Error when parsing properties of StickyNote files

Issue #13 resolved
Philippe Lagadec
repo owner created an issue

Issue reported by David Nides:

I started looking at jump lists which also follow the ole structure (attached sample).

I am trying to parse this out. For starts.. trying to get the timestamps of the streams.

import OleFileIO_PL

ole = OleFileIO_PL.OleFileIO('StickyNotes.snt')

print ole.listdir()
print
ole.dumpdirectory()

print ole.getproperties(['16d1ce02-446a-11e2-9', '1'], True)

Run time and Error is below. I would appreciate and suggestions you might have. Thanks!!

[['16d1ce02-446a-11e2-9', '0'], ['16d1ce02-446a-11e2-9', '1'], ['16d1ce02-446a-11e2-9', '3'], ['Metafile'], ['Version']]

'Root Entry' (root) 2240 bytes
  '16d1ce02-446a-11e2-9' (storage)
    '0' (stream) 698 bytes
    '1' (stream) 10 bytes
    '3' (stream) 102 bytes
  'Metafile' (stream) 662 bytes
  'Version' (stream) 4 bytes

Traceback (most recent call last):
  File "C:/Users/Nides/Documents/GitHub/Misc_DFIR_Scripts/Sticky Notes/stickynote.py", line 11, in <module>
    print ole.getproperties(['16d1ce02-446a-11e2-9', '1'], True)
  File "C:\Python27\lib\site-packages\OleFileIO_PL.py", line 1632, in getproperties
    clsid = _clsid(s[8:24])
  File "C:\Python27\lib\site-packages\OleFileIO_PL.py", line 376, in _clsid
    assert len(clsid) == 16
AssertionError

Comments (2)

  1. Philippe Lagadec reporter

    It looks like streams in StickyNote files are not properties streams, so the reported error is normal. In v0.26 I fixed the parsing of directory entry timestamps, so it is now possible to get creation and modification times of sticky notes, by checking the root storage and the other storages. For example you may use the following code:

    import OleFileIO_PL, sys
    ole = OleFileIO_PL.OleFileIO(sys.argv[1])
    print'Root mtime=%s ctime=%s' % (ole.root.getmtime(), ole.root.getctime())
    for obj in ole.listdir(streams=False, storages=True):
        print '%s: mtime=%s ctime=%s' % (repr('/'.join(obj)), ole.getmtime(obj), ole.getctime(obj))
    
  2. Log in to comment