Raise your hand if you've responded to a crime scene and had a suspect computer possibly involved in the crime. How many of you have responded to an incident where a victim's computer may have been compromised and needs to be analyzed but the victim is not available for questioning regarding user account information and passwords? How many of you have been taught, told or learned through experience to look for sticky notes attached to a monitor, on a computer tower case or even taped to the bottom of a keyboard?
The answer is probably most of you reading this. How many of you actually thought to look for the sticky notes of the digital variety? If you are organized, a neat freak or OCD like me, you hate a cluttered desk space. If that is the case, you have probably gone paperless. You scan your desk for whatever little bits of tree pulp may cross your gaze, sticky notes included. I (and many others) don't use physical sticky notes anymore, having switched to computer applications to replace them.
This post will be covering Stickies on Mac OS X, Tomboy on Linux (specifically, Ubuntu) and Sticky Notes on Windows 7. These applications come installed by default on their respective operating systems/distributions. With that being said, let's start with Mac OS X's Sticky Notes app.
The Stickies Database is an archived object file that is only created if the Stickies application has been opened previously. Meaning, if your suspect has not used the Stickies application, there will be no StickiesDatabase file. You will find in the database file for Stickies in the HDD\Users\username\Library directory labeled "StickiesDatabase". I have created a test sticky note for the purpose of this post:
You can export this file out of your image and open it in the text editor of your choice. If you search the open file using "FS24" as the search term, it will bring you to the beginning of each individual note where you can then read the contents of each note.
Alternatively, if you open this file in a Hex Editor, do a search for hex 66 73 32 34 to bring you to the beginning of each note.
Once a Sticky is deleted, it is removed from the StickiesDatabase file. Only active notes are contained in this file. From my testing it appears that when a note is added or deleted, a change is immediately made to the StickiesDatabase file.
Over to Tomboy. Tomboy is the default "Sticky Note" app installed with Ubuntu. I did not have time to check all of the default installs for other Linux Distros to see if they included Tomboy or another "Sticky Note" application. If you know of any, feel free to add a comment below. This is what Tomboy looks like when you open it from the applications menu:
Here is what an open note looks like:
You will find active Tomboy sticky notes in: Home/username/.local/share/tomboy
You will see that there is a separate .note file for each active Tomboy sticky note:
Like the Mac Stickies notes, you can open a .note file in the text editor of your choice. Unlike the Mac Stickies notes though, you will find the creation date, time and timezone for each note. You will also find the last date, time and timezone the Tomboy note was last changed under :
Another difference between Stickies and Tomboy, is that Tomboy archives deleted notes. These are stored in Home/username/.local/share/tomboy/Backup. If you look at the first Tomboy screenshot I posted above, you will not find a note that I created then deleted to test this:
.jpg)
Also if you open a Tomboy note in a Hex Editor, do a Hex search for 74 69 74 6C 65, that will bring you to the "title" of that note where you can then scroll through to look at the content.
Last, but not least......Windows 7.
As of Windows Vista (which I did not have a copy to test with for this post), Microsoft began to include a Sticky Notes program within the operating system. This has carried over to Windows 7.
.jpg)
To locate the StickyNotes.snt file go to the following directory: \Users\AppData\Roaming\Microsoft\Sticky Notes
.jpg)
Like the Mac StickiesDatabase and the Tomboy .note files, you can open this file with your favorite text editor:
.jpg)
You can do a text search for "fs22" in your text editor and that will bring you to the beginning of each note. Alternatively, if you open the file in a Hex Editor you can search for Hex 66 73 32 32 to do the same:
One thing to make note of (pun intended), is that if a note is deleted but the suspect does not subsequently create a new note, the contents of the deleted note will remain in the StickyNotes.snt file. It is only after creating a new note that the contents of the old note are overwritten in the .snt file
Hopefully, this post has unlocked another potential treasure trove of evidence that you will come across during a triage or an examination.
Joe Garcia is a Law Enforcement Officer with over 16 years of experience, the last 4 of which he has been assigned to conduct computer crime investigations and digital forensic examinations. He holds the GIAC GSEC Gold and GCIH Silver as well as the AccessData ACE certifications (and hopefully the GCFE and GCFA in the future). You can follow Joe on Twitter at @jgarcia62. Joe is also the host of the Cyber Crime 101 podcast, which can be found at www.cybercrime101.com and @cybercrime101 on Twitter.
.png "Anastasia Sentsova")
