What's New at DFIR Training

June 20, 2020. Regularly updated, never outdone, check out the latest additions to keep up on your DFIR training! Website updates. DFIR Subcontractor listings, Forensic Artifacts and more.

 Enter for a chance to win a Guardonix Write Blocker!

Enter your name/email address here: I WANT TO WIN!

Arsenal Recon Backstage Parser

Arsenal Recon Backstage Parser

42

DFIR Tools

Developer
License Type
Free
Forensic Utilities - Misc
Applications
 
Arsenal's Backstage Parser is a python tool that can be used to parse the contents of Microsoft Office files found in the “\Users(User)\AppData\Local\Microsoft\Office\16.0\BackstageinAppNavCache” path.

David Cowen from C-G Partners blogged in October 2018 (http://www.learndfir.com/2018/10/18/daily-blog-510-office-2016-backstage-artifacts/) about interesting information left behind by the use of Microsoft Office’s “Backstage” view. Arsenal’s Brian Gerdon found the Backstage references to both local and remote folder paths, which were no longer available, particularly interesting. According to Microsoft (https://support.office.com/en-us/article/start-backstage-with-the-file-tab-04610088-406c-43d0-98a0-c1999ab4ef53), "When you start a Microsoft Office program, or after you click the File tab, you can see the Microsoft Office Backstage view. If you need to create a new file, open an existing file, print, save, change options or more, Backstage is the place to do it. In short, it is everything that you do to a file that you don't do in the file.”
 

User comments

There are no user comments for this listing.