (C:\Users\testuser\AppData\Roaming\Microsoft\Word\AutoRecovery save of Doc1.asd) to be created, then killed Word with Process Explorer.
Looked at autosave file AutoRecovery save of Doc1.asd with binary editor and noticed it was also an encrypted .doc file.
Recovered file with Word and had to type password.
So I can confirm that (at least) in this test case, the autosave file is also encrypted.
Greetings back from a fellow countryman: met vriendelijke groeten
Edited by Didier Stevens, 08 January 2016 - 05:20 PM.
SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.
Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
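
The check done by hand in the post above (opening the .asd in a binary editor and recognising an encrypted .doc) can be scripted by reading the fEncrypted bit of FibBase in the WordDocument stream of the OLE2 file. This is an added example, not part of the original post: the function names and the constructed sample image are assumptions, and only a WordDocument stream stored in regular sectors is handled.

```python
import struct
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FATSECT, ENDOFCHAIN, FREESECT, MAXREGSECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFA
def u16(buf, off): return struct.unpack_from("<H", buf, off)[0]
def u32(buf, off): return struct.unpack_from("<I", buf, off)[0]

def fib_encryption_flags(data):
    """Locate the WordDocument stream in an OLE2 image and decode its FibBase flags."""
    if len(data) < 512 or data[:8] != CFB_MAGIC or u16(data, 30) not in (9, 12):
        raise ValueError("not an OLE2 compound file")
    size, dir_sid, cutoff = 1 << u16(data, 30), u32(data, 48), u32(data, 56)
    sector = lambda n: data[(n + 1) * size:(n + 2) * size].ljust(size, b"\xff")
    fat = []                                    # FAT sectors listed in the header DIFAT
    for loc in struct.unpack_from("<109I", data, 76):
        if loc <= MAXREGSECT:
            fat += struct.unpack("<%dI" % (size // 4), sector(loc))
    seen = set()
    while dir_sid <= MAXREGSECT and dir_sid not in seen:    # follow the directory chain
        seen.add(dir_sid)
        sec = sector(dir_sid)
        for off in range(0, size, 128):
            nlen = min(u16(sec, off + 64), 64)              # name length incl. terminator
            if sec[off:off + max(nlen - 2, 0)].decode("utf-16-le", "replace") != "WordDocument":
                continue
            if u32(sec, off + 120) < cutoff:
                raise ValueError("WordDocument is in the mini stream (not handled here)")
            fib = sector(u32(sec, off + 116))
            if u16(fib, 0) != 0xA5EC:
                raise ValueError("unexpected FIB wIdent")
            enc = bool(u16(fib, 10) & 0x0100)               # FibBase.fEncrypted
            return {"encrypted": enc, "xor_obfuscation": enc and bool(u16(fib, 10) & 0x8000)}
        dir_sid = fat[dir_sid] if dir_sid < len(fat) else ENDOFCHAIN
    raise ValueError("no WordDocument stream found")

def dirent(name, typ, child, start, size):
    raw = (name + "\0").encode("utf-16-le")
    return raw.ljust(64, b"\0") + struct.pack("<HBBIII36xIQ", len(raw), typ, 1,
                                              FREESECT, FREESECT, child, start, size)

def build_sample(encrypted):
    """Constructed test image: FAT in sector 0, directory in 1, WordDocument in 2..9."""
    hdr = CFB_MAGIC + struct.pack("<16xHHHHH6x9I", 0x3E, 3, 0xFFFE, 9, 6,
                                  0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr += struct.pack("<109I", 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *range(3, 10), ENDOFCHAIN, *[FREESECT] * 118)
    directory = (dirent("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + dirent("WordDocument", 2, FREESECT, 2, 4096)).ljust(512, b"\0")
    fib = struct.pack("<6H", 0xA5EC, 0x00C1, 0, 0x0409, 0, 0x0100 if encrypted else 0)
    return hdr + fat + directory + fib.ljust(4096, b"\0")
```

To check a real file, pass its bytes (`open(path, "rb").read()`) to `fib_encryption_flags`.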