Saturday, August 27, 2011

Sticky Notes Analysis

Another cool feature of Windows 7 systems is the built-in Sticky Notes application, which allows the user to create little reminders for themselves on the desktop, just like regular Sticky Notes IRL.  Having written a Jump List parser and knowing (thanks to Troy Larson) that Sticky Notes also follow the MS compound document binary (OLE) format, I decided to take a look at writing a parser for Sticky Notes.  One of the interesting aspects of the OLE format is the amount of metadata (particularly time stamps) that comes along simply as a "feature" of the format.

When a user creates sticky notes, they appear on the desktop like...well...sticky notes.  Users can change fonts and colors for their notes, but for the most part, the available functionality is pretty limited.  Now, all of the sticky notes end up in a single file, found within the user's profile (path is "%UserProfile%\AppData\Roaming\Microsoft\Sticky Notes"), named StickyNotes.snt.

So what is the potential forensic value of sticky notes?  Well, it depends on your case, what you're looking for, what you're trying to show, etc.  For example, a user may have sticky notes that contain information regarding people they know (contacts), appointments or meetings they may have, etc.  As far as visible content goes, we may not really get an idea of what's there until we start to see them used by the user.

Based on the format used, there is additional information available.  Remember that all sticky notes live in one file, so the file system MACB times apply to the file as a whole.  However, each individual sticky note is held in its own OLE storage (the compound document equivalent of a folder), and every storage's directory entry carries its own creation and modification time stamps, stored as 64-bit FILETIME values.  Opening the Sticky Notes file in MiTeC's Structured Storage Viewer, you can see that the file has several entries: the Version and Metafile streams, as well as the storages (which appear as folders with 17-character names), each of which "contains" streams named 0, 1, and 3.  In each case, the "0" stream contains the complete RTF "document" for the sticky note (which can be extracted and opened in WordPad), and the "3" stream contains the text of the sticky note as Unicode (UTF-16LE).

Now, because the storage for each sticky note has its own creation and modification dates, we can use this information in timeline analysis to demonstrate user activity during specific time frames.  Extracting the "B" (creation) and "M" (modification) times from each storage's directory entry, we can add this information to a timeline in order to demonstrate shell-based (i.e., interactive desktop) access to the system by a specific user.

Again, the usefulness of this information is predicated on the actual use of Sticky Notes, but automating the collection of this information allows us to quickly add context to a timeline with minimal effort.  That's where programming (Perl) comes into play.  I don't see Sticky Notes and Jump Lists being picked up as part of Windows 7 analysis processes any time soon, as analysts really don't seem to be seeing either of these as valuable forensic resources...yet. However, having an automated, cross-platform parsing capability now allows me to do further research and analysis, as well as incorporate it into a more comprehensive analysis framework.

For example, I wondered, "what happens if the user has no Sticky Notes on their desktop?"  Well, that doesn't mean that an analyst shouldn't look for the StickyNotes.snt file.  Here's what I did...I created a bunch of sticky notes with various messages on my desktop and copied the *.snt file off of my system.  Then I deleted all of the Sticky Notes, and again copied the *.snt file.  This second file only contained the Metafile and Version streams, but the Metafile stream still contained the names of all of the previously created sticky notes (see the above graphic); however, as of yet, this stream doesn't appear to contain any recognizable time stamps.  The good news is that the modification time of the Root Entry reflected when the last sticky note was deleted.  As I mentioned earlier in this post, understanding the underlying format of a storage container allows an analyst to exploit available information wherever they may find it.
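To make the format discussion concrete, here is a small pure-Python reader for the compound file format that pulls out exactly the fields this post relies on: the creation and modification FILETIMEs on each note's storage directory entry, the UTF-16 text from stream "3", the RTF from stream "0", and the Root Entry's own modification time (the value that survived the delete-everything test above).  This is an added example written for this page; it is not the Perl parser described in the post and not Microsoft's code.  It builds its own constructed StickyNotes.snt-style fixture (the storage name, note text and time stamps are invented) so it runs offline; on a real file, call parse_sticky_notes(open(path, "rb").read()).  The one format assumption is that the DIFAT fits in the header (at most 109 FAT sectors, roughly 7 MB of 512-byte sectors), which covers any realistic notes file.

```python
import struct
from datetime import datetime, timedelta, timezone

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means the time was never set."""
    return None if ft == 0 else EPOCH + timedelta(microseconds=ft // 10)

def _chain(fat, start):
    """Follow a FAT or mini-FAT sector chain; the seen-set stops loops in damaged or carved files."""
    seen, out = set(), []
    while start < len(fat) and start < 0xFFFFFFFB and start not in seen:
        seen.add(start); out.append(start); start = fat[start]
    return out

def _read_chain(data, fat, start, sec_size, base, size=None):
    """Join a chain's sectors. base=sec_size for regular sectors (sector 0 follows the header), 0 for the mini stream."""
    buf = b"".join(data[base + s * sec_size: base + (s + 1) * sec_size] for s in _chain(fat, start))
    return buf if size is None else buf[:size]

def parse_ole(data):
    """Return (directory entries, stream reader). Assumes the DIFAT fits in the header (<= 109 FAT sectors)."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    # header fields: sector shift, mini sector shift, (dir sector count), FAT sector count, first dir sector,
    # (transaction signature), mini stream cutoff, first mini-FAT sector
    sec_shift, mini_shift, _, n_fat, first_dir, _, cutoff, first_minifat = struct.unpack_from("<HH6xIIIIII", data, 0x1E)
    sec_size, mini_size, fat = 1 << sec_shift, 1 << mini_shift, []
    for s in struct.unpack_from("<109I", data, 0x4C)[:n_fat]:
        fat += struct.unpack_from("<%dI" % (sec_size // 4), data, (s + 1) * sec_size)
    entries, dir_bytes = [], _read_chain(data, fat, first_dir, sec_size, sec_size)
    for off in range(0, len(dir_bytes), 128):  # one 128-byte directory entry per storage or stream
        e = dir_bytes[off:off + 128]
        nlen, etype = struct.unpack_from("<HB", e, 0x40)
        left, right, child = struct.unpack_from("<III", e, 0x44)
        ctime, mtime, start, size = struct.unpack_from("<QQIQ", e, 0x64)  # the B and M FILETIMEs live here
        entries.append(dict(name=e[:max(nlen - 2, 0)].decode("utf-16-le"), type=etype, left=left,
                            right=right, child=child, ctime=ctime, mtime=mtime, start=start, size=size))
    ministream = _read_chain(data, fat, entries[0]["start"], sec_size, sec_size, entries[0]["size"])
    mf = _read_chain(data, fat, first_minifat, sec_size, sec_size)
    minifat = struct.unpack("<%dI" % (len(mf) // 4), mf)
    def stream(e):  # streams below the cutoff (4096 bytes) live in the Root Entry's mini stream
        if e["size"] < cutoff:
            return _read_chain(ministream, minifat, e["start"], mini_size, 0, e["size"])
        return _read_chain(data, fat, e["start"], sec_size, sec_size, e["size"])
    return entries, stream

def _walk(entries, node):
    """In-order traversal of the sibling tree under a storage; returns directory ids."""
    if node == NOSTREAM or node >= len(entries):
        return []
    e = entries[node]
    return _walk(entries, e["left"]) + [node] + _walk(entries, e["right"])

def parse_sticky_notes(data):
    """One record per note storage: name, storage B/M times, Unicode text (stream '3') and RTF (stream '0')."""
    entries, stream = parse_ole(data)
    root, notes = entries[0], []
    for sid in _walk(entries, root["child"]):
        st = entries[sid]
        if st["type"] != 1:  # Version and Metafile are plain streams, not note storages
            continue
        kids = {entries[k]["name"]: entries[k] for k in _walk(entries, st["child"])}
        notes.append(dict(
            name=st["name"], created=filetime_to_dt(st["ctime"]), modified=filetime_to_dt(st["mtime"]),
            text=stream(kids["3"]).decode("utf-16-le").rstrip("\0") if "3" in kids else None,
            rtf=stream(kids["0"]).decode("latin-1") if "0" in kids else None))
    return dict(root_modified=filetime_to_dt(root["mtime"]), notes=notes)

def build_sample_snt():
    """CONSTRUCTED fixture, not a real StickyNotes.snt: one note storage with an invented name, text and times."""
    ft = lambda *a: ((datetime(*a, tzinfo=timezone.utc) - EPOCH) // timedelta(microseconds=1)) * 10
    text = "Call Joe re: Monday meeting"
    rtf = r"{\rtf1\ansi\deff0{\fonttbl{\f0\fnil Segoe Print;}}\f0\fs22 Call Joe re: Monday meeting\par}"
    created, modified = ft(2011, 8, 27, 14, 5, 30), ft(2011, 8, 27, 14, 7, 12)
    def entry(name, etype, left, right, child, ctime, mtime, start, size):
        n = name.encode("utf-16-le") + b"\0\0"
        return (n.ljust(64, b"\0") + struct.pack("<HBBIII", len(n), etype, 1, left, right, child)
                + b"\0" * 20 + struct.pack("<QQIQ", ctime, mtime, start, size))
    rtf_b, txt_b = rtf.encode("ascii"), text.encode("utf-16-le")
    n_rtf, n_txt = -(-len(rtf_b) // 64), -(-len(txt_b) // 64)  # 64-byte mini sectors each stream needs
    mini = rtf_b.ljust(n_rtf * 64, b"\0") + txt_b.ljust(n_txt * 64, b"\0")
    minifat = list(range(1, n_rtf)) + [ENDOFCHAIN] + list(range(n_rtf + 1, n_rtf + n_txt)) + [ENDOFCHAIN]
    directory = (entry("Root Entry", 5, NOSTREAM, NOSTREAM, 1, 0, modified, 3, len(mini))
                 + entry("b2e7c4a0-11e0-8a1", 1, NOSTREAM, NOSTREAM, 2, created, modified, 0, 0)
                 + entry("0", 2, NOSTREAM, 3, NOSTREAM, 0, 0, 0, len(rtf_b))
                 + entry("3", 2, NOSTREAM, NOSTREAM, NOSTREAM, 0, 0, n_rtf, len(txt_b)))
    # sector layout: 0 = FAT, 1 = directory, 2 = mini FAT, 3 = mini stream (the Root Entry's own data)
    header = (OLE_MAGIC + b"\0" * 16 + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + b"\0" * 6
              + struct.pack("<9I", 0, 1, 1, 0, 4096, 2, 1, ENDOFCHAIN, 0) + struct.pack("<109I", 0, *[FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, ENDOFCHAIN, *[FREESECT] * 124)
    return header + fat + directory + struct.pack("<128I", *minifat, *[FREESECT] * (128 - len(minifat))) + mini.ljust(512, b"\0")
```

The point to notice is where the times come from: they are read out of the 128-byte directory entries, not out of the stream contents, which is why a note's storage (and the Root Entry) has B and M times even though the Metafile and Version streams themselves carry no recognizable time stamps.  The fixture keeps both of its streams in the mini stream (the 64-byte-sector area for anything under the 4096-byte cutoff, which is where the text of a typical note lands), so the mini-FAT path is the one being exercised; the loop guard in _chain matters when you point this at a carved or partially overwritten .snt rather than a clean copy.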

7 comments:

Joe Garcia said...

Hey Harlan,

It's good to see that someone else sees potential value in this artifact.

I hope that my blog post on the SANS Forensics Blog regarding Sticky Notes (http://computer-forensics.sans.org/blog/2010/10/19/digital-forensics-stuck-stickies-2/) was an inspiration for this :)

Joe G.

H. Carvey said...

Sorry, Joe...I hadn't done any sort of literature search beyond getting the OLE binary file specs before writing my code...

H. Carvey said...

Joe,

I took another look at your SANS forensic blog post this morning, and saw that you pointed out some artifacts of interest (i.e., searching for ASCII or hex strings). However, "fs22" doesn't really denote "the beginning of each note", although what you find does correlate with the string for the text contained in the note. I do think that this may be useful for carving, if Sticky Notes are an item of interest.

Sticky Notes are maintained using the OLE/compound document format, which means that they can be parsed and that a good deal of forensically-useful data (i.e., time stamps) can be retrieved.

Thanks for your efforts, and for posting your findings.

Jibran Ilyas said...

"However, each individual sticky note is held in an OLE storage stream, which has creation and modification dates associated with it." Good to hear that!!!

"The good news is that the modification time of the Root Entry reflected when the last sticky note was deleted." Nice!

Harlan,
This is a great write up of Sticky Notes. I have a potential engagement with four Win 7 PCs coming up, I can't wait to do the Jump List and Sticky Note analysis on them.

H. Carvey said...

Jibran,

If you do need to do analysis of these artifacts, let me know what I can do to assist...

JimmyWeg said...

I think that one important reminder is something that Troy pointed out on the forum, when I commented about the "missing" Media Player MRUs. Jump Lists seem to have replaced some of these MRUs. Unless you've become acquainted with Jump Lists, you may take the fact that an MRU is missing for a lack of activity or a custom user config. Considering that Media Player is a factor in most (of my) c-p cases, this aspect of Win 7 forensics is rather significant.

H. Carvey said...

Jimmy,

That comment is much better suited to the Jump List blog posts, but thanks for making it just the same. This is definitely a very important aspect of analysis to keep in mind...thanks.