Tabby's Date - Recovering an Unsaved Notepad Note 🗒️

Category: Forensics

Tags: Huntress CTF 2025 Windows

Challenge context: Tabby wrote something important in Notepad, but never saved it.

Goal: find the note on Tabby's laptop that contains the flag.

What we were given: tabbys_date.zip (password: tabbys_date) – an export of her C: drive.


1. Unzip the archive

unzip -P tabbys_date tabbys_date.zip -d tabby_cdrive
tree tabby_cdrive/

Treating the extracted folder like a forensic file tree made sense since the challenge explicitly mentioned an export of the laptop’s files.


2. Initial keyword searches

grep -ri "date" tabby_cdrive/
grep -ri "flag" tabby_cdrive/

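These came up empty because many Windows app artifacts are stored in UTF-16 or binary formats. grep compares bytes, and in UTF-16LE each ASCII character is followed by a null byte, so a plain "flag" pattern never matches.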


3. Inspecting Notepad TabState

cd C/Users/Tabby/AppData/Local/Packages/Microsoft.WindowsNotepad_8wekyb3d8bbwe/LocalState/TabState/
Unsaved Notepad tabs stored as UUID-named .bin files.

Modern Windows Notepad stores unsaved tab state here, making this directory the perfect place to look.


4. Extracting readable text

file *.bin
strings *.bin | less
Initial strings output revealed encoded text.

5. UTF-16 decoding

for f in *.bin; do
  echo "=== $f ==="
  iconv -f UTF-16LE -t UTF-8 "$f" 2>/dev/null \
    || iconv -f UTF-16BE -t UTF-8 "$f" 2>/dev/null \
    || strings "$f"
done | less
Clean UTF-8 output after decoding Notepad state files.
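
Steps 2 and 5 both come down to encoding: a byte-level search for "flag" misses text stored as UTF-16LE. The script below is an added example, not part of the original write-up; it extracts both single-byte and UTF-16LE strings from every file under a directory and searches them for a keyword, much like running strings with and without -e l. The function names and the sample bytes are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

def ascii_strings(data: bytes, min_chars: int = 4) -> list:
    """Runs of printable single-byte characters (what plain `strings` finds)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_chars)
    return [m.group().decode("ascii") for m in pat.finditer(data)]

def utf16le_strings(data: bytes, min_chars: int = 4) -> list:
    """Runs of printable characters each followed by 0x00 (like `strings -e l`)."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]

def search_tree(root, keyword: str) -> list:
    """Return (file name, encoding, string) for each string containing keyword."""
    needle = keyword.lower()
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        for enc, extract in (("ascii", ascii_strings), ("utf-16le", utf16le_strings)):
            hits += [(path.name, enc, s) for s in extract(data) if needle in s.lower()]
    return hits

# Constructed sample: arbitrary binary bytes around a UTF-16LE note.
# This is not a real TabState file and makes no claim about that format.
SAMPLE = (b"\x01\x02\x90\x05"
          + "wifi: hunter2 flag{constructed}".encode("utf-16-le")
          + b"\x00\xff\x07")

if __name__ == "__main__":
    # Byte-level match, as grep would do: the keyword is not found.
    print("raw bytes contain 'flag':", b"flag" in SAMPLE)
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "tab.bin").write_bytes(SAMPLE)
        for name, enc, text in search_tree(tmp, "flag"):
            print(f"{name} [{enc}] {text}")
```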

6. Flag recovered

Unsaved Notepad note containing the Wi-Fi password and flag.
flag{165d19b610c02b283fc1a6b4a54c4a58}

Forensics takeaways

  • Unsaved data often lives in application state directories
  • Encoding matters when searching artifacts
  • Modern Windows apps leave rich forensic traces
  • Small artifacts can answer entire cases
One unsaved Notepad tab, one recovered flag.