

Individual sticky notes for desktop windows 7

So what is the potential forensic value of sticky notes? Well, it kind of depends on your case, what you're looking for, what you're trying to show, etc. For example, it's possible that a user may have sticky notes that contain information regarding people they know (contacts), appointments or meetings that they may have, etc.

As far as visible content, we may not really get an idea of what's there until we start to see them used by the user. Based on the format used, though, there is additional information available.

Remember that all sticky notes appear in one file, so the file system MACB times apply to the file as a whole. However, each individual sticky note is held in an OLE storage stream, which has creation and modification dates associated with it. Opening the Sticky Notes file in MiTeC's Structured Storage Viewer, you can see that the file has several streams (Version, Metafile), as well as the storage streams (i.e., folders with 17-character names) that each "contain" streams named 0, 1, and 3. In each case, the "0" stream contains the complete RTF "document" for the sticky note (which can be extracted and opened in WordPad), and the "3" stream contains the text of the sticky note, in Unicode format. Now, because the storage streams for each sticky note have creation and modification dates, we can use this information in timeline analysis to demonstrate user activity during specific time frames. Again, the usefulness of this information is predicated on the actual use of Sticky Notes, but automating the collection of this information allows us to quickly add context to a timeline with minimal effort. Extracting the "B" (creation) and "M" (modification) times, we can add this information to a timeline in order to demonstrate shell-based access to the system by a specific user. That's where programming (Perl) comes into play. I don't see Sticky Notes and Jump Lists being picked up as part of Windows 7 analysis processes any time soon, as analysts really don't seem to be seeing either of these as valuable forensic resources... yet.
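The post describes pulling the "B" and "M" times off each sticky note's OLE storage and dropping them into a timeline, but shows no code. The block below is an added example written for this page, not the author's Perl script: it parses the 128-byte directory entries of an OLE compound (structured storage) file, walks the sibling tree under the root to find each top-level storage (one per note) and its 0/1/3 child streams, converts the storage's FILETIME creation and modification stamps to UTC, and returns them as sorted timeline rows. Two assumptions are made: the caller has already assembled the directory sectors (in a real .snt file you follow the FAT chain from the header's first directory sector, which libraries such as Perl's OLE::Storage_Lite or Python's olefile do for you), and the sample directory bytes, storage names and timestamps are constructed here purely for illustration.

```python
# Added example (not code from the original post): parse OLE compound-file directory
# entries and emit the "B"/"M" times of each sticky-note storage as timeline rows.
# Assumption: the caller supplies the concatenated directory sectors; FAT-chain walking
# and stream payloads (the RTF in "0", the Unicode text in "3") are out of scope here.
import struct
from datetime import datetime, timedelta, timezone

DIR_ENTRY_SIZE = 128
NOSTREAM = 0xFFFFFFFF                     # "no sibling / no child" sentinel in MS-CFB
TYPE_UNUSED, TYPE_STORAGE, TYPE_STREAM, TYPE_ROOT = 0, 1, 2, 5
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 = unset."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_directory(dir_buf):
    """Split concatenated directory sectors into entries (name, type, tree links, times)."""
    entries = []
    for off in range(0, len(dir_buf) - DIR_ENTRY_SIZE + 1, DIR_ENTRY_SIZE):
        raw = dir_buf[off:off + DIR_ENTRY_SIZE]
        name_len = struct.unpack_from("<H", raw, 64)[0]          # bytes, incl. UTF-16 NUL
        name = raw[:name_len - 2].decode("utf-16-le", "replace") if name_len >= 2 else ""
        left, right, child = struct.unpack_from("<III", raw, 68)
        ctime, mtime = struct.unpack_from("<QQ", raw, 100)       # only storages carry these
        entries.append({"name": name, "type": raw[66], "left": left, "right": right,
                        "child": child, "ctime": ctime, "mtime": mtime})
    return entries


def children(entries, parent_idx):
    """In-order walk of the sibling tree hanging off entries[parent_idx]['child'].
    Evidence files may be corrupt, so a cycle or out-of-range link raises instead of
    looping forever."""
    out, stack, seen = [], [], set()
    node = entries[parent_idx]["child"]
    while stack or node != NOSTREAM:
        while node != NOSTREAM:
            if node >= len(entries) or node in seen:
                raise ValueError("malformed directory tree at entry %d" % node)
            seen.add(node)
            stack.append(node)
            node = entries[node]["left"]
        node = stack.pop()
        out.append(node)
        node = entries[node]["right"]
    return out


def sticky_note_timeline(dir_buf):
    """Sorted (iso_time, 'B'|'M', storage_name, stream_names) rows, two per note storage."""
    entries = parse_directory(dir_buf)
    root = next(i for i, e in enumerate(entries) if e["type"] == TYPE_ROOT)
    rows = []
    for idx in children(entries, root):
        e = entries[idx]
        if e["type"] != TYPE_STORAGE:
            continue                      # Version, Metafile etc. are plain streams
        streams = ",".join(sorted(entries[c]["name"] for c in children(entries, idx)
                                  if entries[c]["type"] == TYPE_STREAM))
        for flag, ft in (("B", e["ctime"]), ("M", e["mtime"])):
            dt = filetime_to_datetime(ft)
            if dt is not None:
                rows.append((dt.isoformat(), flag, e["name"], streams))
    return sorted(rows)


def make_entry(name, obj_type, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM,
               ctime=0, mtime=0):
    """Pack one 128-byte directory entry (constructed test data, not a real .snt file)."""
    name_utf16 = name.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<64sHBBIII16sIQQIQ", name_utf16, len(name_utf16), obj_type,
                       1, left, right, child, b"\x00" * 16, 0, ctime, mtime, 0, 0)


def _ft(y, mo, d, h, mi, s):
    return datetime_to_filetime(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc))


# Constructed directory: root -> {Version, note A storage, Metafile, note B storage};
# each note storage -> streams 0, 1, 3. Storage names are 17 characters, as on Windows 7.
SAMPLE_DIRECTORY = b"".join([
    make_entry("Root Entry", TYPE_ROOT, child=2),                                   # 0
    make_entry("Version", TYPE_STREAM),                                             # 1
    make_entry("4e8a2f1c9b7d3e6a0", TYPE_STORAGE, left=1, right=4, child=6,
               ctime=_ft(2010, 3, 15, 14, 30, 0), mtime=_ft(2010, 3, 15, 14, 32, 10)),  # 2
    make_entry("Metafile", TYPE_STREAM),                                            # 3
    make_entry("b1c2d3e4f5a6b7c8d", TYPE_STORAGE, left=3, child=9,
               ctime=_ft(2010, 3, 16, 9, 5, 0), mtime=_ft(2010, 3, 16, 9, 5, 0)),       # 4
    make_entry("0", TYPE_STREAM),                                                   # 5 RTF
    make_entry("1", TYPE_STREAM, left=5, right=7),                                  # 6
    make_entry("3", TYPE_STREAM),                                                   # 7 text
    make_entry("0", TYPE_STREAM),                                                   # 8
    make_entry("1", TYPE_STREAM, left=8, right=10),                                 # 9
    make_entry("3", TYPE_STREAM),                                                   # 10
    make_entry("", TYPE_UNUSED),                                                    # 11 pad
])

if __name__ == "__main__":
    for row in sticky_note_timeline(SAMPLE_DIRECTORY):
        print("|".join(row))
```

Run stand-alone it prints one pipe-delimited row per timestamp, which slots into a timeline alongside file system and Registry events; the two rows per note are exactly the "B" and "M" values the post talks about, and the stream names confirm the 0/1/3 layout. The cycle guard in `children` matters in practice: directory trees in a damaged or deliberately malformed evidence file can reference themselves, and a parser that trusts those links will spin forever or read past the buffer.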
