MicrosoftOneNote
Appsv1
Author: Andrew Rathbun
description
Microsoft OneNote
paths
5 paths
AppsMicrosoft OneNote - FullTextSearchIndex
C:\Users\%user%\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndexGrabs database(s) comprising of each OneNote notebook's text content
AppsMicrosoft OneNote - RecentNotebooks_SeenURLs
C:\Users\%user%\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\NotificationsRecentNotebooks_SeenURLsGrabs a file that appears to record recently seen OneNote notebooks
AppsMicrosoft OneNote - AccessibilityCheckerIndex
C:\Users\%user%\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndexGrabs database(s) comprising of each OneNote notebook's version sync error history
AppsMicrosoft OneNote - User NoteTags
C:\Users\%user%\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags*LiveId.dbGrabs a database that stores the user specified tags within OneNote to be used application-wide
AppsMicrosoft OneNote - RecentSearches
C:\Users\%user%\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearchesRecentSearches.dbGrabs a database that stores the user's recent searches within OneNote
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: MicrosoftOneNote
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"
# Function to handle directory creation and copying
function Collect-Artifact {
param (
[string]$SourcePath,
[string]$FolderName
)
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
if (-not (Test-Path -Path $FullDest)) {
New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
}
Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}
# 1. Microsoft OneNote - FullTextSearchIndex
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndex"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Microsoft_OneNote___FullTextSearchIndex"
# 2. Microsoft OneNote - RecentNotebooks_SeenURLs
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\Notifications"
Collect-Artifact -SourcePath "$UserPath\RecentNotebooks_SeenURLs" -FolderName "Microsoft_OneNote___RecentNotebooks_SeenURLs"
# 3. Microsoft OneNote - AccessibilityCheckerIndex
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndex"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Microsoft_OneNote___AccessibilityCheckerIndex"
# 4. Microsoft OneNote - User NoteTags
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags"
Collect-Artifact -SourcePath "$UserPath\*LiveId.db" -FolderName "Microsoft_OneNote___User_NoteTags"
# 5. Microsoft OneNote - RecentSearches
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearches"
Collect-Artifact -SourcePath "$UserPath\RecentSearches.db" -FolderName "Microsoft_OneNote___RecentSearches"
Write-Host "Collection complete!" -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
› cyberchef recipes
Open in CyberChef to decode values extracted from this artifact.