Readme.md

Office Upload Center

• The Office Document Cache and Introducing ODC Recon – Part I (blog post)
  
  

---

• OfficeFileCache.exe (x64): CentralTable.accdb/db, FSD & FSF parser. Updated to extract data from either an SQLite (Android, iOS, MAC OS) or a MSAccess Accdb (Windows) centraltable database depending on the source of the OfficeFileCache folder. Optionally exports output to csv.
  Just point it to an OfficeFileCache folder ...
  

  • Requires Microsoft Access Database Engine ODBC driver and/or System.Data.SQLite.dll - If user opts in, will install them the first time needed (Installation log saved in Env:Temp) - or they can be installed manually.
    

    

---

• ODCreconGUI.exe: x64 GUI for ArsenalRecon's ODCrecon64.exe. Extracts OOXML documents from FSD files. Obviously, it requires ODCrecon64.exe ;-)
  

  

---

• ODCreg.ps1: Powershell script to parse an NTuser.dat hive file for Microsoft Office roaming Metadata (Microsoft/Sharepoint IDs, files opened from Skydrive/Sharepoint & related timestamps). Exports output to a .txt csv file. Requires to be run as Administrator
  

---

• ODC-FSD.exe: Parse the OfficeFileCache FSD files in a folder and get FSD size and filename & url of the embedded file. Exports output to a .txt file.
  

---

• ODC-FSF.exe: Parse the OfficeFileCache FSF files in a folder and get the embedded FSD GUID. Exports output to a .txt file.
  

---

• OneDrive.ps1: Powershell script to list all MS Accounts associated with Onedrive, from a user's NTuser.dat. Requires to be run as Administrator
  

---

• OfficeMRU.ps1: Powershell script to list the most recently used (MRU) files/folders in MS Office applications, from a user's NTuser.dat. Requires to be run as Administrator
  

---

• MruServiceCache.ps1: Powershell script to parse the contents of the json files in an 'MruServiceCache' folder (Office16+ only)
  
• MruServiceCache.exe: Same as a standalone exe.
  

---

• Backstage.ps1: Powershell script to parse the contents of the json files in a 'BackstageInAppNavCache' folder (Office16+ only)
  
• Backstagex64.exe: Same as a standalone exe.
  Blog post, Python Script

---

• Note1: The output exported from the above scripts are set to be saved as (csv) .txt files in the $env:TEMP folder.
• Note2: The CentralTable.accdb points to the GUID in the FSF filename, and the FSF contains the GUID of the respective File Store Data (FSD) container.