Evernote Touch Artifact Report
By AZIZ SASMAZ
Introduction
Evernote Touch can be downloaded from the Windows Store. It uses an SQLite database to store
information. It also uses a log file to record important events such as when notes were
created, which attachments were saved and where they were saved, and many other
Evernote system logs.
Artifact Structure
The Evernote Touch app uses an SQLite database named Evernote.db.
A log file is created as YYMMDD.log.
Evernote.db consists of the following tables:
LinkedNotebook, Note, NoteTag, Notebook, Preferences, PreferencesValue, RecentSearch,
RecentSearchToNote, ReplaceGuids, Resource, SavedSearch, SavedSearchToNote, SyncFail,
SyncStatus, Tag
Example:
Example Note table:
Guid 5217047a-6bd3-44c7-ba0e-47e2cdd19a9e
Title Secret certificates
ContentHash binary
ContentLength 676
Created 1463946090000
Updated 1463946140000
Deleted 1462971847000
Expunged 0
UpdateSequenceNumber 16
Notebookguid 137225e6-8446-40d0-9199-6f58174218dc
subjectDate 0
Latitude 0.0
Longtitude 0.0
Altitude 0.0
Author
Source
SourceApplication
Dirty 0
City
Country
ContentDownload 1
ThumbnailDownloaded
Snippet About the stolen certificates. This is not good.
SourceURL
TaskDate
TaskCompleteDate
TaskDueDate
PlaceName
ContentClass
LinkedNotebookGuid
PinProminence
ReminderDoneTime 0
ReminderOrder 0
NoteTitleQuality 0
An example Log file 2016.05.23.txt
5/23/2016 11:21:35 AM: Main(8) Error Evernote.Services.AppCustom.LoadcustomData C:\Program Files\WindowsApps\Evernote.Evernote_3.3.0.102_x86__q4d96b2w5wcc2
5/23/2016 11:21:35 AM: Main(7) FunctionInfo EvernoteShared.Engine.Synchronizer.RequestSynchronize Requested
5/23/2016 11:21:35 AM: Main(7) MethodCall EvernoteShared.Engine.Synchronizer.Synchronize Start
5/23/2016 11:21:35 AM: Main(5) FunctionInfo EvernoteShared.Store.NotebookAndStackList.LoadNotebooks
5/23/2016 11:21:35 AM: Main(5) FunctionInfo EvernoteShared.Store.NotebookAndStackList.RebuildItemsList
5/23/2016 11:21:35 AM: Main(e) FunctionInfo EvernoteShared.Store.NotebookAndStackList.BuildNotebooks
5/23/2016 11:21:36 AM: Main(5) FunctionInfo EvernoteShared.Engine.Synchronizer.ShouldSkipChunks Should skip
5/23/2016 11:21:36 AM: Main(e) FunctionInfo EvernoteShared.Engine.Synchronizer.SendChanges Sync sending changes ...
5/23/2016 11:21:36 AM: Main(e) FunctionInfo EvernoteShared.Engine.Synchronizer.SendChanges Sync finished sending changes ...
5/23/2016 11:21:41 AM: Main(5) MethodCall Evernote.Views.NoteView.SetBrowserSource Invoked
5/23/2016 11:21:41 AM: Main(5) FunctionInfo Evernote.Views.NoteView.SetBrowserSource HtmlPath is Evernote_0.001_142137710\Note\11\c4f8b402-5e3b-44cd-8a55-27004902c87f.html
5/23/2016 11:21:41 AM: Main(5) FunctionInfo Evernote.Views.NoteView.WebBrowserNavigating NoteView setting browser source to /local/Evernote_0.001_142137710/Note/11/c4f8b402-5e3b-44cd-8a55-27004902c87f.html
5/23/2016 11:21:41 AM: Main(7) MethodCall Evernote.Views.NoteView.SaveNoteChanges Note Title: Evernote notlari Note Guid: c4f8b402-5e3b-44cd-8a55-27004902c87f
5/23/2016 11:21:41 AM: Main(e) FunctionInfo Evernote.Views.NoteView.SetBrowserSource fileContentHash: 40d368a558ca6737e3801206134c3a8c _fileContentHash: isNeedRefreshHtml: False
5/23/2016 11:21:41 AM: Main(e) MethodCall EvernoteShared.ViewModels.EditNoteViewModel.TransformToHtml Content size is 676
5/23/2016 11:21:41 AM: Main(7) MethodCall Evernote.Views.NoteView.GetHtmlContent GetHtmlContent ...
5/23/2016 11:21:41 AM: Main(e) MethodCall EvernoteShared.ViewModels.EditNoteViewModel.GetInputText GetInputText ...
5/23/2016 11:21:41 AM: Main(7) FunctionInfo EvernoteShared.ViewModels.EditNoteViewModel.GetInputText text: <div><br></div><div>Onemli dosyalar</div><div>always goes to the same place</div><div><br></div><div>Put all your belongins to the desk</div><div>C:\Users\asamaz\secret</div><div><br></div><div>military files</div><div>C:\Users\asasmaz\AppData\Local\Packages\Evernote.Evernote_q4d96b2w5wcc2\LocalState\Evernote_0.001_142137710\Index</div><div><br></div><div><br></div><div><br></div>
5/23/2016 11:21:42 AM: Main(5) FunctionInfo EvernoteShared.ViewModels.EditNoteViewModel.TransformToHtml EditableResources.Count: 0
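A parser for the log layout shown above, as an added example (not code from the original report or from Evernote). It joins wrapped continuation lines, splits each entry into fields and pulls the note title and GUID out of SaveNoteChanges events; the sample lines are constructed from the excerpt, and the UTC offset is an examiner-supplied assumption because the log records local time without a zone.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the excerpt above. The second entry is
# wrapped over two lines to exercise continuation handling.
SAMPLE_LOG = """\
5/23/2016 11:21:36 AM: Main(e) FunctionInfo EvernoteShared.Engine.Synchronizer.SendChanges Sync sending changes ...
5/23/2016 11:21:41 AM: Main(7) MethodCall Evernote.Views.NoteView.SaveNoteChanges
Note Title: Evernote notlari Note Guid: c4f8b402-5e3b-44cd-8a55-27004902c87f
5/23/2016 11:21:41 AM: Main(e) MethodCall EvernoteShared.ViewModels.EditNoteViewModel.TransformToHtml Content size is 676
"""

TS = r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"
# timestamp: thread level [source] [message]
ENTRY_RE = re.compile(
    rf"^(?P<ts>{TS}): (?P<thread>\S+) (?P<level>\S+)"
    r"(?: (?P<source>\S+))?(?: (?P<message>.*))?$"
)
SAVE_RE = re.compile(
    r"Note Title: (?P<title>.*?) Note Guid: "
    r"(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
)


def parse_log(text):
    """Return one dict per log entry, joining wrapped continuation lines."""
    logical = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.match(TS + ": ", line):
            logical.append(line)
        elif logical:
            # No leading timestamp: continuation of the previous entry.
            logical[-1] += " " + line
    entries = []
    for raw in logical:
        m = ENTRY_RE.match(raw)
        if m:
            entry = m.groupdict()
            entry["local_time"] = datetime.strptime(
                entry.pop("ts"), "%m/%d/%Y %I:%M:%S %p"
            )
            entries.append(entry)
    return entries


def saved_notes(entries, utc_offset_hours):
    """List SaveNoteChanges events as (utc_time, title, guid).

    utc_offset_hours is the UTC offset of the source machine at the time of
    the event; it has to come from the examiner (assumption), because the log
    itself carries no time zone.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    events = []
    for e in entries:
        if not (e["source"] or "").endswith("SaveNoteChanges"):
            continue
        m = SAVE_RE.search(e["message"] or "")
        if m:
            utc = e["local_time"].replace(tzinfo=tz).astimezone(timezone.utc)
            events.append((utc, m["title"], m["guid"]))
    return events


if __name__ == "__main__":
    # Offset +3 is a constructed value for the demonstration only.
    for utc, title, guid in saved_notes(parse_log(SAMPLE_LOG), utc_offset_hours=3):
        print(utc.isoformat(), guid, title)
```

The GUID returned for each save event can be matched against the Guid column of the Note table to tie a log entry to a database record.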
Software Version:
Windows 10 Home, Version 1511, OS build 10586.104, Evernote Touch 3.3.0.2 for Windows Store
Artifact location:
SQLite:
C:\Users\asasmaz\AppData\Local\Packages\Evernote.Evernote_q4d96b2w5wcc2\LocalState\Evernote_0.001_142137710\Index
Log Files:
C:\Users\asasmaz\AppData\Local\Packages\Evernote.Evernote_q4d96b2w5wcc2\LocalState\Logs
HTML Files:
C:\Users\asasmaz\AppData\Local\Packages\Evernote.Evernote_q4d96b2w5wcc2\LocalState\Evernote_0.001_142137710\Note
Attachments in the Notes:
C:\Users\asamaz\AppData\Local\Packages\Evernote.Evernote_q4d96b2w5wcc2\LocalState\Evernote_0.001_142137710\Resource
Tools used in Analysis:
Text Editor: Notepad or TextPad
SQLite Browser: SQLite Database Browser Portable
Important Attributes:
We will discuss the most important tables here: Note, Resource, SyncStatus and Tag.
The main table for notes is Note.
Table Note:
Name | Description | Type
Guid | This is a unique identifier | uniqueidentifier
Title | Title of the note | nvarchar
ContentHash | Hash of the note | binary
ContentLength | Length of the note | int
Created | When the note was created | bigint
Updated | Last updated time of the note | bigint
Deleted | When the note was deleted | bigint
Expunged | When the note was permanently removed? | bigint
Active | Is the note active or deleted? | bit
UpdateSequenceNumber | | int
Notebookguid | | uniqueidentifier
subjectDate | | bigint
Latitude | Latitude where the user created the note | float
Longtitude | Longitude where the user created the note | float
Altitude | Altitude where the user created the note | float
Author | | nvarchar
Source | | nvarchar
SourceApplication | | nvarchar
Dirty | | bit
City | | nvarchar
Country | | nvarchar
ContentDownload | | bit
ThumbnailDownloaded | | bit
Snippet | | nvarchar
SourceURL | | nvarchar
TaskDate | | bigint
TaskCompleteDate | | bigint
TaskDueDate | | bigint
PlaceName | | nvarchar
ContentClass | | nvarchar
LinkedNotebookGuid | | uniqueidentifier
PinProminence | | bigint
ReminderTime | Reminder time if the note is a reminder | bigint
ReminderDoneTime | | bigint
ReminderOrder | | bigint
NoteTitleQuality | | int
Table Resource:
Name | Description | Type
Guid | unique identifier | uniqueidentifier
NoteGuid | | uniqueidentifier
Mime | Mime type of attached file | nvarchar
Width | width of the file if image | smallint
Height | height of the file if image | smallint
UpdateSequenceNum | | int
Timestamp | timestamp of the attachment | bigint
Latitude | | float
Longitude | | float
Altitude | | float
CameraMake | Camera model of the attached image | nvarchar
CameraModel | | nvarchar
ClientWillIndex | | bit
FileName | Filename of the attached file | nvarchar
Attachment | If it's attachment | bit
RecognitionBodyHash | | binary
DataBodyHash | | binary
DataSize | | int
SourceUrl | | nvarchar
PostItColor | | nvarchar
HandwritingVersion | | int
Table Sync Status:
LastUpdateCount | int
InitialSyncInProgress | bit
LastSyncTime | bigint
Table Tag:
Guid | uniqueidentifier
Name | nvarchar
ParentGuid | uniqueidentifier
UpdateSequenceNum | int
Dirty | bit
Depth | int
OrderInHierarchy | int
LinkedNotebookGuid | uniqueidentifier
Deleted | bigint
Date Attributes
In the SQLite database, the created, updated, deleted and expunged times of the notes are
stored in the Note table in epoch time format.
In the Resource table, the time the file was attached is also stored in epoch time format.
Date attributes can also be found in the log files located under the
C:\Users\asasmaz\AppData\Local\Packages\Evernote.Evernote_q4d96b2w5wcc2\LocalState\Logs
directory, recorded as local time.
Investigation Scenario:
Alice has been accused of killing a man with poison. The court does not have much evidence
supporting the case. But the judge thinks it could be a very well planned crime and that
some kind of notes may have been taken. You are a computer forensics investigator and have
been asked the following to support the case:
- Are there any notes related to poisons and how to make one?
- Are there any notes related to the man?
- When were the notes created?
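A keyword triage over the Note table that answers the scenario's questions and decodes the date attributes described above, as an added example (not part of the original report). It assumes the timestamps are milliseconds since the Unix epoch in UTC, which fits the 13-digit sample values; it goes one step beyond the text by flagging timestamp inconsistencies, and the in-memory table holds the page's example record plus two constructed rows.

```python
import sqlite3
from datetime import datetime, timezone
from pathlib import Path


def open_evidence(path):
    """Open a working copy of Evernote.db read-only so queries cannot alter it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def build_sample_db():
    """In-memory stand-in for Evernote.db with a subset of the Note columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Note (Guid TEXT, Title TEXT, Snippet TEXT, "
        "Created INTEGER, Updated INTEGER, Deleted INTEGER, Expunged INTEGER)"
    )
    conn.executemany(
        "INSERT INTO Note VALUES (?, ?, ?, ?, ?, ?, ?)",
        [
            # Row taken from the example Note record on this page.
            ("5217047a-6bd3-44c7-ba0e-47e2cdd19a9e", "Secret certificates",
             "About the stolen certificates. This is not good.",
             1463946090000, 1463946140000, 1462971847000, 0),
            # Constructed rows: GUIDs, text and times are made up.
            ("00000000-0000-0000-0000-000000000001", "Garden list",
             "Check which plants are poisonous to pets.",
             1463900000000, 1463900500000, 0, 0),
            ("00000000-0000-0000-0000-000000000002", "Shopping",
             "Milk, bread, coffee.", 1463800000000, 1463800000000, 0, 0),
        ],
    )
    return conn


def to_utc(epoch_ms):
    """Epoch milliseconds -> 'YYYY-MM-DD HH:MM:SS' in UTC; 0 or NULL -> None."""
    if not epoch_ms:
        return None
    dt = datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def search_notes(conn, keywords):
    """Find notes whose Title or Snippet contains any keyword (parameterized)."""
    if not keywords:
        return []
    clause = " OR ".join(["Title LIKE ? OR Snippet LIKE ?"] * len(keywords))
    params = [f"%{kw}%" for kw in keywords for _ in range(2)]
    rows = conn.execute(
        "SELECT Guid, Title, Created, Updated, Deleted, Expunged "
        f"FROM Note WHERE {clause} ORDER BY Created",
        params,
    ).fetchall()
    results = []
    for guid, title, created, updated, deleted, expunged in rows:
        flags = []
        # A deletion or update that predates creation needs explaining.
        if deleted and created and deleted < created:
            flags.append("deleted_before_created")
        if updated and created and updated < created:
            flags.append("updated_before_created")
        results.append({
            "guid": guid,
            "title": title,
            "created_utc": to_utc(created),
            "updated_utc": to_utc(updated),
            "deleted_utc": to_utc(deleted),
            "expunged_utc": to_utc(expunged),
            "flags": flags,
        })
    return results


if __name__ == "__main__":
    db = build_sample_db()  # for a real case: open_evidence("Evernote.db")
    for hit in search_notes(db, ["poison", "certificate"]):
        print(hit)
```

In the page's example record the Deleted value decodes to a time earlier than Created, so the row comes back with the `deleted_before_created` flag; an inconsistency like this belongs in the report alongside the decoded times.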
