Microsoft Office Telemetry: Tracking Your Every Move

Samuel Koffman
U.S. Government


Starting with Office 2013, Microsoft has released a “compatibility monitoring framework” to help enterprise IT staff management deployments. In doing so, they created a gold mine of data for forensic examiners. Office Telemetry logging includes handy tidbits of data such as: date and time a document was opened and closed, and by which user; metadata about the document that was opened (size, title, author, Office version, etc.); whether the document has specific metadata such as VBA macros or external data connections; and more. To support forensic examiners, a Python utility and Autopsy module have been developed that will parse the telemetry logs and output a detailed spreadsheet, or add blackboard artifacts and a report in Autopsy. Office Telemetry data has been found to provide immense value in creating timelines, as it substantially enriches file system metadata. To date, this valuable source of forensic information is not being parsed by existing forensic tools.

Samuel Koffman

Sam Koffman has been working cyber crime and digital forensic investigations for the federal government for almost 15 years, first with the U.S. Secret Service, and then with the U.S. Department of the Treasury. Throughout his career, Sam has investigated network intrusions into financial institutions and payment processors, as well as network attacks against critical infrastructure support the Secret Service’s protective mission. Currently, Sam is focused on forensic investigations of enterprise-class systems in use across the financial sector.