XLSX forensic analysis of changes

I have an XLSX file (Microsoft Excel) which was modified by an unknown third party. Track changes was not enabled. Are there any possibilities to extract some forensic information regarding:

  • Events (action, time)
  • User (username, hostname, ip address)

I have renamed the file to ZIP and extracted the content. It looks like there might be some promising details when it comes to the following files:

  • comments1.xml
  • styles.xml
  • sharedStrings.xml
  • printerSettings([0-9]+).bin

But in my case I was not able to find anything useful.

1 answer

Marc Ruef (best answer)

I was able to find something interesting which was very useful in my case.

There is a file called sharedStrings.xml, which contains all strings used in one or more cells in a worksheet. Worksheets themselves do refer to this file to save resources.

The strings in the Shared Strings file are documented sequentially. If you have a specific malicious event (e.g. somebody wrote or overwrote a cell content), you may be able to determine all activities before and after.

Example content of sharedStrings.xml:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="3" uniqueCount="3"><si><t>First input</t></si><si><t>Second input</t></si><si><t>Third input</t></si></sst>

Leads to this sequence of actions:

  1. Added new cell content First input
  2. Added new cell content Second input
  3. Added new cell content Third input

If the content of a cell is replaced, the whole entry in this file is replaced too (there is no auditability). The same goes if the content of a cell is deleted. The whole entry will be deleted too.

In my case, it was possible to determine which user might have handled the cell contents before and after the malicious event. This does not lead to a specific suspect, but it narrowed down the list of possible suspects.
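
The following is an added example, not code from the answer: it lists the entries of xl/sharedStrings.xml in table order and goes one step beyond the answer by resolving which cells reference each index, so a string can be placed between its neighbours and located in the sheet. The function names and the in-memory sample archive are constructed for illustration; the sample reuses the three strings shown above.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def shared_string_order(xlsx):
    """Return [(sst_index, text, [(sheet_part, cell_ref), ...])] in table order."""
    with zipfile.ZipFile(xlsx) as z:
        sst = ET.fromstring(z.read("xl/sharedStrings.xml"))
        # One <si> per entry; join every <t> below it so rich-text runs are kept.
        texts = ["".join(t.text or "" for t in si.iter("{%s}t" % NS["m"]))
                 for si in sst.findall("m:si", NS)]
        refs = {i: [] for i in range(len(texts))}
        for name in sorted(z.namelist()):
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            sheet = ET.fromstring(z.read(name))
            # Cells with t="s" hold an index into the shared string table in <v>.
            for c in sheet.iterfind(".//m:c[@t='s']", NS):
                v = c.find("m:v", NS)
                if v is not None and v.text and v.text.isdigit() and int(v.text) in refs:
                    refs[int(v.text)].append((name, c.get("r")))
    return [(i, texts[i], refs[i]) for i in range(len(texts))]

def build_sample():
    """Constructed minimal archive holding only the two parts read above."""
    sst = ('<sst xmlns="%s" count="3" uniqueCount="3">'
           '<si><t>First input</t></si><si><t>Second input</t></si>'
           '<si><t>Third input</t></si></sst>') % NS["m"]
    sheet = ('<worksheet xmlns="%s"><sheetData>'
             '<row r="1"><c r="A1" t="s"><v>0</v></c><c r="B1"><v>42</v></c></row>'
             '<row r="7"><c r="C7" t="s"><v>2</v></c></row>'
             '<row r="9"><c r="A9" t="s"><v>1</v></c></row>'
             '</sheetData></worksheet>') % NS["m"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/sharedStrings.xml", sst)
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for idx, text, cells in shared_string_order(build_sample()):
        print(idx, repr(text), cells or "unreferenced")
```

Run it against a working copy of the evidence file rather than the original; an entry with no referencing cells is printed as unreferenced.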