Forensic Analysis of Microsoft Excel Files


UnallocatedClusters
Senior Member
 

Forensic Analysis of Microsoft Excel Files

Post Posted: Jan 29, 19 18:20

Colleagues,

I have two specific Excel files for analysis.

Allegedly one of the Excel files is a derivative of the other Excel file.

Both Excel files are extremely complex, multi-tabbed with apparently embedded custom code.

** I would like to somehow extract and examine the embedded custom code much as one would do in a software code comparison case.

Any suggestions on where I could extract such custom code from each Excel to compare side by side?

I have Blacklight/Forensic Explorer/OSForensics tools at my disposal.
 
  

Bunnysniper
Senior Member
 

Re: Forensic Analysis of Microsoft Excel Files

Post Posted: Jan 30, 19 02:37

- UnallocatedClusters


I have two specific Excel files for analysis.

xls or xlsx? In the 2nd case, open the file with 7-Zip and the miracle begins. xls can be examined with Offvis for example (https://go.microsoft.com/fwlink/?LinkId=158791)

regards, Robin
_________________
--
All opinions are mine and are not necessarily the opinions of my employer. 
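
The 7-Zip approach above works because .xlsx/.xlsm workbooks are ZIP archives; in a macro-enabled workbook the VBA project sits in the part `xl/vbaProject.bin`, which is itself an OLE file. The following added example (not part of the original post) hashes every part of two workbooks and reports which are identical, modified, or unique to one file. The sample archives and the names `compare_workbooks`, `part_hashes` and `build_sample` are constructed for illustration.

```python
import hashlib
import io
import zipfile

VBA_PART = "xl/vbaProject.bin"  # OLE container that holds VBA in macro-enabled OOXML files

def part_hashes(workbook_bytes):
    """Map each ZIP member (OOXML part) to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(workbook_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def compare_workbooks(a_bytes, b_bytes):
    """Classify every part as identical, modified, or present in only one workbook."""
    a, b = part_hashes(a_bytes), part_hashes(b_bytes)
    report = {"identical": [], "modified": [], "only_a": [], "only_b": []}
    for name in sorted(set(a) | set(b)):
        if name not in b:
            report["only_a"].append(name)
        elif name not in a:
            report["only_b"].append(name)
        elif a[name] == b[name]:
            report["identical"].append(name)
        else:
            report["modified"].append(name)
    report["vba_in_both"] = VBA_PART in a and VBA_PART in b
    return report

def build_sample(parts):
    """Build a constructed stand-in for a workbook: a ZIP with the given parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample data, not real workbooks: same macro blob, one edited and one added sheet.
COMMON = {"xl/workbook.xml": b"<workbook/>", VBA_PART: b"constructed-vba-blob"}
ORIGINAL = build_sample({**COMMON, "xl/worksheets/sheet1.xml": b"<v>1</v>"})
SUSPECT = build_sample({**COMMON, "xl/worksheets/sheet1.xml": b"<v>2</v>",
                        "xl/worksheets/sheet2.xml": b"<v>3</v>"})

if __name__ == "__main__":
    for key, value in compare_workbooks(ORIGINAL, SUSPECT).items():
        print(key, value)
```

For real evidence, pass the bytes of working copies of each workbook. A `xl/vbaProject.bin` listed under "modified" is the part to extract and open with an OLE stream tool for a source-level comparison.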
 
  

keydet89
Senior Member
 

Re: Forensic Analysis of Microsoft Excel Files

Post Posted: Jan 30, 19 05:18

For .xls files, or any OLE format files, consider:

www.mitec.cz/ssv.html

..or..

blog.didierstevens.com...ledump-py/

You can use either one to locate and extract the OLE streams that contain the code.

Something else you might consider is that any of the folder or directory objects within the OLE file will likely have time stamps associated with them...these might be helpful in determining the nature of the derivation.  
 
  

UnallocatedClusters
Senior Member
 

Re: Forensic Analysis of Microsoft Excel Files

Post Posted: Jan 30, 19 08:43

THANKS!!!  
 
  

keydet89
Senior Member
 

Re: Forensic Analysis of Microsoft Excel Files

Post Posted: Jan 30, 19 09:26

I used SSV yesterday to open an MSI file and extract a DLL from one of the streams...  
 
