com.microsoft.office.plist - help with "Access Date"


com.microsoft.office.plist - help with "Access Date"

Post Posted: Wed Jul 31, 2013 8:51 am

Hi,

I'm looking for evidence that a file has been opened on a Mac - it's a particular spreadsheet. I can find details of the file in "com.microsoft.office.plist", which seems to be a general settings file for office documents.

The plist is a binary plist, and the notable section I'm looking at is "14\File MRU\XCEL". Following this key is an array, which itself consists of a series of pairs of data - "Access Date" and "File Alias".

The "File Alias" key contains a bit of binary data, including the filename and file path of the relevant file I'm looking for. That bit is fine.

The part I'm having a problem with is the "Access Date". I have tried multiple routes and I can't figure out for the life of me how this date is represented. It is the following:

Code:
000061BA82CA6BC5

So far I have tried converting it to a long, two ints, a double, a float - pretty much every possible option, both big-endian and little (it should be LE since the Mac is x86, but you never know). I've run it through numerous timestamp converters, and I just can't get a sensible date (it definitely doesn't seem to be Mac Absolute Time, or a standard unix timestamp).

I've searched Google, but with no help. I've even used the super-handy DFIR Custom Search and although the plist is mentioned, I can't find anything regarding translating the dates.

Any ideas?

P.S. The range of dates I'm looking for is between 2009 and 2012, for reference.

Chris_Ed
Senior Member
 
 
  

Re: com.microsoft.office.plist - help with "Access Date"

Post Posted: Wed Jul 31, 2013 9:38 am

Something like this?
apple.stackexchange.co...cent-items

Maybe, just maybe:
github.com/quicksilver...Info.plist
www.apple.com/DTDs/Pro...st-1.0.dtd

It is ISO 8601, BUT BASE64 encoded?

But it should be a "different" number/hex....


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: com.microsoft.office.plist - help with "Access Date"

Post Posted: Wed Jul 31, 2013 10:50 am

Yep - that's the one. Plist editors do recover binary data as b64 encoded strings - in my example above, most plist editors show the value as "AABhuoLKa8U=". But I'm still stuck as to how to convert this into a meaningful date.

Chris_Ed
Senior Member
 
 
  

Re: com.microsoft.office.plist - help with "Access Date"

Post Posted: Wed Jul 31, 2013 3:53 pm

- Chris_Ed
Yep - that's the one. Plist editors do recover binary data as b64 encoded strings - in my example above, most plist editors show the value as "AABhuoLKa8U=". But I'm still stuck as to how to convert this into a meaningful date


Well, re-reading a few docs:
en.wikipedia.org/wiki/...t#Mac_OS_X
web.archive.org/web/20...lists.html

the data should be base64 encoded, the date should be "plain" ISO 8601, but:
developer.apple.com/li...ist.5.html

it seems like the plist can be in an (I am citing):
opaque binary format


Would the mentioned plutil tool:
developer.apple.com/li...n/1/plutil
do something useful?

jaclaz

jaclaz
Senior Member
 
 
  

Re: com.microsoft.office.plist - help with "Access Date"

Post Posted: Wed Jul 31, 2013 5:29 pm

So far I am drawing blanks on the timestamp format, though you may want to check out my app called LISTView, which will view both binary and xml format plists without the need to convert between the different formats.

evigator.com/free-apps/  

JDCoulthard
Senior Member
 
 
  

Re: com.microsoft.office.plist - help with "Access Date"

Post Posted: Thu Aug 01, 2013 3:37 am

Hello,

I did some testing earlier this year for the Office 2008 on Mac plist file. The timestamp was in HFS+ Little Endian, 32-bit.

In this example the access date is listed as 00001c33 5ccdcd1c

Take 1c33 5ccd for your timestamp. I haven't figured out what the cd1c is.




Your date, 61BA82CA, would be Tue, 30 August 2011 16:03:45 UTC (using decode)

MissMari
Member
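
The decoding described in the post above, as an added example that is not part of the original thread: bytes 2..5 of the 8-byte "Access Date" value are read as a little-endian unsigned 32-bit count of seconds since the HFS+ epoch (1904-01-01 UTC). It assumes the "14\File MRU\XCEL" array holds dictionaries with "Access Date" and "File Alias" keys; the sample plist is constructed from the two hex values quoted in the thread, with placeholder alias bytes.

```python
import base64
import plistlib
import struct
from datetime import datetime, timedelta, timezone

HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)  # HFS+ time zero
MRU_KEY = r"14\File MRU\XCEL"  # key named in the thread


def decode_access_date(raw: bytes) -> datetime:
    """Decode an 8-byte "Access Date" blob as described in the thread.

    Bytes 2..5 are a little-endian unsigned 32-bit count of seconds since
    1904-01-01 UTC. Bytes 0..1 and 6..7 are left uninterpreted.
    """
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    (seconds,) = struct.unpack_from("<I", raw, 2)
    return HFS_EPOCH + timedelta(seconds=seconds)


def mru_access_dates(plist_bytes: bytes, key: str = MRU_KEY):
    """Return the decoded access date of every entry under the MRU key."""
    plist = plistlib.loads(plist_bytes)  # auto-detects binary or XML plist
    # Assumption: each array entry is a dict carrying an "Access Date" blob.
    return [decode_access_date(e["Access Date"]) for e in plist.get(key, [])]


def build_sample_plist() -> bytes:
    # Constructed sample: the two Access Date values quoted in the thread,
    # with placeholder File Alias bytes (the alias record is not parsed here).
    entries = [
        {"Access Date": bytes.fromhex("000061BA82CA6BC5"), "File Alias": b"\x00"},
        {"Access Date": bytes.fromhex("00001c335ccdcd1c"), "File Alias": b"\x00"},
    ]
    return plistlib.dumps({MRU_KEY: entries}, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    # The base64 string shown by plist editors decodes to the same 8 bytes.
    print(decode_access_date(base64.b64decode("AABhuoLKa8U=")).isoformat())
    for when in mru_access_dates(build_sample_plist()):
        print(when.isoformat())
```

Reading the same four bytes big-endian gives a date in 1955, which is why byte order matters when validating this field against file system metadata.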
 
 
  

Re: com.microsoft.office.plist - help with "Access Date"

Post Posted: Thu Aug 01, 2013 6:33 am

Aaaahhh - tremendous. I've checked it against the plist in question and in fact the dates I come up with correlate with the metadata of the file itself.

Huge thanks, Miss! You've relieved me of a huge headache.

Chris_Ed
Senior Member
 
 
