发布于 05 Oct 2014 10:42
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Sticky Notes\StickNotes.snt


Sticky Notes
Sticky Notes are a feature of Windows 7 that allows a user to create sticky notes on their desktop. The functionality of this feature is somewhat limited, in that the user can change the text, font, color, location and size of the sticky notes, but not much else.

Sticky Notes are maintained in a single file (stickynotes.snt) located in the user's profile ("%UserProfile%\AppData\Roaming\Microsoft\Sticky Notes"). This file is based on the MS OLE/compound file binary format. The .snt file can be opened and viewed using the MiTec Structured Storage Viewer.

When sticky notes files are created, an OLE storage stream using a name similar to "e3a17883-cfd8-11e0-8" is added to the stickynotes.snt file. Each storage stream has three file streams associated with it, and for all sticky notes, they are named 0, 1, and 3. The 0 stream contains the rich text format (RTF) "document" for the sticky note, and the 3 stream contains the actual text of the sticky note, in Unicode format.

The forensic value of Sticky Notes has yet to be determined or demonstrated. The Root Entry of the OLE format file will have a modification time associated with it, and each of the storage streams the contain the sticky notes will have creation and modification times (M and B of the MACB times) associated with them. These times are maintained in the FILETIME format, and can be included in a timeline of system activity in order to demonstrate user activity on the system.

When sticky notes are deleted, the storage streams associated with those notes are removed from the stickynotes.snt file; however, the Version and Metafile streams remain. The Metafile stream format is not documented at this time; however, this stream appears to contain references to the names of the storage streams that contain the sticky notes.

Tools that can be used to parse and view the contents of Sticky Notes files include (but are not limited to):

MiTeC Structured Storage Viewer

Sticky Notes Parser (found at this Google Code site; Win32 binary command line tool, all times are displayed in UTC format. Output formats include a listing of the available notes, CSV, and TLN format (for inclusion in a timeline). Also displays the modification time of the Root Entry.


本页面的文字允许在知识共享 署名-相同方式共享 3.0协议和GNU自由文档许可证下修改和再使用,仅有一个特殊要求,请用链接方式注明文章引用出处及作者。请协助维护作者合法权益。



