Forensic Analysis of Microsoft Excel Files  

UnallocatedClusters
(@unallocatedclusters)
Senior Member

Colleagues,

I have two specific Excel files for analysis.

Allegedly one of the Excel files is a derivative of the other Excel file.

Both Excel files are extremely complex, multi-tabbed with apparently embedded custom code.

I would like to somehow extract and examine the embedded custom code much as one would do in a software code comparison case.

Any suggestions on where I could extract such custom code from each Excel to compare side by side?

I have Blacklight/Forensic Explorer/OSForensics tools at my disposal.

Posted : 30/01/2019 12:20 am
Bunnysniper
(@bunnysniper)
Active Member

I have two specific Excel files for analysis.

xls or xlsx? In the 2nd case, open the file with 7-Zip and the miracle begins. xls can be examined with Offvis for example (https://go.microsoft.com/fwlink/?LinkId=158791)

regards, Robin

Posted : 30/01/2019 8:37 am
keydet89
(@keydet89)
Community Legend

For .xls files, or any OLE format files, consider

https://www.mitec.cz/ssv.html

..or..

https://blog.didierstevens.com/programs/oledump-py/

You can use either one to locate and extract the OLE streams that contain the code.

Something else you might consider is that any of the folder or directory objects within the OLE file will likely have time stamps associated with them…these might be helpful in determining the nature of the derivation.

Posted : 30/01/2019 11:18 am
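
Added example (not part of any post in this thread, and not code from the tools named in it): the 7-Zip suggestion works because an OOXML workbook is a ZIP container, so the parts of two workbooks can be hashed and compared one by one, and any part that begins with the OLE signature (in macro-enabled workbooks, typically xl/vbaProject.bin) can then be opened with an OLE stream tool such as SSV or oledump.py. The function names and the two in-memory sample workbooks are constructed for illustration.

```python
import hashlib
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file signature

def part_hashes(workbook):
    """Map each part in an OOXML (ZIP) workbook to (sha256, starts_with_ole)."""
    parts = {}
    with zipfile.ZipFile(workbook) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                data = zf.read(info)
                digest = hashlib.sha256(data).hexdigest()
                parts[info.filename] = (digest, data.startswith(OLE_MAGIC))
    return parts

def compare_workbooks(original, suspect):
    """Classify every part as identical, modified, or present on one side."""
    a, b = part_hashes(original), part_hashes(suspect)
    report = {"identical": [], "modified": [], "only_original": [],
              "only_suspect": [], "ole_parts": []}
    for name in sorted(a.keys() | b.keys()):
        if name in a and name in b:
            key = "identical" if a[name][0] == b[name][0] else "modified"
        else:
            key = "only_original" if name in a else "only_suspect"
        report[key].append(name)
        if any(side.get(name, ("", False))[1] for side in (a, b)):
            report["ole_parts"].append(name)  # hand these to an OLE tool
    return report

def build_sample(parts):
    """Constructed test input: an in-memory ZIP built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf

def demo():
    """Two constructed workbooks sharing one byte-identical macro container."""
    base = {"xl/workbook.xml": b"<wb/>", "xl/vbaProject.bin": OLE_MAGIC + b"vba"}
    first = {**base, "xl/worksheets/sheet1.xml": b"<v>1</v>"}
    second = {**base, "xl/worksheets/sheet1.xml": b"<v>2</v>",
              "xl/worksheets/sheet2.xml": b"<v>3</v>"}
    return compare_workbooks(build_sample(first), build_sample(second))
```

On real evidence, pass the two file paths (working copies, not the originals) to compare_workbooks. A legacy .xls file is itself an OLE file rather than a ZIP, so it goes straight to the OLE tools.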
UnallocatedClusters
(@unallocatedclusters)
Senior Member

THANKS!!!

Posted : 30/01/2019 2:43 pm
keydet89
(@keydet89)
Community Legend

I used SSV yesterday to open an MSI file and extract a DLL from one of the streams…

Posted : 30/01/2019 3:26 pm