Comments on Windows Incident Response: Sticky Notes Analysis
(7 comments, shown oldest first; feed last updated 2024-03-16)

Joe Garcia (http://www.cybercrime101.com), 2011-08-27 13:07 -05:00

Hey Harlan,

It's good to see that someone else sees potential value in this artifact.

I hope that my blog post on the SANS Forensics Blog regarding Sticky Notes (http://computer-forensics.sans.org/blog/2010/10/19/digital-forensics-stuck-stickies-2/) was an inspiration for this :)

Joe G.

H. Carvey, 2011-08-27 13:41 -05:00

Sorry, Joe...I hadn't done any sort of literature search beyond getting the OLE binary file specs before writing my code...

H. Carvey, 2011-08-28 08:17 -05:00

Joe,

I took another look at your SANS forensic blog post this morning, and saw that you pointed out some artifacts of interest (i.e., searching for ASCII or hex strings). However, "fs22" doesn't really denote "the beginning of each note", although what you find does correlate with the string for the text contained in the note. I do think that this may be useful for carving, if Sticky Notes are an item of interest.

Sticky Notes are maintained using the OLE/compound document format, which means that they can be parsed and that a good deal of forensically useful data (i.e., time stamps) can be retrieved.

Thanks for your efforts, and for posting your findings.

Jibran Ilyas, 2011-08-28 14:44 -05:00

"However, each individual sticky note is held in an OLE storage stream, which has creation and modification dates associated with it." Good to hear that!!!

"The good news is that the modification time of the Root Entry reflected when the last sticky note was deleted." Nice!

Harlan,
This is a great write-up of Sticky Notes. I have a potential engagement with four Win 7 PCs coming up; I can't wait to do the Jump List and Sticky Note analysis on them.

H. Carvey, 2011-08-28 16:19 -05:00

Jibran,

If you do need to do analysis of these artifacts, let me know what I can do to assist...

JimmyWeg, 2011-08-29 13:40 -05:00

I think that one important reminder is something that Troy pointed out on the forum, when I commented about the "missing" Media Player MRUs. Jump Lists seem to have replaced some of these MRUs. Unless you've become acquainted with Jump Lists, you may take the fact that an MRU is missing for a lack of activity or a custom user config. Considering that Media Player is a factor in most (of my) c-p cases, this aspect of Win 7 forensics is rather significant.

H. Carvey, 2011-08-29 14:26 -05:00

Jimmy,

That comment is much better suited to the Jump List blog posts, but thanks for making it just the same. This is definitely a very important aspect of analysis to keep in mind...thanks.