MicrosoftOneNote

Appsv1

Author: Andrew Rathbun

description

Microsoft OneNote

paths

5 paths

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Artifact Collection Script
# Target: MicrosoftOneNote
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # Microsoft OneNote - FullTextSearchIndex
        $UserPath = "$($_.FullName)\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndex"
        Collect-Artifact -SourceDir $UserPath -FolderName "Microsoft_OneNote_FullTextSearchIndex_$UserName"
        # Microsoft OneNote - RecentNotebooks_SeenURLs
        $UserPath = "$($_.FullName)\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\Notifications"
        Collect-Artifact -SourceDir $UserPath -FileMask "RecentNotebooks_SeenURLs" -FolderName "Microsoft_OneNote_RecentNotebooks_SeenURLs_$UserName"
        # Microsoft OneNote - AccessibilityCheckerIndex
        $UserPath = "$($_.FullName)\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndex"
        Collect-Artifact -SourceDir $UserPath -FolderName "Microsoft_OneNote_AccessibilityCheckerIndex_$UserName"
        # Microsoft OneNote - User NoteTags
        $UserPath = "$($_.FullName)\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags"
        Collect-Artifact -SourceDir $UserPath -FileMask "*LiveId.db" -FolderName "Microsoft_OneNote_User_NoteTags_$UserName"
        # Microsoft OneNote - RecentSearches
        $UserPath = "$($_.FullName)\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearches"
        Collect-Artifact -SourceDir $UserPath -FileMask "RecentSearches.db" -FolderName "Microsoft_OneNote_RecentSearches_$UserName"
    }

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

› cyberchef recipes

URL Decode
Decode URL-encoded strings
open in cyberchef(opens in new tab)

Open in CyberChef to decode values extracted from this artifact.

references

microsoft.com https://www.microsoft.com/en-us/microsoft-365/onenote/digital-note-taking-app

notes

Microsoft OneNote is an awesome note-taking application that helps people organize their lives

Thankfully, Microsoft stores a lot of the information within OneNote locally within SQLite databases!

FullTextSearchIndex will have a database for each active OneNote notebook on the user's system. This will comprise of the entire text contents of each respective notebook

RecentNotebooks_SeenURLs showed URLs for two OneNote notebooks that I share with others externally, so likely these are OneNote notebooks I've accessed via the OneNote web app, as a result

AccessibilityCheckerIndex appears to provide a history of sync issues within the user's OneNote notebooks, i.e. page conflicts

NoteTags appears to provide the user-specified Tags that are used within OneNote application-wide

RecentSearches.db did not populate any data on my system, but I included the artifact here in case it does on another system

// description

// paths

// collection commands

// references

// notes

description

paths

collection commands

references

notes