Excel

What Is?

Excels auto-save feature. Microsoft Excel uses an XAR file to save documents under its AutoRecover feature. No matter what Excel file type is actively being used, all open files are periodically and automatically saved to a default location with this file extension.

What's an XAR File and How Do You Open One?Lifewire

Description of the Auto-Recover functions in Excel - Microsoft 365 AppsMicrosoftLearn

Forensic Value:

Can show existence of opened or deleted files on disk.

File Location:

• C:\Users\USERNAME\AppData\Roaming\Microsoft\Excel\

  • ~ar5D79.xar

• C:\Users\USERNAME\AppData\Local\Microsoft\Office\UnsavedFiles

Offline System

Live System

Parse Data:

.xar

• Determine who created the docs:

##Unzip the .xar-file, open \docProps\core.xml, you will find:
<dc:creator>Username<</dc:creator><cp:lastModifiedBy>Username<</cp:lastModifiedBy>

Unsaved:

• Windows:

  • C:\Users\USERNAME\AppData\Local\Microsoft\Office\UnsavedFiles

• Mac:

  • /Users/Library/Containers/com.microsoft.Word/Data/Library/Preferences/AutoRecovery

Considerations:

Example:

Analysis Tips:

Anti-Forensics: