Thursday, November 1, 2018

Daily Blog #525: Office 2016 Backstage artifact parser

Hello Reader,
            One of the things I love the most is collaboration within the DFIR world. Today I'm happy to link to Brian Gerdon's (of Arsenal Recon) Python parser for the Office 2016 Backstage artifact, so you don't have to just stare at a bunch of text files and JSON files. You can find it here:

https://github.com/ArsenalRecon/BackstageParser

There is no better way to learn the details of an artifact than to write a parser for it and work through all of its structures and nuances. So if you see something you think is interesting, don't feel that you shouldn't try to write a parser for it just because one already exists; the learning experience alone will be worth your effort.