October 25, 2019
Microsoft’s “Office Document Cache” (hereafter, ODC) is complex, infuriating, and misunderstood. For years there have been digital forensics practitioners who knew how valuable information within ODCs was (especially within FSD files), but they were essentially left with scraps after throwing existing tools and techniques against them. After many of the proverbial late nights and early mornings, Arsenal has now drastically improved the situation for our colleagues in digital forensics.
Let’s start at the beginning. The ODC is an intermediate data store for documents (and modifications to them) which are ultimately stored on OneDrive or SharePoint. The ODC is useful to Office users because it improves performance and ensures that documents (and modifications) will eventually be uploaded to OneDrive or SharePoint even though the users are currently offline or have a poor Internet connection. The ODC is useful to digital forensics practitioners because it often contains not only multiple versions of Office documents, but Office documents which are no longer available elsewhere. The Office Upload Center manages the movement of documents and modifications to and from the Office Document Cache, OneDrive, and SharePoint.
This might all seem logical and straightforward, and you might expect (like we initially did) that parsing of ODC contents would be relatively easy. We now know that the ODC involves a combination of complicated data storage schemes, the likes of which we have never seen before.
If you practice digital forensics, your “forensic sense” should already be tingling.
On a recent case in which we knew contents of the ODC would be incredibly important, we decided to stop accepting scraps. Arsenal has established a clear precedent when it comes to engaging and solving difficult challenges, so we did our thing and for weeks turned our collective focus towards the ODC. What did our focus do for our case?
We were able to recover:
- Completely intact documents deleted by the user and unavailable elsewhere
- Document modifications (for one of the documents, 14 crucial modifications)
- Metadata not only from the ODC database, but within modifications themselves
Some of the exciting things we learned along the way:
- Each Windows user has their own ODC at \Users\(Username)\AppData\Local\Microsoft\Office\(Office Version)\OfficeFileCache
- There are multiple user-related actions which result in the creation of FSD files within ODCs, including the simple act of opening a document from OneDrive or SharePoint
- Files stored on OneDrive or SharePoint, which have nothing to do with Office (e.g. zip files), can sometimes be found in the ODC’s FSD files
- Under certain circumstances, the contents of the OfficeFileCache folder can be found backed-up in Volume Shadow Copies
- You may be able to recover deleted but still readily accessible contents of the OfficeFileCache folder
- We have found the contents of the OfficeFileCache folders from previous Office versions may still exist, going quite far back in time (years)
- While users can configure how long files are kept in the ODC, we find that they are usually retained for 14 days or more
- The largest number of modifications to a single document that we have recovered from a single FSD file is 204
Our next challenge was taking what we were able to do internally and turning it into a tool that could be used by our colleagues in digital forensics. After relentless effort from Joakim Schicht, and an enormous amount of testing from Costas Katsavounidis, ODC Recon was born!
Let’s take a quick look at the ODC’s OfficeFileCache folder from the SANS Donald Blake disk image after first being mounted by Arsenal Image Mounter in “Windows file system driver bypass” mode and then after being processed by ODC Recon:
Now let’s take a look at the ODC Recon output from a single FSD file provided by Costas, and a Word comparison of document versions 0 and 9:
You can see from just these two screenshots how powerful and unique ODC Recon is. Have you started searching your evidence for FSD files yet?
We are making an Alpha (v126.96.36.199) available to our existing customers today.
Getting back to Costas and his testing of internal builds of ODC Recon… he came across many interesting things that we will be sharing in “The Office Document Cache and Introducing ODC Recon – Part II.”
So, if you need to access EFS-encrypted files, you do not have the user’s Windows password, and you may even be dealing with an “IT gone rogue” (i.e. you cannot rely on help from IT – e.g. one or more may be suspects!) scenario, what are your options?
Arsenal is unlike other digital forensics software vendors in the sense that we are consultants involved in casework first and software developers second. We build tools when we find valuable information being left behind by existing tools and techniques.
In “BitLocker for DFIR – Part I” we provided a quick summary of BitLocker, details regarding the various “states” of BitLocker volumes that we see most often in our casework, and some thoughts on things that are particularly relevant to digital forensics and incident response practitioners. We will now discuss launching virtual machines from BitLockered disk images.
Join our mailing list to arm yourself with updates about Arsenal tools, training, and research. Our mailing list is double opt-in so you will need to check your email and confirm your subscription before receiving our mailings.
or (617) 277-3625
Terms & Conditions