by Stuart Clarke, Millnet
Recently we have been looking at Evernote from a forensic investigation perspective, as we feel it is a great product which will grow in popularity therefore wanted to share some initial findings.
While at the 2012 CEIC conference I had a discussion with Chris Dale from the e-Disclosure Information Project about how social media and cloud computing impacts on e-Disclosure and Evernote featured in our conversation.
I will not delve into detail about what Evernote is capable of; there is a lot of material on the web, which will do a much better job on explaining the product than I.
In short, Evernote is a very clever way of taking notes electronically, which runs on a wide range of operating systems including Windows, Mac, iDevices (iPhone/iPad), Android, Blackberry, Chrome OS. Evernote is also free, however there is a premium version for users who need more storage than the free 60Mb per month offered. Evernote can be run as an application on many different devices, but for users with internet connectivity you can also take advantage of the sync functionality provided by the Evernote web service. This is the real power of Evernote, where a master copy of your data is stored in the cloud on an Evernote server and this data is synchronized with all of your devices running Evernote.
The bulk of my research and the content of this post relates to Evernote running on a Mac and iPhone device, however I expect consistency between different devices. Evernote required users to have an account, and both the account username and associated email address are stored to the device. After registering, Evernote will also generate a unique Evernote email address for you and advise you of this. This automatically generated email address contains your username. The purpose of this is so you can email notes to Evernote and they are added to your account automatically.
After using Evernote for the first time an account profile is created on your local device (Mac/iDevice) and this is used as a local store for your data. This data is in a location outside of the normal user area, therefore the average user will not be aware of its presence. Each individual note generated by Evernote is stored in a folder and this folder contains several versions and copies of the note. In fact, you typically find a HTML version of the note, 3 images of the note and another web version of the note, therefore 5 copies in total. In addition, any attachments to the note, like images are also stored locally.
The notes themselves contain a lot of metadata. You can establish when the note was first created, last updated, when it was last syncronised and the size of the note including the number words and characters.
Users of Evernote on a mobile device will be asked for permission to track your location, if you grant access, which most users do, Evernote will embed your GPS location into the note typically generated with assisted GPS (triangulation of your location based on know fixed points). Another interesting feature, which Chris Dale has experienced, is the ability of Evernote to hook into other applications and assume what your doing. For example, if you have a calendar entry on your iDevice and you create a new Evernote during the scheduled time of the calendar entry, Evernote will use the title from the calendar entry as the title for your newly created Evernote. It will also assign the GPS information to the note. Therefore from single note is may be possible to establish the physical location the note was created, the meeting it was associated with and of course the note content.
The great thing about Evernote is the master log file it creates on the device. This log file is very verbose and details what Evernote is doing. As a result you can identify each time new notes are either downloaded or uploaded from the device. The log also lists if a modification to a note has taken place. For investigation and disclosure purposes this log can be of huge value, because during a collection exercise you may find that for whatever reason there are no notes within Evernote. By reviewing the log file, it is possible to identify that over the past months several notes have been created, modified and synchronized.
Such data allows us to ask more questions both of the custodian and explore additional storage locations. First we can attempt to find out why these notes no longer exist by discussing with the custodian; and second we can start to dig a bit deeper and take advantage of Evernote’s ability to push data to all of our associated devices. If we consider Evernote is running on a Mac and an iDevice, the iDevice will be creating backups of all iDevice data (including Evernote data). Consequently, our missing notes maybe in old iDevice backups. Likewise, the built in backup solution of the Mac called Time Machine may be running and creating potentially hundreds of copies of the Evernote data over time.
While on the subject of deletion or missing data, items deleted in Evernote are not deleted immediately; they are placed in the ‘Trash’ and will remain there until this storage location is manually emptied. This is very similar to most forms of deletion of electronic devices for example the Windows Recycle Bin. Once the items are permanently deleted and all devices synchronized, the data is not fully removed. The local copies of Evernote files stored on your Mac or Windows PC are moved to a different folder within your Evernote profile and still fully accessible and available for collection.
There are a wealth of further system files, which detail settings associated Evernote including current data usage and the volumes of data that can be uploaded during the month cycle. We can also establish when the data was last syncronised and the account associated with this syncronisation. We can also review several different databases, which store metadata and further Evernote history.
Evernote is yet another example of a cloud based product designed to make our lives easier. It is also very good at generating a lot of data across various devices.
From a forensic investigation perspective the volume of evidential artifacts is significant and for that reason it is a product we should all be aware of in our forensic investigations. Although the volumes of data generated by Evernote are of great value to forensic investigations it is pending problem for those involved in e-Disclosure exercises. Such an issue was the focus of an interactive session at CEIC 2012, where a panel including Judge Andrew J. Peck, Judge John M. Facciola and Judge Herbert B. Dixon discussed emerging trends including social media and cloud computing.
The suggestion and message of this post for e-Discloure purposes is not to collect and start searching for the vast quantities of Evernote data, as this will quickly become a disproportionate exercise. However, it does illustrate the need to increase awareness and continually educate those involved in e-Disclosure so they can ask the right questions, and appropriately assess each matter. It is through panels like those at the recent CEIC conference and Sedona conference later this year and individuals like Chris Dale that progress will be made. As this continues to drive forward it is the responsibility of the technicians to keep up to speed with emerging technologies.
If you would like to learn more about Evernote and use it yourself click here
There is also a host of other material relating to forensics and eDiscovery on the Millnet Consulting blog.