Difference between revisions of "Sticky Notes"

From Forensics Wiki
Jump to: navigation, search
Line 3: Line 3:
 
Sticky Notes are a feature of Windows 7 that allows a user to create sticky notes on their desktop.  The functionality of this feature is somewhat limited, in that the user can change the text, font, color, location and size of the sticky notes, but not much else.
 
Sticky Notes are a feature of Windows 7 that allows a user to create sticky notes on their desktop.  The functionality of this feature is somewhat limited, in that the user can change the text, font, color, location and size of the sticky notes, but not much else.
  
Sticky Notes are maintained in a single file (stickynotes.snt) located in the user's profile ("%UserProfile%\AppData\Roaming\Microsoft\Sticky Notes").  This file is based on the MS [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx OLE/compound file] binary format.
+
Sticky Notes are maintained in a single file (stickynotes.snt) located in the user's profile ("%UserProfile%\AppData\Roaming\Microsoft\Sticky Notes").  This file is based on the MS [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx OLE/compound file] binary format.  The .snt file can be opened and viewed using the [http://http://www.mitec.cz/ssv.html MiTec Structured Storage Viewer]. 
 +
 
 +
When sticky notes files are created, an OLE storage stream using a name similar to "e3a17883-cfd8-11e0-8" is added to the stickynotes.snt file.  Each storage stream has three file streams associated with it, and for all sticky notes, they are named 0, 1, and 3.  The 0 stream contains the rich text format (RTF) "document" for the sticky note, and the 3 stream contains the actual text of the sticky note, in Unicode format.
 +
 
 +
The forensic value of Sticky Notes has yet to be determined or demonstrated.  The Root Entry of the OLE format file will have a modification time associated with it, and each of the storage streams the contain the sticky notes will have creation and modification times associated with them.  These times are maintained in the [http://msdn.microsoft.com/en-us/library/ms724284%28v=vs.85%29.aspx FILETIME] format.  These times can be included in a timeline of system activity in order to demonstrate user activity on the system.

Revision as of 15:47, 27 August 2011

Sticky Notes

Sticky Notes are a feature of Windows 7 that allows a user to create sticky notes on their desktop. The functionality of this feature is somewhat limited, in that the user can change the text, font, color, location and size of the sticky notes, but not much else.

Sticky Notes are maintained in a single file (stickynotes.snt) located in the user's profile ("%UserProfile%\AppData\Roaming\Microsoft\Sticky Notes"). This file is based on the MS OLE/compound file binary format. The .snt file can be opened and viewed using the MiTec Structured Storage Viewer.

When sticky notes files are created, an OLE storage stream using a name similar to "e3a17883-cfd8-11e0-8" is added to the stickynotes.snt file. Each storage stream has three file streams associated with it, and for all sticky notes, they are named 0, 1, and 3. The 0 stream contains the rich text format (RTF) "document" for the sticky note, and the 3 stream contains the actual text of the sticky note, in Unicode format.

The forensic value of Sticky Notes has yet to be determined or demonstrated. The Root Entry of the OLE format file will have a modification time associated with it, and each of the storage streams the contain the sticky notes will have creation and modification times associated with them. These times are maintained in the FILETIME format. These times can be included in a timeline of system activity in order to demonstrate user activity on the system.