MS Office Backstage Parser (bs)

Introduction

With the newer versions of Microsoft (MS) Office programs, when you first start Office you will be presented with the Backstage view. From this view, you can create a new document (using a pre-created template) or open an existing file. One can also see the most recently used files listed on the left side of the view.

In order for MS Office to render the history data, it makes use of some persistent information stored on the computer. For MS Office 2016, this file history data is contained in a new set of files located in the MyComputer folder or other folders that designate remote shares. C:\Users\<acct>\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache\MyComputer

The files residing in this directory can be either delimited text or json formatted text, and are named with a 64-character hexadecimal string.

menu

When parsing the data in backstage files, of interest to the analyst is the data that contains references to file and folder paths (both local and remote), each timestamped with the last modified time. So, while the records identify files and folders used in the past, it doesn't necesarily mean they still exist on the system. Therefore, this data can be good in identifying user activity in conjunction with certain files even after these same files may have been deleted or moved elsewhere.

How to use this tool

Many of the options used in previous TZWorks tools are carried forward with this tool. One can open an individual file and process it or enumerate a folder of files and pipe them into the tool for batch processing. Timestamps can be manipulated so as to affect the desired resolution and/or format. Reports can be rendered either in CSV, Log2Timeline, or bodyfile formats. Below are the options for this tool.

menu

For More information

The user's guide can be viewed here

If you would like more information about this tool, contact us via email.

Downloads

Intel 32-bit VersionIntel 64-bit VersionARM 64-bit Version
Windows:bs32.v.0.21.win.zipbs64.v.0.21.win.zipbs64a.v.0.21.win.zipmd5/sha1
Linux:bs32.v.0.21.lin.tar.gzbs64.v.0.21.lin.tar.gzbs64a.v.0.21.lin.tar.gzmd5/sha1
Mac OS X:Not Availablebs.v.0.21.dmgbs.v.0.21.dmgmd5/sha1
*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present.