Daily Blog #510: Office 2016 Backstage Artifacts

Office 2016 Backstage Artifacts by David Cowen - Hacking Exposed Computer Forensics Blog



Hello Reader,
New versions of software often bring new artifacts, and Office 2016 is no exception. We were working an investigation when we found directory paths that no longer exist on the disk under a directory called:

 '\Users\<username>\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache\'

Underneath that directory you will find a series of directories, one for each of the storage locations where the user could save files, for example:

  • My Computer
  • Onedrive Personal
  • Onedrive business
  • Sharepoint


This will match up to the view you will see when you open a file in Microsoft Office from the 'Backstage' view. Backstage is Microsoft's term for the interface where you can load recently accessed documents, shown after loading a Microsoft Office program and before picking a document. Here is an example from my system:



In the above screenshot I started Microsoft Word, selected open other locations from the bottom and then clicked 'This PC'. It defaulted to my documents directory and then switched over to a newly mounted VHD drive.

On entering the directory from this interface I got a file created in the BackstageInAppNavCache\My Computer directory for the D drive that contained the full path, file name and modification date in Windows filetime format for all of the directories and files on my D drive separated between folders and files.

Here is the folder view:

The last element is the filetime timestamp in decimal format; converting it to hex and putting it into DCode shows the following:

In addition there is a section for files as seen below:

What was interesting to me on the file section is that the GUI is only showing me the Word file, but the cache file shows all files in this directory.

On my system this directory goes back a couple of years' worth of what was in every directory I've viewed while in this open interface.

One difference I have between my machines, though, is that one has these as text files, while the other, after the most recent Office update, is creating them as JSON files.
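
As an added example (not code from the original post), here is a triage script that pulls the decimal FILETIME values out of a copy of the BackstageInAppNavCache directory, whether the cache files are text or JSON. The post does not give the field layout, so the script assumes nothing about it: it treats any 18-digit decimal value that decodes to a date between 2000 and 2100 as a timestamp, and the sample lines in it are constructed.

```python
import re
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks from here

def filetime_to_utc(ticks: int) -> datetime:
    return EPOCH + timedelta(microseconds=ticks // 10)

def utc_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

# Assumption: only values that fall between 2000 and 2100 are treated as timestamps.
LOW = utc_to_filetime(datetime(2000, 1, 1, tzinfo=timezone.utc))
HIGH = utc_to_filetime(datetime(2100, 1, 1, tzinfo=timezone.utc))
CANDIDATE = re.compile(r"(?<!\d)\d{18}(?!\d)")  # every FILETIME in that window has 18 digits

def scan_text(text: str):
    """Return (decimal, hex, UTC datetime) for each plausible FILETIME in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        ticks = int(m.group())
        if LOW <= ticks < HIGH:
            hits.append((ticks, f"{ticks:016X}", filetime_to_utc(ticks)))
    return hits

def scan_cache(root: Path):
    """Walk a copy of BackstageInAppNavCache; yield (location dir, file name, hits)."""
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        raw = path.read_bytes().replace(b"\x00", b"")  # tolerate UTF-16 content
        hits = scan_text(raw.decode("utf-8", errors="replace"))
        if hits:
            yield path.relative_to(root).parts[0], path.name, hits

# Constructed samples: the field layout is made up, only the decimal value matters.
SAMPLE_TEXT = "D:\\Reports\\q3.docx|131907744000000000\n"
SAMPLE_JSON = '{"name": "q3.docx", "modified": "131907744000000000", "id": "999999999999999999"}'

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to an exported copy of the cache directory
        for location, name, hits in scan_cache(Path(sys.argv[1])):
            for ticks, hexval, when in hits:
                print(f"{location}\t{name}\t{ticks}\t0x{hexval}\t{when.isoformat()}")
    else:
        for sample in (SAMPLE_TEXT, SAMPLE_JSON):
            print(scan_text(sample))
```

Run it against an exported copy of the directory rather than the live profile, and treat each hit as a lead to confirm against the raw file.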

Go check yours and let me know what you find!
