Microsoft’s “Office Document Cache” (hereafter, ODC) is complex, infuriating, and misunderstood. For years there have been digital forensics practitioners who knew how valuable information within ODCs was (especially within FSD files), but they were essentially left with scraps after throwing existing tools and techniques against them. After many of the proverbial late nights and early mornings, Arsenal has now drastically improved the situation for our colleagues in digital forensics.

Let’s start at the beginning. The ODC is an intermediate data store for documents (and modifications to them) which are ultimately stored on OneDrive or SharePoint. The ODC is useful to Office users because it improves performance and ensures that documents (and modifications) will eventually be uploaded to OneDrive or SharePoint even though the users are currently offline or have a poor Internet connection.

The ODC Recon is useful to digital forensics practitioners because it often contains not only multiple versions of Office documents, but Office documents which are no longer available elsewhere. The Office Upload Center manages the movement of documents and modifications to and from the Office Document Cache, OneDrive, and SharePoint.

This might all seem logical and straightforward, and you might expect (like we initially did) that parsing of ODC contents would be relatively easy. We now know that the ODC involves a combination of complicated data storage schemes, the likes of which we have never seen before.

If you practice digital forensics, your “forensic sense” should already be tingling.

On a recent case in which we knew contents of the ODC would be incredibly important, we decided to stop accepting scraps. Arsenal has established a clear precedent when it comes to engaging and solving difficult challenges, so we did our thing and for weeks turned our collective focus towards the ODC. What did our focus do for our case?

We were able to recover:

• Completely intact documents deleted by the user and unavailable elsewhere
• Document modifications (for one of the documents, 14 crucial modifications)
• Metadata not only from the ODC database, but within modifications themselves

Some of the exciting things we learned along the way:

• Each Windows user has their own ODC at\Users\(Username)\AppData\Local\Microsoft\Office\(Office Version)\Office File Cache
• There are multiple user-related actions which result in the creation of FSD files within ODC Recon, including the simple act of opening a document from OneDrive or SharePoint
• Files stored on OneDrive or SharePoint, which have nothing to do with Office (e.g. zip files), can sometimes be found in the ODC’s FSD files
• Under certain circumstances, the contents of the Office File Cache folder can be found backed-up in Volume Shadow Copies
• You may be able to recover deleted but still readily accessible contents of the Office File Cache folder
• We have found the contents of the Office File Cache folders from previous Office versions may still exist, going quite far back in time (years)
• While users can configure how long files are kept in the ODC, we find that they are usually retained for 14 days or more

• The largest number of modifications to a single document that we have recovered from a single FSD file is 204204204

Our next challenge was taking what we were able to do internally and turning it into a tool that could be used by our colleagues in digital forensics. After relentless effort from Joakim Schicht, and an enormous amount of testing from Costas Katsavounidis, ODC Recon was born!

Let’s take a quick look at the ODC’s OfficeFileCache folder from the SANS Donald Blake disk image after first being mounted by Arsenal Image Mounter in “Windows file system driver bypass” mode and then after being processed by ODC Recon: