Hi,
I'm looking for evidence that a file has been opened on a Mac - it's a particular spreadsheet. I can find details of the file in "com.microsoft.office.plist", which seems to be a general settings file for office documents.
The plist is a binary plist, and the notable section I'm looking at is "14\File MRU\XCEL". Following this key is an array, which itself consists of a series of pairs of data - "Access Date" and "File Alias".
The "File Alias" key contains a bit of binary data, including the filename and file path of the relevant file I'm looking for. That bit is fine.
The part I'm having a problem with is the "Access Date". I have tried multiple routes and I can't figure out for the life of me how this date is represented. It is the following
000061BA82CA6BC5
So far I have tried converting it to a long, two ints, a double, a float - pretty much every possible option, both big-endian and little (it should be LE since the Mac is x86, but you never know). I've run it through numerous timestamp converters, and I just can't get a sensible date (it definitely doesn't seem to be Mac Absolute Time, or a standard unix timestamp).
I've searched Google, but with no help. I've even used the super-handy
Any ideas?
P.s, the range of dates I'm looking for is between 2009 to 2012 - for reference.
Something like this?
http//
Maybe, just maybe
https://
http//
It is ISO 8601, BUT BASE64 encoded? 😯
But it should be a "different" number/hex….
jaclaz
Yep - that's the one. Plist editors do recover binary data as b64 encoded strings - in my example above, most plist editors show the value as "AABhuoLKa8U=". But I'm still stuck as to how to convert this into a meaningful date ?
Yep - that's the one. Plist editors do recover binary data as b64 encoded strings - in my example above, most plist editors show the value as "AABhuoLKa8U=". But I'm still stuck as to how to convert this into a meaningful date ?
Wel, re-reading a few docs
https://
http//
the data should be base64 encoded, the date should be "plain" ISO 8601, but
https://
it seems like the plist can be in an (I am citing)
opaque binary format
Would the mentioned plutil tool
https://
do something useful?
jaclaz
So far I am drawing blanks on the timestamp format, though you may want to check out my app called LISTView, which will view both binary and xml format plists without the need to convert between the different formats.
http//
Hello,
I did some testing earlier this year for Office 2008 on Mac plist file. The timestamp was in HFS+ Little Endian, 32bit.
In this example the access date is listed as 00001c33 5ccdcd1c
Take 1c33 5ccd for your timestamp. I haven't figured out what the cd1c is.
Your date, 61BA82CA would be Tue, 30 August 2011 160345 UTC (using decode)
Aaaahhh - tremendous. I've checked it against the plist in question and in fact the dates I come up with correlate with the metadata of the file itself.
Huge thanks, Miss! You've relieved me of a huge headache. D
Your date, 61BA82CA would be Tue, 30 August 2011 160345 UTC (using decode)
Can you expand on "using decode"?
As a side note, maybe useful, maybe not
http//
jaclaz
Can you expand on "using decode"?
DCode ?
Can you expand on "using decode"?
Ah yes, "decode", the french version of DCode 😉
http//
I used DCode from Digital Detective to convert the date using the HFS+ 32 Bit Little Endian option.