Excel

What Is?

Excels auto-save feature. Microsoft Excel uses an XAR file to save documents under its AutoRecover feature. No matter what Excel file type is actively being used, all open files are periodically and automatically saved to a default location with this file extension.

https://www.lifewire.com/xar-file-2622433www.lifewire.com

Content retirementMicrosoftLearn

Forensic Value:

Can show existence of opened or deleted files on disk.

File Location:

C:\Users\USERNAME\AppData\Roaming\Microsoft\Excel\
- ~ar5D79.xar
C:\Users\USERNAME\AppData\Local\Microsoft\Office\UnsavedFiles

Parse Data:

.xar

Determine who created the docs:

##Unzip the .xar-file, open \docProps\core.xml, you will find:
<dc:creator>Username<</dc:creator><cp:lastModifiedBy>Username<</cp:lastModifiedBy>

Unsaved:

Windows:
- C:\Users\USERNAME\AppData\Local\Microsoft\Office\UnsavedFiles
Mac:
- /Users/Library/Containers/com.microsoft.Word/Data/Library/Preferences/AutoRecovery

Excel

What Is?

Forensic Value:

File Location:

Parse Data:

Considerations:

Example:

Analysis Tips:

Anti-Forensics:

hashtagWhat Is?

hashtagForensic Value:

hashtagFile Location:

hashtagParse Data:

hashtagConsiderations:

hashtagExample:

hashtagAnalysis Tips:

hashtagAnti-Forensics:

What Is?

Forensic Value:

File Location:

Parse Data:

Considerations:

Example:

Analysis Tips:

Anti-Forensics: