Microsoft’s “Office Document Cache” (hereafter, ODC) is complex, infuriating, and misunderstood. For years there have been digital forensics practitioners who knew how valuable information within ODCs was (especially within FSD files), but they were essentially left with scraps after throwing existing tools and techniques against them. After many of the proverbial late nights and early mornings, Arsenal has now drastically improved the situation for our colleagues in digital forensics.
Let’s start at the beginning. The ODC is an intermediate data store for documents (and modifications to them) which are ultimately stored on OneDrive or SharePoint. The ODC is useful to Office users because it improves performance and ensures that documents (and modifications) will eventually be uploaded to OneDrive or SharePoint even if the user is currently offline or has a poor Internet connection. The ODC is useful to digital forensics practitioners because it often contains not only multiple versions of Office documents, but Office documents which are no longer available elsewhere. The Office Upload Center manages the movement of documents and modifications between the Office Document Cache, OneDrive, and SharePoint.
This might all seem logical and straightforward, and you might expect (like we initially did) that parsing of ODC contents would be relatively easy. We now know that the ODC involves a combination of complicated data storage schemes, the likes of which we have never seen before.
If you practice digital forensics, your “forensic sense” should already be tingling.
On a recent case in which we knew contents of the ODC would be incredibly important, we decided to stop accepting scraps. Arsenal has established a clear precedent when it comes to engaging and solving difficult challenges, so we did our thing and for weeks turned our collective focus towards the ODC. What did our focus do for our case?
We were able to recover:
Completely intact documents deleted by the user and unavailable elsewhere
Document modifications (for one of the documents, 14 crucial modifications)
Metadata not only from the ODC database, but within modifications themselves
Some of the exciting things we learned along the way:
Each Windows user has their own ODC at \Users\(Username)\AppData\Local\Microsoft\Office\(Office Version)\OfficeFileCache
There are multiple user-related actions which result in the creation of FSD files within ODCs, including the simple act of opening a document from OneDrive or SharePoint
Files stored on OneDrive or SharePoint, which have nothing to do with Office (e.g. zip files), can sometimes be found in the ODC’s FSD files
Under certain circumstances, the contents of the OfficeFileCache folder can be found backed up in Volume Shadow Copies
You may be able to recover deleted but still readily accessible contents of the OfficeFileCache folder
We have found that the contents of OfficeFileCache folders from previous Office versions may still exist, going quite far back in time (years)
While users can configure how long files are kept in the ODC, we find that they are usually retained for 14 days or more
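The location facts above translate directly into a repeatable triage step: walk every user profile on a mounted image, check every Office version folder (not just the current one, since older caches can survive for years), and inventory the FSD files with their sizes and timestamps. The following is an added example written for this page; it is not Arsenal’s code and not part of ODC Recon. It only enumerates and summarizes FSD files, it does not parse them. The sample directory layout it builds (user names, version folder names, file names and timestamps) is constructed for demonstration and is not real evidence; FSD file naming in the sample is an assumption, only the .FSD extension comes from the page.

```python
"""Triage helper: inventory per-user Office Document Cache (ODC) folders and FSD files.

Run against the root of a mounted image (the folder that contains "Users").
Added example for illustration; not Arsenal's code and not part of ODC Recon.
"""
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class FsdEntry:
    user: str
    office_version: str   # name of the folder under ...\Microsoft\Office\ (e.g. "16.0")
    path: Path
    size: int
    modified: datetime    # filesystem mtime, UTC


def find_odc_folders(root: Path) -> Iterator[Tuple[str, str, Path]]:
    """Yield (user, office_version, OfficeFileCache dir) for every profile under <root>/Users.

    Every version folder is inspected, because caches left behind by earlier
    Office versions may still be present years later.
    """
    users_dir = root / "Users"
    if not users_dir.is_dir():
        return
    for user_dir in sorted(users_dir.iterdir()):
        office_dir = user_dir / "AppData" / "Local" / "Microsoft" / "Office"
        if not office_dir.is_dir():
            continue
        for version_dir in sorted(office_dir.iterdir()):
            cache_dir = version_dir / "OfficeFileCache"
            if cache_dir.is_dir():
                yield user_dir.name, version_dir.name, cache_dir


def list_fsd_files(root: Path) -> List[FsdEntry]:
    """Collect every *.FSD file (extension matched case-insensitively) in every ODC under root."""
    entries: List[FsdEntry] = []
    for user, version, cache_dir in find_odc_folders(root):
        for p in sorted(cache_dir.rglob("*")):
            if p.is_file() and p.suffix.lower() == ".fsd":
                st = p.stat()
                modified = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
                entries.append(FsdEntry(user, version, p, st.st_size, modified))
    return entries


def summarize(entries: List[FsdEntry]) -> Dict[Tuple[str, str], int]:
    """Count FSD files per (user, office_version) so stale caches stand out."""
    counts: Dict[Tuple[str, str], int] = {}
    for e in entries:
        key = (e.user, e.office_version)
        counts[key] = counts.get(key, 0) + 1
    return counts


def retention_span_days(entries: List[FsdEntry]) -> float:
    """Days between the oldest and newest FSD mtime in a set (0.0 if fewer than two).

    Useful as a quick sanity check against the expected retention window.
    """
    if len(entries) < 2:
        return 0.0
    times = [e.modified for e in entries]
    return (max(times) - min(times)).total_seconds() / 86400.0


def build_sample_tree(base: Path) -> Path:
    """Create a CONSTRUCTED profile layout for demonstration; file names and dates are made up."""
    root = base / "mounted_image"
    day = 86400
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp()
    sample = [  # (user, office version folder, file name, mtime)
        ("alice", "16.0", "sample-a.FSD", t0),
        ("alice", "16.0", "sample-b.fsd", t0 + 19 * day),
        ("alice", "16.0", "not-a-cache-file.txt", t0),      # must be ignored
        ("bob", "15.0", "sample-c.FSD", t0 - 200 * day),     # older Office version
    ]
    for user, version, name, mtime in sample:
        cache_dir = root / "Users" / user / "AppData" / "Local" / "Microsoft" / "Office" / version / "OfficeFileCache"
        cache_dir.mkdir(parents=True, exist_ok=True)
        f = cache_dir / name
        f.write_bytes(b"constructed placeholder content")
        os.utime(f, (mtime, mtime))
    return root


def demo() -> Tuple[Path, List[FsdEntry]]:
    """Build the constructed tree in a temp dir and inventory it."""
    root = build_sample_tree(Path(tempfile.mkdtemp()))
    return root, list_fsd_files(root)


if __name__ == "__main__":
    _, found = demo()
    for e in found:
        print(f"{e.user:8} {e.office_version:5} {e.size:8d} {e.modified:%Y-%m-%d} {e.path.name}")
    print("per user/version:", summarize(found))
    print(f"observed span: {retention_span_days(found):.1f} days")
```

On a real mounted image, point `list_fsd_files` at the mount root instead of calling `demo()`; the per-version grouping is what surfaces caches from older Office installs that a search of only the current version folder would miss.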
Our next challenge was taking what we were able to do internally and turning it into a tool that could be used by our colleagues in digital forensics. After relentless effort from Joakim Schicht, and an enormous amount of testing from Costas Katsavounidis, ODC Recon was born!
Let’s take a quick look at the ODC’s OfficeFileCache folder from the SANS Donald Blake disk image, first as mounted by Arsenal Image Mounter in “Windows file system driver bypass” mode and then after being processed by ODC Recon:
Now let’s take a look at the ODC Recon output from a single FSD file provided by Costas, and a Word comparison of document versions 0 and 9:
You can see from just these two screenshots how powerful and unique ODC Recon is. Have you started searching your evidence for FSD files yet?
We are making an Alpha (v1.0.0.34) available to our existing customers today.
Getting back to Costas and his testing of internal builds of ODC Recon… he came across many interesting things that we will be sharing in “The Office Document Cache and Introducing ODC Recon – Part II.”
Good hunting!