StickyPraser - Sticky Notes Forensics. A Windows Sticky Notes parser (.snt and plum.sqlite supported). Additional feature: SQLite recovery, i.e. recovery of deleted content from plum.sqlite or from any generic SQLite database.
For details on how Sticky Notes work, you can also refer to my write-up here: https://dingtoffee.medium.com/windows-sticky-notes-forensics-80ee31ab67ef
Sticky Notes is a feature, available since Windows 7, that lets a user create sticky notes on their desktop or laptop.

Legacy .snt format location:
%APPDATA%\Roaming\StickyNotes\StickyNotes.snt

The .snt file is in the MS OLE/compound file binary format. A .snt file can be opened and viewed using the MiTEC Structured Storage Viewer, or you can use the parser I created to extract its content.

Latest (SQLite) format location:
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite-shm
and
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite-wal
Starting from Windows 10 Build 1607, Microsoft changed the Sticky Notes database from OLE to SQLite3. To see the complete set of events, it is recommended to roll the transactions recorded in the sqlite-shm and sqlite-wal files into the SQLite3 database before analysis. You can use any SQLite browser or my script to parse the information out.

For the latest version of Sticky Notes, collect:
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState

For the legacy .snt format of Sticky Notes, collect:
C:\Users\User\AppData\Roaming\StickyNotes\
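The WAL roll-up described above, as an added Python example (not the project's own code): it checkpoints a copied plum.sqlite so pending -wal content lands in the main file, then lists notes with their timestamps. It assumes the Note table exposes Id, Text, CreatedAt, UpdatedAt and DeletedAt columns storing Windows FILETIME ticks, and builds a constructed stand-in database for the demo.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100-nanosecond ticks counted from 1601-01-01 UTC.
# Assumption: plum.sqlite stores CreatedAt/UpdatedAt/DeletedAt as such ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime (None if unset)."""
    if not ticks:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_plum(db_path):
    """Merge pending WAL frames into the copied plum.sqlite, then list its notes.

    The -wal and -shm files must sit beside db_path (as the README requires).
    The checkpoint rewrites the file, so only ever run this on a forensic copy.
    """
    con = sqlite3.connect(db_path)
    try:
        con.execute("PRAGMA wal_checkpoint(TRUNCATE)")  # roll WAL into main db
        rows = con.execute(
            "SELECT Id, Text, CreatedAt, UpdatedAt, DeletedAt FROM Note ORDER BY Id"
        ).fetchall()
    finally:
        con.close()
    return [{"id": i, "text": t, "created": filetime_to_utc(c),
             "updated": filetime_to_utc(u), "deleted": filetime_to_utc(d)}
            for i, t, c, u, d in rows]


def build_sample_db(db_path):
    """Constructed stand-in for plum.sqlite: cut-down Note table in WAL mode."""
    con = sqlite3.connect(db_path)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE Note (Id TEXT PRIMARY KEY, Text TEXT, "
                "CreatedAt INTEGER, UpdatedAt INTEGER, DeletedAt INTEGER)")
    con.executemany("INSERT INTO Note VALUES (?,?,?,?,?)", [
        ("note-1", "buy milk", 132223104000000000, 132223104000000000, None),
        # 2020-01-01 00:00 UTC created, edited after 60 s, deleted after 120 s
        ("note-2", "call Bob", 132223104000000000, 132223104600000000,
         132223105200000000)])
    con.commit()
    con.close()


def run_demo():
    """Build the constructed database in a temp dir and parse it."""
    path = os.path.join(tempfile.mkdtemp(), "plum.sqlite")
    build_sample_db(path)
    return parse_plum(path)
```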
Additional Features:
Supports Python 3.x only.
Please install the relevant Python modules before running:
pip install pandas olefile
usage: stickyparser.py [-h] [-s [snt file]] [-p [sqlite file]] [-d [File Directory]] [-r [sqlite file]]

StickyParser: Parses sticky note files in legacy snt formats or latest sqlite formats. It can also be used to recover
deleted content inside sqlite. For latest version of StickyNote, please copy everything under the
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbw\LocalState Folder. Run StickyPraser against
the copied folder. Make sure the other files apart from the plum.sqlite are all in the same folder. Once run, WAL/SHM
files will be merged into .sqlite file.

optional arguments:
  -h, --help            show this help message and exit
  -s [snt file]         Sticky note .snt file. Example: StickyParser.exe -s C:\Users\User\AppData\Roaming\Sticky Notes\StickyNotes.snt. Choose either -s or -p only.
  -p [sqlite file]      Sticky note plum.sqlite file. Example: StickyParse -s <Path>\plum.sqlite. Choose either -s or -p
  -d [File Directory]   Specify the directory where the output should write to. Example: StickyParser -p <path> -d C:\Users\User\Desktop\
  -r [sqlite file]      To recover deleted content from sqlite.
python stickyparser.py -s "C:\Users\User\AppData\Roaming\StickyNotes\StickyNotes.snt" -d C:\temp
python stickyparser.py -p %LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite -d C:\temp
python stickyparser.py -r %LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite -d C:\temp
[Screenshot: SNT Parser Output]
[Screenshot: Plum SQLite Parser Output]