Reverse Engineering Penultimate

Fascinating analysis by Alex Caithness of CCL-Forensics about Penultimate (thanks, Clark), a digital note-taking app that was acquired by Evernote earlier this year. Penultimate allows users to draw on screen, simulating virtual ink with smooth lines and curves drawn upon a notebook-like background. That’s what CCL-Forensics tried to reverse-engineer.

Opening one of the “page” files we find another “NSKeyedArchiver” property list. After unravelling the structure of the file we find a top-level object containing further metadata (including a “blankDate” which appears to match the “created” timestamp reported in the “notebookList”, and the dimensions of the note) along with a list of “layers”. Each of the “layer” objects (again represented by dictionaries) has keys for the layer’s colour (more on that later), the layer’s dimensions and a list of “layerRects” – sections of the layer where the user has drawn their notes; and that’s where we finally find the image itself.

Sort of.

Alex’s description of how he worked out how Penultimate stores information inside its library is highly technical, but easy to follow thanks to the screenshots and his clear explanation. Essentially, Alex ended up using Python and XML to retrieve the user’s drawings, which are stored as coordinates – not as “images of the ink”, as one would initially assume.
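As an added example (not part of this post, and not CCL-Forensics’ own tooling), here is how the structure described above can be walked in Python 3.8 or later, whose plistlib understands archiver UIDs. NSKeyedArchiver flattens the object graph into a $objects table and stores every reference as a UID (plistlib.UID in a binary plist, a {"CF$UID": n} dictionary once the file has been converted to XML); resolving those references, unwrapping the NS.objects / NS.time stand-ins the archiver writes for NSArray and NSDate, and then following blankDate, layers and layerRects gets you to the coordinates. The page file it parses is constructed for the example: only the key names blankDate, layers and layerRects come from the write-up; the class names, the colour and points keys and the flat list of x, y values are assumptions.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# NSDate is archived as seconds since Apple's reference date, 2001-01-01 00:00:00 UTC.
NS_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def uid_index(value):
    """Return the $objects index if value is an archiver reference, else None.

    A binary plist yields plistlib.UID; an archive converted to XML
    (plutil -convert xml1) stores the same reference as {"CF$UID": n}.
    """
    if isinstance(value, plistlib.UID):
        return value.data
    if isinstance(value, dict) and list(value) == ["CF$UID"]:
        return value["CF$UID"]
    return None


def unarchive(archive):
    """Turn a parsed NSKeyedArchiver plist into plain Python containers.

    Follows every reference from $top into the flat $objects table, unwraps
    the class-tagged stand-ins the archiver writes for Foundation containers
    and drops the $class pointers. Reference cycles are not handled; a note
    page is a tree.
    """
    objects = archive["$objects"]
    resolved = {}

    def resolve(value):
        idx = uid_index(value)
        if idx is None:
            if isinstance(value, list):
                return [resolve(v) for v in value]
            if isinstance(value, dict):
                return resolve_object(value)
            return value
        if objects[idx] == "$null":       # index 0 is the archiver's nil placeholder
            return None
        if idx not in resolved:
            resolved[idx] = resolve(objects[idx])
        return resolved[idx]

    def resolve_object(obj):
        if "NS.keys" in obj and "NS.objects" in obj:        # NSDictionary
            return {resolve(k): resolve(v)
                    for k, v in zip(obj["NS.keys"], obj["NS.objects"])}
        if "NS.objects" in obj:                              # NSArray / NSSet
            return [resolve(v) for v in obj["NS.objects"]]
        if "NS.time" in obj:                                 # NSDate
            return NS_EPOCH + timedelta(seconds=obj["NS.time"])
        if "NS.string" in obj:                               # NSMutableString
            return obj["NS.string"]
        if "NS.data" in obj:                                 # NSMutableData
            return obj["NS.data"]
        return {k: resolve(v) for k, v in obj.items() if k != "$class"}

    return {k: resolve(v) for k, v in archive["$top"].items()}


def build_sample_page():
    """Constructed stand-in for a Penultimate page file, not a real one.

    Only blankDate, layers and layerRects are key names from the write-up;
    the PL* class names, the colour and points keys and the flat x, y list
    are assumptions made for this example.
    """
    U = plistlib.UID
    objects = [
        "$null",                                                         # 0
        {"$class": U(2), "blankDate": U(3), "layers": U(5)},              # 1 page
        {"$classname": "PLPage", "$classes": ["PLPage", "NSObject"]},    # 2
        {"$class": U(4), "NS.time": 372168000.0},                         # 3 NSDate
        {"$classname": "NSDate", "$classes": ["NSDate", "NSObject"]},    # 4
        {"$class": U(6), "NS.objects": [U(7)]},                           # 5 layers
        {"$classname": "NSMutableArray",
         "$classes": ["NSMutableArray", "NSArray", "NSObject"]},         # 6
        {"$class": U(8), "colour": U(9), "layerRects": U(10)},            # 7 layer
        {"$classname": "PLLayer", "$classes": ["PLLayer", "NSObject"]},  # 8
        "black",                                                          # 9
        {"$class": U(6), "NS.objects": [U(11)]},                          # 10 layerRects
        {"$class": U(12), "points": U(13)},                               # 11 rect
        {"$classname": "PLLayerRect",
         "$classes": ["PLLayerRect", "NSObject"]},                       # 12
        {"$class": U(6), "NS.objects": [12.0, 34.5, 15.0, 36.0, 18.5, 40.0]},  # 13
    ]
    archive = {"$version": 100000, "$archiver": "NSKeyedArchiver",
               "$top": {"root": U(1)}, "$objects": objects}
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)


def extract_strokes(page_bytes):
    """Parse one page file: its blankDate plus, per layer, the coordinate
    lists held in that layer's layerRects."""
    root = unarchive(plistlib.loads(page_bytes))["root"]
    return {
        "blankDate": root["blankDate"],
        "layers": [
            {"colour": layer.get("colour"),
             "strokes": [rect["points"] for rect in layer["layerRects"]]}
            for layer in root["layers"]
        ],
    }


if __name__ == "__main__":
    page = extract_strokes(build_sample_page())
    print("blankDate:", page["blankDate"].isoformat())
    for n, layer in enumerate(page["layers"]):
        print(f"layer {n}: colour={layer['colour']} strokes={layer['strokes']}")
```

To run this against a real page file, replace build_sample_page() with the bytes read from disk; extract_strokes() only depends on the three key names the write-up reports, so anything else in the archive simply comes back as nested dictionaries and lists to inspect.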

If anything, it’s a great reminder that our data can usually be retrieved in a variety of ways using forensic tools (and intuition).