Microsoft Office Telemetry: Tracking Your Every Move
Talk, Westin Washington Dulles, Herndon, VA, Herndon, VA
Starting with Office 2013, Microsoft has released a “compatibility monitoring framework” to help enterprise IT staff management deployments. In doing so, they created a gold mine of data for forensic examiners. Office Telemetry logging includes handy tidbits of data such as: date and time a document was opened and closed, and by which user; metadata about the document that was opened (size, title, author, Office version, etc.); whether the document has specific metadata such as VBA macros or external data connections; and more. To support forensic examiners, a Python utility and Autopsy module have been developed that will parse the telemetry logs and output a detailed spreadsheet, or add blackboard artifacts and a report in Autopsy. Office Telemetry data has been found to provide immense value in creating timelines, as it substantially enriches file system metadata. To date, this valuable source of forensic information is not being parsed by existing forensic tools.