Evernote Blog

Investigating Evernote

22/11/2021 Monday

Evernote is one of the most popular note taking applications, it provides the users with a synchronized storage service using cloud servers, where they can save and organize their notes, ideas, photos, documents, and data from any device at any time they would need. It supports multiple operating systems, including Windows, macOS, Android, and iOS.

Digital Forensics Value of Evernote Artifacts

Evernote contains a valuable amount of information about user activities and interactions, as it is used in private environments, as well as in business environments, where critical data is processed and shared between different people. Various actions can be carried out using Evernote, such as creating a new note, a new notebook, or the deletion of it, and so much more. In addition, analyzing the log and database files provides a high forensic evidential value that could aid in investigations.

Location of Evernote Artifacts

Starting from version 10, Evernote artifacts are stored in the following location:

C:\Users\%User%\AppData\Roaming\Evernote

However, in prior versions, artifacts are stored in the following locations:

C:\Users\%User%\Evernote\Databases\<username>.exb
C:\Users\%User%\Evernote\Logs\AppLog_YYYY-MM-DD.txt

On the other hand, Evernote (Windows App) artifacts are retrieved from the following locations:

C:\Users\%User%\AppData\Local\Packages\Evernote.Evernote_q4d96b2w5wcc2\LocalState\Databases\<username>.exb
C:\Users\%User%\AppData\Local\Packages\Evernote.Evernote_q4d96b2w5wcc2\LocalCache\Roaming\Evernote\Local Storage\databases\<FileName>.db
C:\Users\%User%\AppData\Local\Packages\Evernote.Evernote_q4d96b2w5wcc2\LocalCache\Roaming\Evernote\logs\YYYYMMDD.txt

Structure of Evernote Artifacts

Evernote stores its data in the database and logs folders. For the databases, it uses SQLite database format files with the extension .exb, which contain information such as the author, title, created and modified time, location, source, notebooks, and so much more is stored. Whereas the log file creates text files with the extension .txt, once a day when Evernote is launched, and it contains all user interactions such as authentication information, account ID, and the times when the application was started and ended.

Analyzing Evernote Artifacts with ArtiFast Windows

This section discusses how to use ArtiFast Windows to analyze Evernote artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select Evernote artifacts:

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of Evernote artifacts in ArtiFast Windows.

Evernote Notes Artifact

This artifact extracts Evernote notes data.

Date Created - The create date and time.
Altitude - Altitude.
Author - Author.
Content Class - Content class.
Creator Id - Creator Id.
Date Deleted - The deleted date and time.
Date Share - The share date and time.
Date Subject - The subject date and time.
Date Updated - The update date and time.
Geo Address - Geo address.
Geo Admin Level1 - Geo admin level 1.
Geo Admin Level2 - Geo admin level 2.
Geo Admin Level3 - Geo admin level 3.
Geo Country - Geo country.
Has Encryption - Indicates whether it has encryption.
Has Sync Error Info - Indicates whether it has sync error information.
Has Todo - Indicates whether it has a to-do list.
Is Deleted - Indicates whether it was deleted.
Is Linked - Indicates whether it was linked.
Is Published - Indicates whether it was published.
Is Shared - Indicates whether it was shared.
Last Edited By - Last edited by.
Last Editor Id - Last editor Id.
Latitude - Latitude.
Longitude - Longitude.
Notebook UID - Notebook UID.
Notebook - Notebook.
Partial Sync - Partial synchronization.
Place Name - Place name.
Reminder Done Time - Reminder done time.
Reminder Order - Reminder order.
Reminder Time - Reminder time.
Restrictions - Restrictions.
Row Id - Row Id.
Shared Via Messaging - Shared via messaging.
Shared With Business - Shared with business.
Size - Size.
Source App - Source application.
Source URL - Source URL.
Source - Source.
Sync Required - Sync required.
Tags - Tags.
Title Quality - Title quality.
Title - Title.

Evernote Logs Artifact

This artifact extracts Evernote log files.

Activity Category ID - Activity category Id.
Logged Date - Logged date and time.
Description - Description.

Evernote (Win Apps) Notes Artifact

This artifact extracts the notes created by Evernote Windows application.

Creation Time - Note creation date and time.
Updated Time - Note updated date and time.
Task Date - Task date and time.
Task Due Date - Task due date and time.
Title - Note title.
Task Complete Date - Task completion date and time.
Attachment Data Size - Attachment data size.
Attachment File Name - Attachment file name.
Attachment Height - Attachment height.
Attachment Mime - Attachment mime type.
Attachment Width - Attachment width.
Content Length - Note length.
Is Active - Indicates whether the note is active.
Is Deleted - Indicates whether the note was deleted.
Is Expunged - Indicates whether the note expunged.
Place Name - Place name.
Snippet - Snippet of note.
Source URL - Note source URL.

Evernote (Win Apps) Logs Artifact

This artifact extracts Evernote Windows application log files.

Logged Date - Logged date and time.
Description - Description.