
Forensic Analysis of Microsoft Excel Files

UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

Colleagues,

I have two specific Excel files for analysis.

Allegedly one of the Excel files is a derivative of the other Excel file.

Both Excel files are extremely complex, multi-tabbed with apparently embedded custom code.

I would like to somehow extract and examine the embedded custom code much as one would do in a software code comparison case.

Any suggestions on where I could extract such custom code from each Excel to compare side by side?

I have Blacklight/Forensic Explorer/OSForensics tools at my disposal.

 
Posted : 30/01/2019 12:20 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

> I have two specific Excel files for analysis.

xls or xlsx? In the 2nd case, open the file with 7-Zip and the miracle begins. xls can be examined with Offvis for example (https://go.microsoft.com/fwlink/?LinkId=158791)

regards, Robin

 
Posted : 30/01/2019 8:37 am
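
The ZIP approach from the reply above, as an added example that is not part of the thread: it hashes every part of two OOXML workbooks to show which parts are identical, changed or unique, and flags parts that are themselves OLE containers. The function names and sample workbooks are constructed for illustration; `xl/vbaProject.bin` is the part where macro-enabled OOXML workbooks store their VBA project, and it is an OLE file that oledump.py or SSV can open.

```python
import hashlib
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file signature


def inventory(container):
    """Map each ZIP part name to (sha256, starts_with_ole_magic, zip_mtime)."""
    parts = {}
    with zipfile.ZipFile(container) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            parts[info.filename] = (hashlib.sha256(data).hexdigest(),
                                    data.startswith(OLE_MAGIC), info.date_time)
    return parts


def compare(original, suspect):
    """Return ({part: status}, [parts that are OLE containers])."""
    a, b = inventory(original), inventory(suspect)
    report = {}
    for name in sorted(a.keys() | b.keys()):
        if name not in b:
            report[name] = "only_original"
        elif name not in a:
            report[name] = "only_suspect"
        else:
            report[name] = "same" if a[name][0] == b[name][0] else "changed"
    ole = sorted(n for n in report
                 if any(p.get(n, ("", False))[1] for p in (a, b)))
    return report, ole


def build_sample(parts):
    """Constructed stand-in for a workbook: a ZIP of name -> bytes parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf


# Constructed sample data, not real workbooks or real VBA.
VBA = OLE_MAGIC + b"constructed placeholder, not a real VBA project"
BASE = {"xl/workbook.xml": b"<workbook/>", "xl/vbaProject.bin": VBA}
ORIGINAL = build_sample({**BASE, "xl/worksheets/sheet1.xml": b"<v>1</v>"})
SUSPECT = build_sample({**BASE, "xl/worksheets/sheet1.xml": b"<v>2</v>",
                        "xl/worksheets/sheet2.xml": b"<v>3</v>"})
```

`compare()` also accepts file paths, so it can be pointed at working copies of the two workbooks; the ZIP timestamps kept by `inventory()` are available for each part as well.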
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

For .xls files, or any OLE format files, consider

https://www.mitec.cz/ssv.html

..or..

https://blog.didierstevens.com/programs/oledump-py/

You can use either one to locate and extract the OLE streams that contain the code.

Something else you might consider is that any of the folder or directory objects within the OLE file will likely have time stamps associated with them…these might be helpful in determining the nature of the derivation.

 
Posted : 30/01/2019 11:18 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
Topic starter
 

THANKS!!!

 
Posted : 30/01/2019 2:43 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I used SSV yesterday to open an MSI file and extract a DLL from one of the streams…

 
Posted : 30/01/2019 3:26 pm