In my last post, I discussed using an OLE timestamp to determine the last time an Excel spreadsheet was opened and closed without being saved. The last opened time can be very helpful, but wouldn’t it be nice to know more about who may have opened the file? The Last Saved By metadata field will help if the file was saved after it was opened, but it may not provide additional information if the file was not saved. However, the file’s Workbook stream, comprised of a Binary Interchange File Format (BIFF) data structure, includes a field that records the user name associated with the account that last opened the Excel spreadsheet. This data is recorded regardless of whether the file is saved and can provide information regarding the last user that opened the file.
|Write Access User Name record|
Finding the Record
Parsing the data from the Write Access User Name record within an Excel spreadsheet saved in the OLE compound file format can provide an examiner with a metadata field that may be equated to the “Last Opened By” user. This can be particularly helpful when a limited set of data is provided for analysis or otherwise any time information regarding the last time a spreadsheet was opened is significant. By combining this data with the OLE Root Entry last modified time, it is possible for an examiner to determine the last time an Excel spreadsheet was opened as well as the user name associated with the account that opened the spreadsheet, even if the file was not saved and nothing other than the file itself is available for analysis.
Microsoft Excel (xls) Binary File Format Specification