Blog >> Microsoft Office

Investigating Microsoft Office

21/01/2022 Friday

Microsoft Office is a set of office/productivity related applications widely used around the world. Microsoft Office includes a variety of applications such as Microsoft Word, Excel, Access and Microsoft PowerPoint. Each application is designed to offer a specific task or service to its users. For example, word processing, managing emails, and creating presentations. Microsoft Office applications are available on desktop, mobile, and via web browsers.


Digital Forensics Value of Microsoft Office Artifacts


Microsoft Office documents are everywhere. They are one of the most common electronic documents used around the world. Given its popularity and broad usage, Microsoft Office suite software is considered an important source of evidentiary information during the digital forensic analysis process. Microsoft Office artifacts retain information such as the user ID, the files and directories recently accessed by the user and other valuable information that can be vital when conducting digital forensic investigations.


Location of Microsoft Office Artifacts


Microsoft Office artifacts are stored in NTUSER.DAT registry hive. If the user is not signed into a Live account, the files and directories recently accessed by Access, Excel, Word, PowerPoint, and Publisher are found in the following subkeys:


However, when a user signs into a Live account through the sign in option, a LiveId_xxx subkey is created for each new Live account. Therefore, the File MRU and Place MRU of each user will be maintained within this key at the following locations:


Similarly, Microsoft Office Word Reading Locations artifact is found in NTUSER.DAT registry hive. Unlike Microsoft Office Recent Files and Recent Places artifacts, however, this information is created when a document in Word is closed and it is stored under the Office key at the following location:


Analyzing Microsoft Office Artifacts with ArtiFast Windows


This section will discuss how to use ArtiFast to analyze Microsoft Office artifacts from Windows machines and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for investigation, at the Artifacts Selection phase, you can select Microsoft Office artifacts:




ArtiFast can analyze Microsoft Office Recent Files, Recent Places and Microsoft Office Word Reading Locations. For demonstration purposes, all the artifacts have been chosen, however, you have the option to select one or more artifacts.



Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Microsoft Office artifacts in ArtiFast.


Microsoft Office Recent Files Artifact

This artifact contains information related to the recently accessed files. The details you can view include:


Microsoft Office Recent Places Artifact

This artifact contains information related to the recent directories of the files. The details you can view include:


Microsoft Office Word Reading Locations Artifact

Microsoft Word allows users to continue reading or editing a document starting at the last point they were working on by tracking the positioning of the cursor in the document. This artifact contains information related to this feature. The details you can view include:



For more information or suggestions please contact: [email protected]