Sticky Notes Analysis
Another cool feature for Windows 7 systems is the built-in Sticky Notes application, which allows the user to create little reminders for themselves on the desktop, just like with regular Sticky Notes IRL. Having written a Jump List parser and knowing (thanks to Troy Larson) that Sticky Notes also follow the MS compound document binary format, I decided to take a look at writing a parser for Sticky Notes. One of the interesting aspects of the OLE format is the amount of metadata (particularly time stamps) that are simply a "feature" of the format.
When a user creates sticky notes, they appear on the desktop like...well...sticky notes. Users can change fonts and colors for their notes, but for the most part, the available functionality is pretty limited. Now, all of the sticky notes end up in a single file, found within the user's profile (path is "%UserProfile%\AppData\Roaming\Microsoft\Sticky Notes"), named StickyNotes.snt.
So what is the potential forensic value of sticky notes? Well, it kind of depends on your case, what you're looking for, what you're trying to show, etc. For example, it's possible that a user may have sticky notes that contain information regarding people they know (contacts), appointments or meetings that they may have, etc. As far as visible content, we may not really get an idea of what's there until we start to see them used by the user. Based on the format used, there is additional information available. Remember that all sticky notes appear in one file, so the file system MACB times apply to the file as a whole. However, each individual sticky note is held in an OLE storage stream, which has creation and modification dates associated with it. Opening the Sticky Notes file in MiTeC's Structured Storage Viewer, you can see that the file has several streams: Version, Metafile, as well as the storage streams (i.e., folders with 17-character names) that each "contain" streams named 0, 1, and 3. In each case, the "0" stream contains the complete RTF "document" for the sticky note (which can be extracted and opened in WordPad), and the "3" stream contains the text of the sticky note, in Unicode format.
Now, because the storage streams for each sticky note have creation and modification dates, we can use this information in timeline analysis to demonstrate user activity during specific time frames. Extracting the "B" (creation) and "M" (modification) times, we can add this information to a timeline in order to demonstrate shell-based access to the system by a specific user.
Again, the usefulness of this information is predicated on the actual use of Sticky Notes, but automating the collection of this information allows us to quickly add context to a timeline with minimal effort. That's where programming (Perl) comes into play. I don't see Sticky Notes and Jump Lists being picked up as part of Windows 7 analysis processes any time soon, as analysts really don't seem to be seeing either of these as valuable forensic resources...yet. However, having an automated, cross-platform parsing capability now allows me to do further research and analysis, as well as incorporate it into a more comprehensive analysis framework.
For example, I wondered, "what happens if the user has no Sticky Notes on their desktop?" Well, that doesn't mean that an analyst shouldn't look for the stickynotes.snt file. Here's what I did...I created a bunch of sticky notes with various messages on my desktop and copied the *.snt file off of my system. Then I deleted all of the Sticky Notes, and again, copied the *.snt file. This second file only contained the Metafile and Version streams, but the Metafile stream still contained the names of all of the previously created sticky notes (see the above graphic); however, as of yet, this stream doesn't appear to contain any recognizable time stamps. The good news is that the modification time of the Root Entry reflected when the last sticky note was deleted. Like I mentioned earlier in this post, understanding the underlying format of a storage container allows an analyst to exploit available information wherever they may find it.
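To make the two points above concrete (the per-note storage entries carrying "B" and "M" times, and the Root Entry modification time surviving after every note is deleted), here is an added example in Python of pulling those timestamps straight out of the OLE compound file directory and emitting them as five-field TLN lines. This is not the author's Perl parser. The sample .snt-style file is constructed in memory to mimic the layout described above (Root Entry, Version, Metafile, one 17-character storage holding streams 0, 1 and 3); every name, size and time in it is made up, and the host and user names passed to the timeline function are placeholders.

```python
"""Directory-entry FILETIMEs from an OLE compound (CFB) file, as TLN timeline lines.

Added example, not the original post's Perl code. The sample file below is
constructed in memory to look like StickyNotes.snt; its names/times are invented.
"""
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512                      # CFB v3 sector size (sector shift 9)
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
TYPE_NAMES = {1: "storage", 2: "stream", 5: "root"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; a zero value means 'not set'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def read_directory_stream(cfb):
    """Follow the directory sector chain through the FAT and return its raw bytes."""
    if cfb[:8] != b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        raise ValueError("not an OLE compound file")
    ssize = 1 << struct.unpack_from("<H", cfb, 30)[0]
    first_dir = struct.unpack_from("<I", cfb, 48)[0]
    fat = []                      # header DIFAT lists the first 109 FAT sectors: enough here
    for i in range(109):
        fs = struct.unpack_from("<I", cfb, 76 + 4 * i)[0]
        if fs >= 0xFFFFFFFA:      # FREESECT / end markers
            break
        fat.extend(struct.unpack_from("<%dI" % (ssize // 4), cfb, (fs + 1) * ssize))
    out, sec = bytearray(), first_dir
    while sec < 0xFFFFFFFA:       # sector N lives at offset (N + 1) * ssize, after the header
        out += cfb[(sec + 1) * ssize:(sec + 2) * ssize]
        sec = fat[sec]
    return bytes(out)


def parse_directory(dir_bytes):
    """Decode each 128-byte directory entry: name, object type, B/M FILETIMEs, size."""
    entries = []
    for off in range(0, len(dir_bytes) - 127, 128):
        e = dir_bytes[off:off + 128]
        name_len = struct.unpack_from("<H", e, 64)[0]   # byte count incl. UTF-16 NUL
        if name_len < 2 or e[66] == 0:                  # unused slot
            continue
        ctime, mtime = struct.unpack_from("<QQ", e, 100)
        entries.append({"name": e[:name_len - 2].decode("utf-16-le"),
                        "type": TYPE_NAMES.get(e[66], "type%d" % e[66]),
                        "ctime": filetime_to_dt(ctime), "mtime": filetime_to_dt(mtime),
                        "size": struct.unpack_from("<I", e, 120)[0]})
    return entries


def to_tln(entries, host, user):
    """Time|Source|Host|User|Description lines, Unix epoch UTC, sorted by time.
    Entries whose FILETIMEs are zero (here, the streams) contribute nothing."""
    lines = []
    for ent in entries:
        for flag, key in (("B", "ctime"), ("M", "mtime")):
            if ent[key] is not None:
                lines.append("%d|StickyNotes|%s|%s|%s %s [%s]" % (
                    ent[key].timestamp(), host, user, flag, ent["type"], ent["name"]))
    return sorted(lines, key=lambda ln: int(ln.split("|")[0]))


def _dir_entry(name, etype, ctime=0, mtime=0, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM, size=0):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<HBBIII", e, 64, len(raw), etype, 1, left, right, child)
    struct.pack_into("<QQII", e, 100, ctime, mtime, 0, size)
    return bytes(e)


def build_sample_cfb():
    """Constructed sample: sector 0 = FAT, sectors 1-2 = directory (7 entries + 1 unused)."""
    t1 = dt_to_filetime(datetime(2011, 3, 15, 14, 5, 0, tzinfo=timezone.utc))
    t2 = dt_to_filetime(datetime(2011, 3, 16, 9, 30, 0, tzinfo=timezone.utc))
    t3 = dt_to_filetime(datetime(2011, 3, 17, 18, 0, 0, tzinfo=timezone.utc))  # "last note deleted"
    entries = [_dir_entry("Root Entry", 5, t1, t3, child=1),
               _dir_entry("Version", 2, size=4, left=2, right=3),
               _dir_entry("Metafile", 2, size=64),
               _dir_entry("a3f1e0c9b2d4e5f60", 1, t2, t2, child=4),  # 17-char storage = one note
               _dir_entry("0", 2, size=300, right=5),                 # RTF body
               _dir_entry("1", 2, size=8, right=6),
               _dir_entry("3", 2, size=40)]                           # UTF-16 text
    directory = b"".join(entries).ljust(2 * SECTOR, b"\x00")
    fat = [FATSECT, 2, ENDOFCHAIN] + [FREESECT] * (SECTOR // 4 - 3)
    header = bytearray(SECTOR)
    header[:8] = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)        # versions, byte order, shifts
    struct.pack_into("<8I", header, 40, 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))         # DIFAT: FAT is sector 0
    return bytes(header) + struct.pack("<%dI" % len(fat), *fat) + directory


if __name__ == "__main__":
    for line in to_tln(parse_directory(read_directory_stream(build_sample_cfb())), "HOST", "user"):
        print(line)
```

Point `read_directory_stream` at the bytes of a real StickyNotes.snt and the same two functions give you the storage names and their B/M times; the Root Entry line is the one that still appears when the file holds only Version and Metafile. The DIFAT handling here stops at the 109 FAT sectors listed in the header, which is more than enough for a file this small.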