Recently I attended an interview where the interviewer asked me the following questions in a technical face-to-face interview:
- How does Sticky Notes work?
- How is Windows able to preserve the data even though it is not saved explicitly?
- How is the data preserved even when the system crashes?
I have no idea how it works. I tried googling, but I couldn't find any useful information.
Can anyone explain or give some information?
I agree with @Vii's response. He has the right information about where the file is stored.
I have found some forensic background on this file here: http://www.forensicswiki.org/wiki/Sticky_Notes
It seems like the SNT file has 3 datastreams: 0, 1 and 3. Stream 0 stores information in RTF form and Stream 3 stores the actual text in Unicode format.
The Root Entry of the storage stream has a timestamp associated with it and you can use tools like MiTec Storage Viewer, Sticky7List to view the creation and modification times associated with the file. You can create a sticky note and observe when it creates the datastream and modify the sticky note and monitor how it modifies the file.
Some helpful references:
- http://www.pcworld.com/article/191453/sticky_notes.html
- https://superuser.com/questions/396698/how-to-retrieve-contents-of-stick-notes-directly-from-file-system
- http://www.forensicswiki.org/wiki/Sticky_Notes
- http://computer-forensics.sans.org/blog/2010/10/19/digital-forensics-stuck-stickies-2
- http://windowsir.blogspot.com/2011/08/sticky-notes-analysis.html
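The Root Entry timestamp and the numbered streams mentioned in the answer above can be read straight from the file's OLE compound-file directory. This is an added example, not part of the original answer: the field offsets follow the MS-CFB layout, it reads only the first directory sector (which always holds the Root Entry), and the sample bytes, the storage name `note-1` and the stream sizes are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TYPES = {1: "storage", 2: "stream", 5: "root"}

def filetime_to_dt(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def read_first_dir_sector(data):
    """Return (name, type, created, modified, size) for each entry in the
    first directory sector. The Root Entry is always the first entry."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_shift, = struct.unpack_from("<H", data, 30)
    first_dir, = struct.unpack_from("<I", data, 48)
    sector_size = 1 << sector_shift
    base = (first_dir + 1) * sector_size       # sector 0 follows the header
    entries = []
    for off in range(base, min(base + sector_size, len(data) - 127), 128):
        name_len, obj_type = struct.unpack_from("<HB", data, off + 64)
        if obj_type not in TYPES or not 2 <= name_len <= 64:
            continue                           # unused or malformed slot
        name = data[off:off + name_len - 2].decode("utf-16-le", "replace")
        created, modified = struct.unpack_from("<QQ", data, off + 100)
        size, = struct.unpack_from("<Q", data, off + 120)
        entries.append((name, TYPES[obj_type], filetime_to_dt(created),
                        filetime_to_dt(modified), size))
    return entries

def _entry(name, obj_type, modified=0, size=0):
    """Build one constructed 128-byte directory entry for the sample."""
    raw = (name + "\0").encode("utf-16-le")
    return (raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), obj_type)
            + b"\0" * 33 + struct.pack("<QQIQ", 0, modified, 0, size))

# Constructed sample: header + one directory sector (not a real StickyNotes.snt).
SAMPLE_MODIFIED = datetime(2011, 8, 1, 12, 0, tzinfo=timezone.utc)
_ft = (SAMPLE_MODIFIED - EPOCH_1601) // timedelta(microseconds=1) * 10
_header = ((CFB_MAGIC + b"\0" * 22 + struct.pack("<H", 9)).ljust(48, b"\0")
           + struct.pack("<I", 0)).ljust(512, b"\0")
SAMPLE = (_header + _entry("Root Entry", 5, _ft) + _entry("note-1", 1)
          + _entry("0", 2, size=300) + _entry("3", 2, size=42))

if __name__ == "__main__":
    for e in read_first_dir_sector(SAMPLE):
        print(e)
```

To run it against a real file, pass the bytes of a working copy of the SNT file to `read_first_dir_sector` instead of `SAMPLE`.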