Data Carving with an Excel File



Reconstructing an Excel file requires a good knowledge of the file structure. A .xls workbook is stored as an OLE2 compound document, which is in effect a small FAT-style filesystem inside the file, so the header, allocation table (FAT) and directory discussed below belong to that container rather than to the spreadsheet data itself. The PDF documentation is about 350 pages long and can be downloaded from Microsoft at http://www.microsoft.com/interop/docs/OfficeBinaryFormats.mspx#ESB

The following notes may assist with carving Excel files.


It is assumed that the first header block (the first 0x200 bytes of the file) is available; an example is shown below.

00000000   D0 CF 11 E0 A1 B1 1A E1 - 00 00 00 00 00 00 00 00
00000010   00 00 00 00 00 00 00 00 - 3E 00 03 00 FE FF 09 00
00000020   06 00 00 00 00 00 00 00 - 00 00 00 00 02 00 00 00
00000030   01 00 00 00 00 00 00 00 - 00 10 00 00 02 00 00 00
00000040   01 00 00 00 FE FF FF FF - 00 00 00 00 00 00 00 00
00000050   74 00 00 00 FF FF FF FF - FF FF FF FF FF FF FF FF
00000060   FF FF FF FF FF FF FF FF - FF FF FF FF FF FF FF FF

The header fields that matter for carving are (all values are little-endian):

  0x00  D0 CF 11 E0 A1 B1 1A E1   OLE2 compound document signature
  0x1E  09 00                     sector shift: sectors are 2^9 = 0x200 bytes
  0x2C  02 00 00 00               number of FAT sectors (2 in this file)
  0x30  01 00 00 00               first directory sector (sector 1)
  0x3C  02 00 00 00               first mini-FAT sector (sector 2)
  0x4C  00 00 00 00               DIFAT entry 0: the first FAT sector is sector 0
  0x50  74 00 00 00               DIFAT entry 1: the second FAT sector is sector 0x74
  0x54  FF FF FF FF ...           remaining DIFAT entries unused (FF FF FF FF = free)


The 4-byte value at offset 0x30 (0x01 in this example) is the number of the first directory sector. The directory begins with the Root Entry, whose name is stored in UTF-16:


00000400   52 00 6F 00 6F 00 74 00 - 20 00 45 00 6E 00 74 00    R o o t   E n t

00000410   72 00 79 00 00 00 00 00 - 00 00 00 00 00 00 00 00    r y            

00000420   00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00                   



Sector numbers count from the end of the header block, so sector n starts at byte offset (n + 1) x 0x200: sector 0 is at 0x200 and sector 1, the directory, is at 0x400.


The value at offset 0x4C is the first DIFAT entry, i.e. the number of the first FAT sector. In this case it is 0x00, so the first FAT sector is sector 0, at byte offset 0x200:

00000200   FD FF FF FF 89 00 00 00 - FE FF FF FF 8A 00 00 00
00000210   05 00 00 00 06 00 00 00 - 07 00 00 00 08 00 00 00
00000220   09 00 00 00 0A 00 00 00 - 0B 00 00 00 0C 00 00 00

Each 4-byte entry describes the sector with the same index and names the next sector in its chain. Entry 0 is FD FF FF FF, which marks sector 0 as a FAT sector; entry 1 (the directory sector) continues at sector 0x89; entry 2 (the mini-FAT sector named at header offset 0x3C) is FE FF FF FF, end of chain; entry 3 continues at sector 0x8A; from entry 4 onward the sectors chain consecutively (5, 6, 7, ...).



The second DIFAT entry, at offset 0x50, is 0x74: the number of the second FAT sector. A 0x200-byte FAT sector holds 128 entries, so the first FAT sector covers sectors 0 to 0x7F and the second covers sectors 0x80 to 0xFF. When those sectors are allocated contiguously, the second FAT sector will typically start with the 4-byte values 0x81, 0x82, ... such as

00000200   81 00 00 00 82 00 00 00 - 83 00 00 00 84 00 00 00
00000210   85 00 00 00 86 00 00 00 - 87 00 00 00 88 00 00 00
00000220   FE FF FF FF FE FF FF FF - FE FF FF FF FF FF FF FF

(The offsets in this dump are relative to the start of the 0x800-byte disk cluster holding the sector, not to the start of the file.) Here sectors 0x80 to 0x87 chain on to the next sector, sectors 0x88, 0x89 and 0x8A end their chains (FE FF FF FF), and sector 0x8B upwards is free (FF FF FF FF).

Sector 0x74 should be at byte offset (0x74 + 1) x 0x200 = 0xEA00 in the file.



Two different units are in play here. The compound document's sectors are 0x200 bytes, but the file in this example was carved from a FAT-formatted volume whose clusters are 4 disk sectors (0x800 bytes). The first disk cluster therefore contains the header (0x000), the first FAT sector (0x200) and the Root Entry directory sector (0x400) together. The second FAT sector, at file offset 0xEA00, should lie in disk cluster 0x1D (0x1D x 0x800 = 0xE800, so it sits 0x200 bytes into that cluster). As that cluster no longer held it, it had to be searched for, by entering a location of EA00 and the values 0x81 0x82, i.e. the byte pattern 81 00 00 00 82 00 00 00.


The starting point to search from is the start of the file; 0 or 1 is OK. This pattern could be found in many Excel files, so it is useful to know the length of the file. As there are only 2 FAT sectors, the chances are that the second one will not be entirely full. If all 128 entries of the 0x200-byte block are used, the block probably belongs to a longer file, and the Search Again function can be used to find a better candidate. In this example the file was a deleted file on a FAT volume, so the file length was known to be 0x11800 bytes, i.e. no more than 0x8C sectors of 0x200 bytes (the header plus sectors 0 to 0x8A). The first FAT sector chains sector 1 on to 0x89 and sector 3 on to 0x8A, and the candidate block ends both of those chains (FE FF FF FF at entries 0x89 and 0x8A) with every entry above 0x8A free, so it is a very good match and should be saved into cluster 0x1D of the reconstructed file.
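The whole procedure above (reading the header fields, turning sector numbers into file offsets and disk clusters, searching for the signature of the second FAT sector and checking a hit against the known file length) as an added Python example. It is not the page author's tool or any Microsoft code: the header and second FAT bytes are taken from the dumps above, while the image they are placed in, the zero-filled gaps and the first FAT's entries beyond those shown are constructed here so that the script runs offline.

```python
"""Locate and sanity-check the FAT sectors of a carved OLE2 (CFB) file.

Added example for this page, not the page author's tool.  HEADER and
SECOND_FAT are the bytes from the dumps above; the image around them is
constructed here so the script runs offline.
"""
import struct

SECTOR = 0x200               # sector shift 9 in the header: 512-byte sectors
CLUSTER = 0x800              # disk cluster size of the volume being carved
MAXREGSECT = 0xFFFFFFFA      # larger values are markers, not sector numbers
FATSECT = 0xFFFFFFFD
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

HEADER = bytes.fromhex(
    "D0CF11E0A1B11AE1" "0000000000000000"
    "0000000000000000" "3E000300FEFF0900"
    "0600000000000000" "0000000002000000"
    "0100000000000000" "0010000002000000"
    "01000000FEFFFFFF" "0000000000000000"
    "74000000FFFFFFFF" "FFFFFFFFFFFFFFFF"
) + b"\xff" * (SECTOR - 0x60)          # unused DIFAT slots are FREESECT

# Second FAT sector as found at 0xEA00: sectors 0x80..0x87 chain on,
# 0x88..0x8A end their chains, 0x8B upwards is free.
SECOND_FAT = struct.pack("<11I", *range(0x81, 0x89), ENDOFCHAIN, ENDOFCHAIN, ENDOFCHAIN)
SECOND_FAT += b"\xff" * (SECTOR - len(SECOND_FAT))


def parse_header(hdr):
    """Header fields a carver needs; offsets are those of the CFB header."""
    if hdr[:8] != MAGIC:
        raise ValueError("no OLE2 signature at offset 0")
    sector_shift = struct.unpack_from("<H", hdr, 0x1E)[0]
    n_fat = struct.unpack_from("<I", hdr, 0x2C)[0]
    first_dir = struct.unpack_from("<I", hdr, 0x30)[0]
    difat = struct.unpack_from("<109I", hdr, 0x4C)    # 109 in-header DIFAT slots
    return {
        "sector_size": 1 << sector_shift,
        "first_dir": first_dir,
        "fat_sectors": [s for s in difat[:n_fat] if s != FREESECT],
    }


def sector_offset(sector, sector_size=SECTOR):
    """Sector numbering starts after the header, so sector 1 is at 0x400."""
    return (sector + 1) * sector_size


def cluster_of(offset, cluster_size=CLUSTER):
    """(disk cluster, offset within it) for a byte offset in the original file."""
    return divmod(offset, cluster_size)


def fat_signature(fat_index, sector_size=SECTOR):
    """First two entries of FAT sector k when the sectors it covers chain contiguously."""
    base = fat_index * (sector_size // 4)
    return struct.pack("<II", base + 1, base + 2)


def find_fat_candidates(image, fat_index, sector_size=SECTOR):
    """Offsets where the signature for FAT sector k occurs on a 4-byte boundary."""
    sig = fat_signature(fat_index, sector_size)
    hits, pos = [], image.find(sig)
    while pos != -1:
        if pos % 4 == 0:
            hits.append(pos)
        pos = image.find(sig, pos + 1)
    return hits


def check_fat_sector(block, fat_index, file_length, sector_size=SECTOR):
    """Reasons a candidate block cannot be FAT sector k of a file_length-byte file."""
    per_sector = sector_size // 4
    entries = struct.unpack("<%dI" % per_sector, block[:sector_size])
    data_sectors = file_length // sector_size - 1      # sectors after the header
    base = fat_index * per_sector
    used = [i for i, e in enumerate(entries) if e != FREESECT]
    problems = []
    if len(used) == per_sector:
        problems.append("all %d entries used: probably from a longer file" % per_sector)
    if used and base + used[-1] >= data_sectors:
        problems.append("describes sector 0x%X, beyond the end of the file" % (base + used[-1]))
    for i in used:
        if entries[i] <= MAXREGSECT and entries[i] >= data_sectors:
            problems.append("entry %d chains to sector 0x%X, beyond the end of the file"
                            % (i, entries[i]))
    return problems


def build_image():
    """Constructed 0x11800-byte image: header, first FAT at sector 0 (entries as
    dumped above, the rest marked free), second FAT at sector 0x74, zeros elsewhere."""
    first_fat = struct.pack("<12I", FATSECT, 0x89, ENDOFCHAIN, 0x8A, *range(5, 13))
    first_fat += b"\xff" * (SECTOR - len(first_fat))
    image = bytearray(0x11800)
    image[0:SECTOR] = HEADER
    image[sector_offset(0):sector_offset(0) + SECTOR] = first_fat
    image[sector_offset(0x74):sector_offset(0x74) + SECTOR] = SECOND_FAT
    return bytes(image)


if __name__ == "__main__":
    info = parse_header(HEADER)
    print("sector size 0x%X, directory at sector %d (offset 0x%X)"
          % (info["sector_size"], info["first_dir"], sector_offset(info["first_dir"])))
    for k, s in enumerate(info["fat_sectors"]):
        off = sector_offset(s)
        print("FAT sector %d = sector 0x%X at offset 0x%X, disk cluster 0x%X + 0x%X"
              % (k, s, off, *cluster_of(off)))
    image = build_image()
    for off in find_fat_candidates(image, 1):
        problems = check_fat_sector(image[off:off + SECTOR], 1, len(image))
        print("candidate at 0x%X: %s" % (off, problems or "consistent with a 0x11800-byte file"))
```

On a real carve the constructed image would be replaced by the raw volume (or the run of clusters recovered so far), and check_fat_sector applied to every hit from find_fat_candidates: a block that is completely used, or that chains to sector numbers past the known file length, is the "longer file" case the text describes and should be skipped with Search Again.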