com.microsoft.office.plist - help with "Access Date"

Chris_Ed
(@chris_ed)
Active Member

Hi,

I'm looking for evidence that a file has been opened on a Mac - it's a particular spreadsheet. I can find details of the file in "com.microsoft.office.plist", which seems to be a general settings file for office documents.

The plist is a binary plist, and the notable section I'm looking at is "14\File MRU\XCEL". Following this key is an array, which itself consists of a series of pairs of data - "Access Date" and "File Alias".

The "File Alias" key contains a bit of binary data, including the filename and file path of the relevant file I'm looking for. That bit is fine.

The part I'm having a problem with is the "Access Date". I have tried multiple routes and I can't figure out for the life of me how this date is represented. It is the following:

000061BA82CA6BC5

So far I have tried converting it to a long, two ints, a double, a float - pretty much every possible option, both big-endian and little (it should be LE since the Mac is x86, but you never know). I've run it through numerous timestamp converters, and I just can't get a sensible date (it definitely doesn't seem to be Mac Absolute Time, or a standard unix timestamp).

I've searched Google, but with no help. I've even used the super-handy DFIR Custom Search and although the plist is mentioned, I can't find anything regarding translating the dates.

Any ideas?

P.S. The range of dates I'm looking for is between 2009 and 2012 - for reference.

Topic starter Posted : 31/07/2013 3:51 pm
jaclaz
(@jaclaz)
Community Legend

Something like this?
http://apple.stackexchange.com/questions/8207/how-does-office-2008-for-mac-store-its-recent-items

Maybe, just maybe
https://github.com/quicksilver/MicrosoftOffice-qsplugin/blob/master/Info.plist
http://www.apple.com/DTDs/PropertyList-1.0.dtd

It is ISO 8601, BUT BASE64 encoded? 😯

But it should be a "different" number/hex….

jaclaz

Posted : 31/07/2013 4:38 pm
Chris_Ed
(@chris_ed)
Active Member

Yep - that's the one. Plist editors do recover binary data as b64 encoded strings - in my example above, most plist editors show the value as "AABhuoLKa8U=". But I'm still stuck as to how to convert this into a meaningful date?

Topic starter Posted : 31/07/2013 5:50 pm
jaclaz
(@jaclaz)
Community Legend

Yep - that's the one. Plist editors do recover binary data as b64 encoded strings - in my example above, most plist editors show the value as "AABhuoLKa8U=". But I'm still stuck as to how to convert this into a meaningful date?

Well, re-reading a few docs
https://en.wikipedia.org/wiki/Property_list#Mac_OS_X
http://web.archive.org/web/20090424003555/http://www.apple.com/applescript/features/propertylists.html

the data should be base64 encoded, the date should be "plain" ISO 8601, but
https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/plist.5.html

it seems like the plist can be in an (I am citing)

opaque binary format

Would the mentioned plutil tool
https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/plutil.1.html#//apple_ref/doc/man/1/plutil
do something useful?

jaclaz

Posted : 31/07/2013 10:53 pm
JDCoulthard
(@jdcoulthard)
Member

So far I am drawing blanks on the timestamp format, though you may want to check out my app called LISTView, which will view both binary and xml format plists without the need to convert between the different formats.

http://evigator.com/free-apps/

Posted : 01/08/2013 12:29 am
MissMari
(@missmari)
New Member

Hello,

I did some testing earlier this year for Office 2008 on Mac plist file. The timestamp was in HFS+ Little Endian, 32bit.

In this example the access date is listed as 00001c33 5ccdcd1c

Take 1c33 5ccd for your timestamp. I haven't figured out what the cd1c is.

Your date, 61BA82CA would be Tue, 30 August 2011 16:03:45 UTC (using decode)

Posted : 01/08/2013 10:37 am
Chris_Ed
(@chris_ed)
Active Member

Aaaahhh - tremendous. I've checked it against the plist in question and in fact the dates I come up with correlate with the metadata of the file itself.

Huge thanks, Miss! You've relieved me of a huge headache. :D

Topic starter Posted : 01/08/2013 1:33 pm
jaclaz
(@jaclaz)
Community Legend

Your date, 61BA82CA would be Tue, 30 August 2011 16:03:45 UTC (using decode)

Can you expand on "using decode"?

As a side note, maybe useful, maybe not
http://www.icopybot.com/plist-editor.htm

jaclaz

Posted : 01/08/2013 5:33 pm
athulin
(@athulin)
Community Legend

Can you expand on "using decode"?

DCode ?

Posted : 01/08/2013 6:39 pm
MissMari
(@missmari)
New Member

Can you expand on "using decode"?

Ah yes, "decode", the French version of DCode 😉

http://www.digital-detective.co.uk/freetools/decode.asp

I used DCode from Digital Detective to convert the date using the HFS+ 32 Bit Little Endian option.

Posted : 01/08/2013 7:06 pm
jaclaz
(@jaclaz)
Community Legend

Ah yes, "decode", the French version of DCode 😉

http://www.digital-detective.co.uk/freetools/decode.asp

I used DCode from Digital Detective to convert the date using the HFS+ 32 Bit Little Endian option.

Thanks :), then it is
http://sandersonforensics.com/forum/content.php?131-A-brief-history-of-time-stamps

HFS Plus timestamps represent the time in seconds since midnight Jan 1, 1904.

The leading 00's obviously allow for some time in the future, the appended two bytes remain "a mystery", right?

Or maybe are "fractions of seconds"?

jaclaz

Posted : 01/08/2013 7:21 pm
jahearne
(@jahearne)
Junior Member

Hello,

I did some testing earlier this year for Office 2008 on Mac plist file. The timestamp was in HFS+ Little Endian, 32bit.

In this example the access date is listed as 00001c33 5ccdcd1c

Take 1c33 5ccd for your timestamp. I haven't figured out what the cd1c is.

Your date, 61BA82CA would be Tue, 30 August 2011 16:03:45 UTC (using decode)

Hate to dig up an old post, but this was relevant in a case I'm working on. So, I couldn't quite figure out how MissMari got that time stamp. My date stamp is 3AACBFD5. Little Endian = D5BFAC3A, converted to decimal = 3586108474, HFS+ Time Stamp Converter = Sunday, August 20, 2017 9:14:34 PM

https://www.epochconverter.com/mac

Thanks!!!

Posted : 08/09/2017 7:08 pm
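
The decoding worked out in this thread (bytes 2-5 of the 8-byte "Access Date" read as a little-endian HFS+ timestamp, seconds since 1 January 1904 UTC), as an added Python example that is not from any of the posters. The plist layout (the MRU key holding an array of dictionaries), the function names and the zero padding around the 2017 value are assumptions; the sample plist is constructed from the values quoted above.

```python
import base64
import plistlib
from datetime import datetime, timedelta, timezone

HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)  # HFS+ time zero
MRU_KEY = "14\\File MRU\\XCEL"                          # key named in the thread


def decode_access_date(blob: bytes) -> datetime:
    """Decode an 8-byte "Access Date" value the way the thread describes."""
    if len(blob) != 8:
        raise ValueError(f"expected 8 bytes, got {len(blob)}")
    # Bytes 0-1 were zero in the thread's samples and bytes 6-7 were never
    # explained; only bytes 2-5 are read, as little-endian seconds since 1904.
    seconds = int.from_bytes(blob[2:6], "little")
    return HFS_EPOCH + timedelta(seconds=seconds)


def mru_access_dates(plist_bytes: bytes, key: str = MRU_KEY) -> list:
    """Return the decoded Access Date of every MRU entry stored under `key`."""
    root = plistlib.loads(plist_bytes)  # accepts binary and XML plists
    dates = []
    for entry in root.get(key, []):
        raw = entry.get("Access Date")
        if isinstance(raw, (bytes, bytearray)) and len(raw) == 8:
            dates.append(decode_access_date(bytes(raw)))
    return dates


def build_sample_plist() -> bytes:
    """Constructed binary plist; layout assumed: array of dictionaries."""
    entries = [
        # Base64 form shown by plist editors; same bytes as 000061BA82CA6BC5.
        {"Access Date": base64.b64decode("AABhuoLKa8U="),
         "File Alias": b"constructed placeholder"},
        # 3AACBFD5 from the 2017 post; surrounding zero bytes are constructed.
        {"Access Date": bytes.fromhex("00003AACBFD50000"),
         "File Alias": b"constructed placeholder"},
    ]
    return plistlib.dumps({MRU_KEY: entries}, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    for ts in mru_access_dates(build_sample_plist()):
        print(ts.isoformat())
```
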