Excel

What Is?

Excels auto-save feature. Microsoft Excel uses an XAR file to save documents under its AutoRecover feature. No matter what Excel file type is actively being used, all open files are periodically and automatically saved to a default location with this file extension.

What's an XAR File and How Do You Open One?Lifewire

Description of the Auto-Recover functions in Excel - Microsoft 365 AppsMicrosoftLearn

Forensic Value:

Can show existence of opened or deleted files on disk.

File Location:

C:\Users\USERNAME\AppData\Roaming\Microsoft\Excel\
- ~ar5D79.xar
C:\Users\USERNAME\AppData\Local\Microsoft\Office\UnsavedFiles

Parse Data:

.xar

Determine who created the docs:

##Unzip the .xar-file, open \docProps\core.xml, you will find:
<dc:creator>Username<</dc:creator><cp:lastModifiedBy>Username<</cp:lastModifiedBy>

Unsaved:

Windows:
- C:\Users\USERNAME\AppData\Local\Microsoft\Office\UnsavedFiles
Mac:
- /Users/Library/Containers/com.microsoft.Word/Data/Library/Preferences/AutoRecovery

DFIR

Excel

What Is?

Forensic Value:

File Location:

Parse Data:

Considerations:

Example:

Analysis Tips:

Anti-Forensics: