
com.microsoft.office.plist - help with "Access Date"

12 Posts
6 Users
0 Likes
1,394 Views
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
Topic starter
 

Hi,

I'm looking for evidence that a file has been opened on a Mac - it's a particular spreadsheet. I can find details of the file in "com.microsoft.office.plist", which seems to be a general settings file for office documents.

The plist is a binary plist, and the notable section I'm looking at is "14\File MRU\XCEL". Following this key is an array, which itself consists of a series of pairs of data - "Access Date" and "File Alias".

The "File Alias" key contains a bit of binary data, including the filename and file path of the relevant file I'm looking for. That bit is fine.

The part I'm having a problem with is the "Access Date". I have tried multiple routes and I can't figure out for the life of me how this date is represented. It is the following

000061BA82CA6BC5
So far I have tried converting it to a long, two ints, a double, a float - pretty much every possible option, both big-endian and little (it should be LE since the Mac is x86, but you never know). I've run it through numerous timestamp converters, and I just can't get a sensible date (it definitely doesn't seem to be Mac Absolute Time, or a standard unix timestamp).

I've searched Google, but with no help. I've even used the super-handy DFIR Custom Search and although the plist is mentioned, I can't find anything regarding translating the dates.

Any ideas?

P.s, the range of dates I'm looking for is between 2009 to 2012 - for reference.

 
Posted : 31/07/2013 2:51 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Something like this?
http://apple.stackexchange.com/questions/8207/how-does-office-2008-for-mac-store-its-recent-items

Maybe, just maybe
https://github.com/quicksilver/MicrosoftOffice-qsplugin/blob/master/Info.plist
http://www.apple.com/DTDs/PropertyList-1.0.dtd

It is ISO 8601, BUT BASE64 encoded? 😯

But it should be a "different" number/hex….

jaclaz

 
Posted : 31/07/2013 3:38 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
Topic starter
 

Yep - that's the one. Plist editors do recover binary data as b64 encoded strings - in my example above, most plist editors show the value as "AABhuoLKa8U=". But I'm still stuck as to how to convert this into a meaningful date ?

 
Posted : 31/07/2013 4:50 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Yep - that's the one. Plist editors do recover binary data as b64 encoded strings - in my example above, most plist editors show the value as "AABhuoLKa8U=". But I'm still stuck as to how to convert this into a meaningful date ?

Well, re-reading a few docs
https://en.wikipedia.org/wiki/Property_list#Mac_OS_X
http://web.archive.org/web/20090424003555/http://www.apple.com/applescript/features/propertylists.html

the data should be base64 encoded, the date should be "plain" ISO 8601, but
https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/plist.5.html

it seems like the plist can be in an (I am citing)

opaque binary format

Would the mentioned plutil tool
https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/plutil.1.html#//apple_ref/doc/man/1/plutil
do something useful?

jaclaz

 
Posted : 31/07/2013 9:53 pm
(@jdcoulthard)
Posts: 98
Trusted Member
 

So far I am drawing blanks on the timestamp format, though you may want to check out my app called LISTView, which will view both binary and xml format plists without the need to convert between the different formats.

http://evigator.com/free-apps/

 
Posted : 31/07/2013 11:29 pm
(@missmari)
Posts: 15
Active Member
 

Hello,

I did some testing earlier this year for Office 2008 on Mac plist file. The timestamp was in HFS+ Little Endian, 32bit.

In this example the access date is listed as 00001c33 5ccdcd1c

Take 1c33 5ccd for your timestamp. I haven't figured out what the cd1c is.

Your date, 61BA82CA would be Tue, 30 August 2011 16:03:45 UTC (using decode)

 
Posted : 01/08/2013 9:37 am
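The decoding described in the answer above, as an added example that is not part of the original thread: bytes 2 to 5 of the 8-byte "Access Date" value are read as a little-endian 32-bit count of seconds since the HFS+ epoch (1904-01-01 UTC). The function names, the assumption that each MRU array element is a dictionary holding both keys, and the sample plist are constructed for illustration.

```python
import base64
import plistlib
import struct
from datetime import datetime, timedelta, timezone

HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
MRU_KEY = "14\\File MRU\\XCEL"  # key named in the thread


def decode_access_date(raw: bytes) -> datetime:
    """Decode an Office 2008 MRU 'Access Date' blob as described in the thread.

    Bytes 2..5 hold a little-endian uint32 of seconds since 1904-01-01 UTC.
    The leading and trailing two bytes are not explained in the thread and
    are ignored here.
    """
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    (seconds,) = struct.unpack_from("<I", raw, 2)
    return HFS_EPOCH + timedelta(seconds=seconds)


def list_mru(plist_bytes: bytes, key: str = MRU_KEY):
    """Return (access time, raw alias bytes) for each MRU entry.

    Assumes each array element is a dict with 'Access Date' and
    'File Alias' data values; plistlib detects binary or XML format.
    """
    root = plistlib.loads(plist_bytes)
    return [
        (decode_access_date(e["Access Date"]), e["File Alias"])
        for e in root.get(key, [])
    ]


# Constructed sample plist: the two Access Date values quoted in the thread,
# the first given in the base64 form a plist editor displays.
SAMPLE_PLIST = plistlib.dumps(
    {MRU_KEY: [
        {"Access Date": base64.b64decode("AABhuoLKa8U="),
         "File Alias": b"constructed-alias-1"},
        {"Access Date": bytes.fromhex("00001c335ccdcd1c"),
         "File Alias": b"constructed-alias-2"},
    ]},
    fmt=plistlib.FMT_BINARY,
)

if __name__ == "__main__":
    for when, alias in list_mru(SAMPLE_PLIST):
        print(when.isoformat(), alias)
```

The decoded times are UTC; compare them against the file's own filesystem timestamps before relying on them, as the original poster did.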
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
Topic starter
 

Aaaahhh - tremendous. I've checked it against the plist in question and in fact the dates I come up with correlate with the metadata of the file itself.

Huge thanks, Miss! You've relieved me of a huge headache. :D

 
Posted : 01/08/2013 12:33 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Your date, 61BA82CA would be Tue, 30 August 2011 16:03:45 UTC (using decode)

Can you expand on "using decode"?

As a side note, maybe useful, maybe not
http://www.icopybot.com/plist-editor.htm

jaclaz

 
Posted : 01/08/2013 4:33 pm
(@athulin)
Posts: 1156
Noble Member
 

Can you expand on "using decode"?

DCode ?

 
Posted : 01/08/2013 5:39 pm
(@missmari)
Posts: 15
Active Member
 

Can you expand on "using decode"?

Ah yes, "decode", the French version of DCode 😉

http://www.digital-detective.co.uk/freetools/decode.asp

I used DCode from Digital Detective to convert the date using the HFS+ 32 Bit Little Endian option.

 
Posted : 01/08/2013 6:06 pm