Windows Sticky Notes Forensics
When responding to an incident, have you ever needed to recover the sticky notes a user kept on their desktop? Documentation of the Windows Sticky Notes artifacts is sparse. This post covers how to retrieve the content of Windows Sticky Notes and how to recover notes that have been deleted.
Sticky Notes has shipped with Windows since Windows 7; it lets a user pin short notes to the desktop.
Legacy Sticky Note Format
Available Windows versions: Windows 7 to Windows 10 before version 1607 (the Anniversary Update)
Location: %APPDATA%\Microsoft\Sticky Notes\StickyNotes.snt
The .snt file is a Microsoft OLE2 compound file (the same container format as legacy .doc and .xls files). It can be opened in the MiTEC Structured Storage Viewer, or you can use the parser I created, which extracts the id, text, creation timestamp and modification timestamp of every note stored in the file.
Win10 Sticky Note Format
Available Windows versions: Windows 10 version 1607 and later
Location: %LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
Write-ahead log: %LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite-wal
Shared-memory index for the WAL: %LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite-shm
Starting with Windows 10 version 1607, Microsoft changed the Sticky Notes store from an OLE compound file to an SQLite 3 database. The database runs in write-ahead-log mode, so the most recent changes may exist only in plum.sqlite-wal until SQLite checkpoints them into plum.sqlite. Collect all three files together and keep them side by side when you open a copy: SQLite replays the WAL on open, so the copy then reflects every committed change. The -shm file is only an index into the WAL and holds no note content of its own. You can use any SQLite browser or my script to parse the information out; the script writes a CSV automatically.
To read the notes, query the “Note” table of plum.sqlite. Fields of interest:
- Text — text content of each sticky note
- WindowPosition — where the note is placed on the screen
- IsOpen — whether the note is currently open on the desktop
- Theme — colour of the sticky note
- LastServerVersion — last version stored in the user's Microsoft account (only when sync is enabled)
- Id — ID of the sticky note
- CreatedAt, DeletedAt, UpdatedAt — creation, deletion and last-update timestamps, stored as .NET ticks
Microsoft Account Synchronization
When I started this research I was confused about how data is stored in plum.sqlite. Sticky Notes can synchronize notes to a Microsoft account. When sync is enabled, plum.sqlite also caches the last cloud copy of each note in the “LastServerVersion” field of the “Note” table. The timestamps inside “LastServerVersion” are the times the note was stored in the Microsoft account, NOT the time the note was created on the examined computer. Do not mix the two up when building a timeline.
To find out when a note was created, updated or deleted on the local machine, always use the “CreatedAt”, “UpdatedAt” and “DeletedAt” fields. They are stored as .NET ticks: 100-nanosecond intervals counted from 0001-01-01 00:00:00 UTC, so Unix seconds = (ticks - 621355968000000000) / 10,000,000. You can convert them with a tool such as DCode. My script converts the timestamps to UTC and writes every row of the “Note” table to a CSV file.
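The following is an added example, not the parser from this post: it copies plum.sqlite together with its -wal and -shm sidecars into a scratch directory, lets SQLite replay the WAL, converts the tick timestamps to UTC and writes the “Note” table to CSV. The Note schema in build_sample_db() and the note values in it are constructed for the demo and cover only the fields listed above; the real table has more columns, which export_notes() tolerates by selecting only the columns that exist.

```python
"""Export the Note table of a Sticky Notes plum.sqlite to CSV with UTC timestamps.

Added example (not the post's own parser). The Note schema below is a constructed
subset of the real table, limited to the fields named in the post.
"""
import csv
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# CreatedAt/UpdatedAt/DeletedAt are .NET ticks: 100 ns units since 0001-01-01 UTC.
TICKS_PER_SECOND = 10_000_000
TICK_EPOCH = datetime(1, 1, 1, tzinfo=timezone.utc)
FIELDS = ["Id", "Text", "WindowPosition", "IsOpen", "Theme",
          "LastServerVersion", "CreatedAt", "DeletedAt", "UpdatedAt"]
TICK_FIELDS = ("CreatedAt", "DeletedAt", "UpdatedAt")


def ticks_to_utc(ticks):
    """Convert a .NET tick count to an ISO-8601 UTC string; NULL or 0 means unset."""
    if not ticks:
        return ""
    # timedelta resolves microseconds, so the trailing 100 ns digit is dropped.
    return (TICK_EPOCH + timedelta(microseconds=ticks // 10)).isoformat()


def export_notes(db_path, csv_path):
    """Dump every Note row of a plum.sqlite (and its WAL) to csv_path; return the rows."""
    db_path = Path(db_path)
    # Work on a copy that carries the -wal and -shm sidecars: SQLite replays the
    # write-ahead log when it opens the main file, so rows that have not been
    # checkpointed yet are still returned. Never open the evidence files in place.
    work = Path(tempfile.mkdtemp(prefix="plum_"))
    for suffix in ("", "-wal", "-shm"):
        src = db_path.with_name(db_path.name + suffix)
        if src.exists():
            shutil.copy2(src, work / src.name)
    conn = sqlite3.connect(work / db_path.name)
    conn.row_factory = sqlite3.Row
    try:
        # Select only columns that exist so a different Sticky Notes build does not break us.
        present = {r[1] for r in conn.execute("PRAGMA table_info(Note)")}
        cols = [c for c in FIELDS if c in present]
        rows = []
        for r in conn.execute("SELECT %s FROM Note" % ", ".join(cols)):
            row = dict(r)
            for f in TICK_FIELDS:
                if f in row:
                    row[f] = ticks_to_utc(row[f])
            rows.append(row)
    finally:
        conn.close()
    with open(csv_path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=cols)
        writer.writeheader()
        writer.writerows(rows)
    return rows


def build_sample_db(path):
    """Constructed stand-in for plum.sqlite with one note (subset of the real columns)."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE Note (Text TEXT, WindowPosition TEXT, IsOpen INTEGER,
                    Theme TEXT, LastServerVersion TEXT, Id TEXT,
                    CreatedAt INTEGER, DeletedAt INTEGER, UpdatedAt INTEGER)""")
    created = 637134336000000000  # 2020-01-01T00:00:00Z expressed in ticks
    conn.execute("INSERT INTO Note VALUES (?,?,?,?,?,?,?,?,?)",
                 ("vpn password: hunter2", "Position=200,100", 1, "Yellow",
                  None, "a1b2c3", created, 0, created + 3600 * TICKS_PER_SECOND))
    conn.commit()
    conn.close()


def demo():
    """Build the sample database in a scratch directory and export it."""
    d = Path(tempfile.mkdtemp(prefix="demo_"))
    build_sample_db(d / "plum.sqlite")
    return export_notes(d / "plum.sqlite", d / "notes.csv")


if __name__ == "__main__":
    for note in demo():
        print(note)
```

Point export_notes() at the plum.sqlite from a triage collection; as long as the -wal and -shm files sit next to it under their original names, notes that were only in the WAL come out too. An empty timestamp column in the CSV means the field was NULL or 0, which for DeletedAt is the normal state of a note that still exists.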
Recovering deleted entries via SQLite carving
Because the store is now SQLite, deleted notes are easier to recover: unless secure_delete is enabled, SQLite does not wipe the bytes of a deleted row; they stay in the page's freeblocks or unallocated area (or on the freelist if the whole page was dropped) until the space is reused. aramosf wrote a very good script for recovering deleted entries from SQLite databases. I have modified his script a bit to make it Python 3 compatible. You could also use the script I created to recover deleted data from plum.sqlite.
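As an added example (neither the post's script nor aramosf's), the carver below walks the SQLite file format directly: for every table leaf page it extracts the unallocated area and the freeblock chain, it follows the freelist to pages that were dropped whole, and it applies the same treatment to page images still sitting in the -wal file. demo() builds a constructed two-note database, deletes one note and shows that its text is still recoverable from page slack while the live note is not reported as carved. The Note table in demo() is a constructed subset of the real plum.sqlite schema, and the note strings are invented.

```python
"""Carve strings from SQLite slack space: freed cells, unallocated page area,
freelist pages and pending WAL frames.

Added example (not the post's parser nor aramosf's script). The Note table used
in demo() is a constructed subset of plum.sqlite's real schema.
"""
import re
import sqlite3
import struct
import tempfile
from pathlib import Path

LEAF_TABLE = 0x0D  # b-tree page type byte for a table leaf page


def _page_size(db_header):
    size = struct.unpack(">H", db_header[16:18])[0]
    return 65536 if size == 1 else size


def slack_regions(page, hdr_off):
    """Yield the byte ranges of a table leaf page that hold no live cell.

    hdr_off is 100 on page 1 (the database header comes first) and 0 elsewhere.
    """
    if len(page) < hdr_off + 8 or page[hdr_off] != LEAF_TABLE:
        return
    first_free, ncells, content_start = struct.unpack(">HHH", page[hdr_off + 1:hdr_off + 7])
    content_start = content_start or 65536
    # Unallocated area: between the end of the cell pointer array and the first cell.
    # A deleted cell that sat at the top of the content area ends up here.
    ptr_end = hdr_off + 8 + 2 * ncells
    if content_start > ptr_end:
        yield page[ptr_end:content_start]
    # Freeblock chain: each freed cell now starts with (next, size) as big-endian u16.
    seen = set()
    while first_free and first_free not in seen and first_free + 4 <= len(page):
        seen.add(first_free)
        nxt, size = struct.unpack(">HH", page[first_free:first_free + 4])
        yield page[first_free + 4:first_free + size]
        first_free = nxt


def freelist_pages(data, page_size):
    """Yield whole pages on the freelist; their old content survives until reuse."""
    trunk = struct.unpack(">I", data[32:36])[0]
    seen = set()
    while trunk and trunk not in seen and trunk * page_size <= len(data):
        seen.add(trunk)
        page = data[(trunk - 1) * page_size:trunk * page_size]
        nxt, count = struct.unpack(">II", page[:8])
        for i in range(count):
            leaf = struct.unpack(">I", page[8 + 4 * i:12 + 4 * i])[0]
            if leaf * page_size <= len(data):
                yield data[(leaf - 1) * page_size:leaf * page_size]
        yield page[8 + 4 * count:]  # stale bytes after the trunk's pointer array
        trunk = nxt


def carve_strings(db_path, min_len=8):
    """Return printable strings found only in slack space of db_path and its -wal file."""
    db_path = Path(db_path)
    data = db_path.read_bytes()
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size = _page_size(data)
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    pages = [(data[i:i + page_size], 100 if i == 0 else 0)
             for i in range(0, len(data), page_size)]
    # Frames still in the WAL are newer page images the main file does not have yet.
    wal = db_path.with_name(db_path.name + "-wal")
    if wal.exists():
        w = wal.read_bytes()
        frame = 24 + page_size  # 24-byte frame header, then one page image
        for off in range(32, len(w) - frame + 1, frame):
            pgno = struct.unpack(">I", w[off:off + 4])[0]
            pages.append((w[off + 24:off + frame], 100 if pgno == 1 else 0))
    regions = []
    for page, hdr_off in pages:
        regions.extend(slack_regions(page, hdr_off))
    regions.extend(freelist_pages(data, page_size))
    return [m.group().decode("ascii") for region in regions for m in pattern.finditer(region)]


def demo():
    """Constructed scenario: delete a note, then show its text is still carvable."""
    db = Path(tempfile.mkdtemp(prefix="carve_")) / "plum.sqlite"
    conn = sqlite3.connect(db)
    # secure_delete zeroes freed cells. OFF is the default of a stock SQLite build,
    # but some distributions compile it ON, so the demo pins the case the post relies on.
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE Note (Id TEXT, Text TEXT, CreatedAt INTEGER, DeletedAt INTEGER)")
    conn.executemany("INSERT INTO Note VALUES (?,?,?,0)", [
        ("n1", "grocery list: milk, eggs, bread", 637134336000000000),
        ("n2", "domain admin temp password: Spring2024!", 637134336000000000),
    ])
    conn.commit()
    conn.execute("DELETE FROM Note WHERE Id = 'n2'")
    conn.commit()
    live = [r[0] for r in conn.execute("SELECT Text FROM Note")]
    conn.close()
    return live, carve_strings(db)
```

Run carve_strings() against plum.sqlite (with its -wal beside it) to list note text that the “Note” table no longer returns; the carved strings carry no timestamps, so pair them with the DeletedAt values of rows that still exist before drawing conclusions. If the application or the build of SQLite has secure_delete turned on, the freed bytes are zeroed and nothing is carvable, which is the first thing to check when this comes back empty.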