Binary Analysis of Microsoft Documents


This course introduces a forensically sound method of deconstructing Microsoft Files that use the OLE2 structure.

Structure and content

Duration: 1 week Full Time

Examination: Practical 2 hours

This course delivers a step-by-step walk through of the methods used to extract data, much of which is unavailable using any software solution. Internal times and dates, Authors, Users, edits and “hidden” text are all there to be recovered using the internal pointers and known structures. Methods of detecting compromised or false documents are discussed and demonstrated, and reconstruction of damaged documents or spreadsheets is practically experienced. Use of methods to recover temporary word files together with timed edits/additions from Volume Shadow Copy is also demonstrated. 

Who the course is for

This course is for practitioners, and applicants should normally be employed by, and sponsored by law enforcement or associated agencies, or a reputable organisation involved in the forensic computing domain.

Recommended prior knowledge

For new or inexperienced analysts, it is strongly recommended that Foundations of Forensic Computing is completed before other courses are attempted.

Accredited Prior Learning (APL) may be awarded for previous relevant studies. Individual guidance will be provided with respect to assessing APL.

What you will achieve

This course is designed to address the need for continuing professional development and career progression within a rapidly changing environment.

With this course students will be awarded 10 credits. Students can then build more credits through successful completion of related courses and assessments, which may lead to a PG Cert Higher Education award.


This course is taught exclusively by Professor Tony Sammes.

With well over 1,000 forensic examinations, and 14 years of experience in teaching forensic computing, courses offered by Tony are highly specialist with a blend of highly practical hands-on experience, combined with rigorous theoretical and academic training.


Course delivery is a combination of practical hands-on experience, combined with rigorous theoretical and academic training.


The course is delivered in the Forensic Laboratory at De Montfort University, in Leicester City Centre.

The laboratory is new, and has been purpose built with “super fast” machines, wide screen monitors, and an array of top-of-the range display systems. The Lab is situated within a security controlled area of the Cyber Security Centre, and is a very pleasant place to work.





Places to stay

There are numerous hotels within easy walking distance (5-10 minutes) of De Montfort University (DMU) offering different grades of accommodation. Most will offer Government and Law Enforcement or DMU rates. A number are on the edge of the Town Centre and either have their own car parks, or have arrangements in place for discounted parking nearby.

Contact us

Sue Williamson
Faculty of Technology
Gateway House 4.64
De Montfort University
The Gateway

T: +44 (0)116 250 6339



 Security Banner with Computer Coding
Events target area image

At DMU there is always something to do or see, check out our events for yourself.

News target area image

DMU is a dynamic university, read about what we have been up to in our latest news section.

Mission and vision target area image
Mission and vision

Read about our mission and vision and how these create a supportive and exciting learning environment.