dfirhub

MicrosoftOneNote

Appsv1

Author: Andrew Rathbun

description

Microsoft OneNote

paths

5 paths
paths use Windows environment syntax

collection commands 

# PowerShell Artifact Collection Script
# Target: MicrosoftOneNote
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle artifact collection with robocopy
function Collect-Artifact {
    param (
        [string]$SourceDir,
        [string]$FolderName,
        [string]$FileMask = "*"
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    robocopy "$SourceDir" "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null
}

# 1. Microsoft OneNote - FullTextSearchIndex
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndex"
Collect-Artifact -SourceDir "$UserPath" -FolderName "Microsoft_OneNote___FullTextSearchIndex"

# 2. Microsoft OneNote - RecentNotebooks_SeenURLs
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\Notifications"
Collect-Artifact -SourceDir "$UserPath" -FileMask "RecentNotebooks_SeenURLs" -FolderName "Microsoft_OneNote___RecentNotebooks_SeenURLs"

# 3. Microsoft OneNote - AccessibilityCheckerIndex
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndex"
Collect-Artifact -SourceDir "$UserPath" -FolderName "Microsoft_OneNote___AccessibilityCheckerIndex"

# 4. Microsoft OneNote - User NoteTags
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags"
Collect-Artifact -SourceDir "$UserPath" -FileMask "*LiveId.db" -FolderName "Microsoft_OneNote___User_NoteTags"

# 5. Microsoft OneNote - RecentSearches
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearches"
Collect-Artifact -SourceDir "$UserPath" -FileMask "RecentSearches.db" -FolderName "Microsoft_OneNote___RecentSearches"

Write-Host "Collection complete!" -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
› cyberchef recipes

Open in CyberChef to decode values extracted from this artifact.

references