Artifacts

Posts Tagged ‘sticky’


Tomboy Notes (Ubuntu)


Author Name
Joe Garcia

Artifact Name
Tomboy .note file

Artifact/Program Version
Ubuntu (Tested on 10.04, Lucid Lynx)

Description
Tomboy is the default “Sticky Note” application installed with Ubuntu. Active Tomboy notes are stored in Home/username/.local/share/tomboy. The main difference between Tomboy and, say, Mac OS X Stickies or Windows Vista/7 Sticky Notes is that Tomboy archives deleted notes in Home/username/.local/share/tomboy/Backup. These .note files can be read with any text editor.









File Locations
Active Tomboy Notes: Home/username/.local/share/tomboy
Deleted Tomboy Notes: Home/username/.local/share/tomboy/Backup

Research Links
Ubuntu Linux Distribution: http://www.ubuntu.com/
Tomboy Homepage: http://projects.gnome.org/tomboy/

Forensic Programs of Use
Gedit (Text Editor): http://projects.gnome.org/gedit/
(Any Text or Hex Editor will work though)

Other Info
Make sure to check out my SANS Forensics & Incident Response Blog post regarding these and other “Sticky Notes” applications here.
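The two locations above can be triaged in one pass. The following Python sketch is an added example, not part of the original post: it lists every .note file, marks those found in Backup as deleted, and pulls out the title, timestamps and body. It assumes the .note files are XML with `title`, `create-date`, `last-change-date` and `note-content` elements; the sample note is constructed, and the function names are hypothetical.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the XML layout Tomboy is assumed to write (not from the page).
SAMPLE_NOTE = """<?xml version="1.0" encoding="utf-8"?>
<note version="0.3" xmlns="http://beatniksoftware.com/tomboy">
  <title>Router login</title>
  <text xml:space="preserve"><note-content version="0.1">Router login
admin / see safe</note-content></text>
  <last-change-date>2010-06-01T09:15:00.0000000-04:00</last-change-date>
  <create-date>2010-05-30T18:02:11.0000000-04:00</create-date>
</note>"""

def local(tag):
    """Strip the XML namespace so lookups do not depend on its exact URI."""
    return tag.rsplit("}", 1)[-1]

def parse_note(path):
    """Return title, timestamps and body text of one .note file."""
    rec = {"file": path.name, "title": None, "created": None, "changed": None, "text": None}
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:  # damaged or partially recovered file
        rec["error"] = str(exc)
        return rec
    for el in root.iter():
        name = local(el.tag)
        if name == "title":
            rec["title"] = el.text
        elif name == "create-date":
            rec["created"] = el.text
        elif name == "last-change-date":
            rec["changed"] = el.text
        elif name == "note-content":
            rec["text"] = "".join(el.itertext())  # keeps text inside formatting tags
    return rec

def triage(tomboy_dir):
    """List notes under tomboy_dir, marking those found in Backup as deleted."""
    base = Path(tomboy_dir)
    out = []
    for state, folder in (("active", base), ("deleted", base / "Backup")):
        for path in sorted(folder.glob("*.note")):
            out.append(dict(parse_note(path), state=state))
    return out

if __name__ == "__main__" and len(sys.argv) > 1:
    for rec in triage(sys.argv[1]):
        print(rec["state"], rec["file"], rec["title"], rec["changed"], sep="\t")
```

Point it at a working copy of the tomboy directory exported from the image rather than at the original evidence; files that fail to parse are still listed, with an `error` field, so they can be opened in a hex editor.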

Stickies (Mac)


Author Name
Joe Garcia

Artifact Name
StickiesDatabase

Artifact/Program Version
Stickies on Mac OS X

Description
Stickies is a “sticky note” application that is installed by default on Mac OS X. This could be a potential source of information during a digital forensics examination. Think of the information that people leave on physical sticky notes around their desks and on their computers. Why should the digital ones be any different? You can use any text editor to parse the data included in this file. Once a new sticky is created or a previous one deleted, the StickiesDatabase file is immediately written to. There is no need for a reboot for changes to take effect.









Directory/File Location
Macintosh HDD\Users\username\Library\StickiesDatabase

Forensic Programs of Use
TextEdit (Mac Text Editor)
0xED Hex Editor (Mac Application): http://www.suavetech.com/0xed/0xed.html

Other Info
Check out my SANS Forensics & Incident Response Blog post for more information: