SlideShare una empresa de Scribd logo

Windows 10 Forensics: OS Evidentiary Artefacts

Descargar como PPTX, PDF
Brent Muir
Brent Muir

OS and application forensic artefacts related to Windows 10.

Tecnología
1 de 43
Windows 10 Forensics OS Evidentiary Artefacts Version 1.5 (Build 10240) Brent Muir – 2015
Topics OS Artefacts : ▫ File Systems / Partitions ▫ Registry Hives ▫ Event Logs ▫ Prefetch ▫ Shellbags ▫ LNK Shortcuts ▫ Thumbcache ▫ Recycle Bin ▫ Volume Shadow Copies ▫ Windows Indexing Service ▫ Cortana (Search) ▫ Notification Centre ▫ Picture Password Application Artefacts: ▫ Windows Store ▫ Edge Browser (previously Spartan)  Legacy Internet Explorer ▫ Email (Mail application) ▫ Unified Communication  Twitter  Skype  OneDrive ▫ Microsoft Office Apps  Word  Excel  PowerPoint  OneNote ▫ Maps
Part 1
File Systems / Partitions • Supported File Systems: ▫ NTFS, Fat32, ExFat • Default Partition structure: ▫ “Windows” – core OS (NTFS) ▫ “Recovery” (NTFS) ▫ “Reserved” ▫ “System” – UEFI (Fat32) ▫ “Recovery Image” (NTFS)
Registry Hives • Registry hives format has not changed ▫ Can be examined with numerous tools (e.g. RegistryBrowser, RegistryViewer, X-Ways Forensics, etc.) • Location of important registry hives: ▫ Usersuser_nameNTUSER.DAT ▫ WindowsSystem32configDEFAULT ▫ WindowsSystem32configSAM ▫ WindowsSystem32configSECURITY ▫ WindowsSystem32configSOFTWARE ▫ WindowsSystem32configSYSTEM
Event Logs • EVTX log format has not changed ▫ Can be examined with numerous tools (e.g. X-Ways Forensics, etc.) • Location of EVTX logs: ▫ WindowsSystem32winevtLogs
Event Logs – Windows Store • WindowsSystem32winevtLogsMicrosoft- Windows-Store%4Operational.evtx Source EventID Category Function Microsoft- Windows-Install- Agent 2002 2001 Installing application Windows- ApplicationModel- Store-SDK 5 5 Search query strings (e.g. query=twitter)
Event Logs – Windows Store • WindowsSystem32winevtLogsMicrosoft- Windows-AppXDeploymentServer%4Operational.evtx Source EventID Category Function Microsoft- Windows- AppXDeploy ment-Server 10002 3 Application deployment
Prefetch • Location of Prefetch files: ▫ WindowsPrefetch
Shellbags • NTUSER.dat ▫ SOFTWAREMicrosoftWindowsShellBags • UsrClass.dat
LNK Shortcuts • LNK format has not changed ▫ Can be examined with numerous tools (e.g. X-Ways Forensics, etc.) • Useful fields: ▫ Hostname ▫ MAC Address ▫ Volume ID ▫ Owner SID ▫ MAC Times
Thumbcache • Location of Thumbcache files: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsExplorer
Recycle Bin • Recycle Bin artefacts have not changed ▫ $I  Still provides original file name and path ▫ $R  Original file
Volume Shadow Copies • vssadmin tool still provides list of current VSCs
Windows Indexing Service • Windows indexing service is an evidentiary gold mine ▫ Potentially storing emails and other binary items  Great as dictionary list for password cracking • Stored in an .EDB file ▫ Can be interpreted by EseDbViewer, ESEDatabaseView or X- Ways Forensics  If “dirty” dismount, need to use esentutl.exe • In Windows 10 stored in the following directory: ▫ C:ProgramDataMicrosoftSearchDataApplicationsWindo wsWindows.edb
Cortana • Windows 10 features “Cortana”, a personal assistant, which expands upon the unified search platform introduced in Windows 8, ▫ Search encompasses local files, Windows Store & online content ▫ Can set reminders ▫ Can initiate contact (e.g. write emails) • Cortana Databases (EDBs): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Windows.Cortana_xxxxAp pDataIndexed DBIndexedDB.edb ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Windows.Cortana_xxxxLoc alStateESEDatabase_CortanaCoreInstanceCortanaCireDb.dat  Interesting Tables:  LocationTriggers ▫ Latitude/Longitude and Name of place results  Geofences ▫ Latitude/Longitude for where location based reminders are triggered  Reminders ▫ Creation and completion time (UNIX numeric value)
Cortana • The following databases contain a list of contacts synched from email accounts: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Windows.Cortana_xxxxLocalStateContacts_xxxxx.cfg ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Windows.Cortana_xxxxLocalStateContacts_xxxxx.cfg.tx t
Notification Centre • The following databases contain a list of notifications: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsNotificationsappdb.dat  Toast notifications are stored in embedded XML
Picture Password • “Picture Password” is an alternate login method where gestures on top of a picture are used as a password • This registry key details the path to the location of the “Picture Password” file: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrent VersionAuthenticationLogonUIPicturePassworduser_GUID • Path of locally stored Picture Password file: ▫ C:ProgramDataMicrosoftWindowsSystemDatauser_GUIDRe adOnlyPicturePasswordbackground.png
Part 2
Applications (Apps) • Applications (Apps) that utilise the Metro Modern UI are treated differently to programs that work in desktop mode • Apps are installed in the following directory: ▫ Program FilesWindowsApps • Settings and configuration DBs are located in following directories: ▫ Usersuser_nameAppDataLocalPackagespackage_nameLocalSt ate  Two DB formats:  SQLite DBs (.SQL)  Jet DBs (.EDB)
Windows Store • Apps are purchased/installed via the Windows Store • During the Insider Preview their was a Beta Store which contained Windows 10 –compatible Apps (e.g. Microsoft Office Apps) • Registry key of installed applications: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionApp xAppxAllUserStoreApplications • List of deleted applications: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionApp xAppxAllUserStoreDeleted
Edge Browser • New web browser and rendering engine (Spartan) • Same as IE10, records no longer stored in Index.DAT files, stored in EDB • Edge settings are stored in the following file: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxxACMicroso ftEdgeUserDefaultDataStoreDatanouser1xxxxxDBStorespartan.edb • Edge cache stored in the following directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxAC#!001M icrosoftEdgeCache • Last active browsing session stored: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxACMicrosoft EdgeUserDefaultRecoveryActive
Browser History Records • Edge (and IE) history records stored in the following database: ▫ Usersuser_nameAppDataLocalMicrosoftWind owsWebCacheWebCacheV01.dat  This is actually an .EDB file  Can be interpreted by EseDbViewer or ESEDatabaseView  Might be a “dirty” dismount, need to use esentutl.exe  Database also stores Cookies
Internet Explorer (legacy) • Internet Cache stored in this directory: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsINetCache • Internet Cookies stored in this directory: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsINetCookies
Email (Mail application) • Body of emails are stored in TXT or HTML format ▫ Can be analysed by a number of tools ▫ Stored in the following directory:  Usersuser_nameAppDataLocalCommsUnistoredata • Metadata of emails are stored in the following DB (EDB format): ▫ Usersuser_nameAppDataLocalCommsUnistoreDBstore.vol  Attachments  Email header  Contact information
Unified Communication • Unified Communication (UC) is a built-in Microsoft application that brings together all of the following social media platforms (by default): ▫ Appears to be scaled back from Windows 8.x (less integrated as previous People App) • UC settings are stored in the following DB: ▫ Usersuser_nameAppDataLocalPackagesmicro soft.windowscommunicationsapps…LocalStatelivec omm.edb
Unified Communication • Interesting Tables: ▫ Account  SourceID  List of accounts (e.g WL = Windows Live, Skype, TWITR, LI = LinkedIn)  DomainTag  Username for each account ▫ Contact  List of synched contacts across all account platforms ▫ Event  Calendar entries (including birthdays of contacts if synched to Windows Live) and locations ▫ MeContact  Further details about owner accounts ▫ Person and PersonLink  Further details about each contact including what account they link back to (e.g Skype)
Unified Communication • Locally cached contact entries are stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesmicrosoft.windowscom municationsapps_xxxxxLocalStateIndexedLiveCommxxxxxxxxxx PeopleAddressBook • Contact photos are stored in this directory (JPGs): ▫ Usersuser_nameAppDataLocalPackagesmicrosoft.windowscom municationsapps_xxxxLocalStateLiveCommxxxxxxxxUserTiles
Twitter App • History DB located in following file: ▫ Usersuser_nameAppDataLocalPackagesxxxx.Twitte r_xxxxxxxLocalStatetwitter_user_idtwitter.sqlite • SQLite3 format DB ▫ 11 Tables in DB  Relevant tables:  messages – holds tweets & DMs  search_queries – holds searches conducted in Twitter app by user  statuses – lists latest tweets from accounts being followed  users – lists user account and accounts being followed by user
Twitter App • Settings located in file: ▫ Usersuser_nameAppDataLocalPackagesxx xxx.Twitter_xxxxSettingssettings.dat  Includes user name (@xxxxx)  Details on profile picture URL  Twitter ID number
Skype App (legacy) • The Skype App was discontinued with Windows 10 ▫ Windows 10 prompts you to download the desktop Skype application
OneDrive App • Built-in by default, API allows all programs to save files in OneDrive • List of Synced items located in file: ▫ Usersuser_nameAppDataLocalMicrosoftWind owsOneDrivesettingsxxxxxxxx.dat • Locally cached items are stored in directory: ▫ Usersuser_nameOneDrive
Microsoft Office Apps • With the release of the Windows Insider program Microsoft introduced the Office Mobile Apps ▫ If you have a valid Office365 account then you can edit and create documents  Otherwise these Apps are read-only
Word App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Word_xxxxLocalStateAppDataLocalOffice16.0 MruServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Word_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
Excel App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Excel_xxxxLocalStateAppDataLocalOffice16.0 MruServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Excel_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
PowerPoint App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Office. PowerPoint_xxxxLocalStateAppDataLocalOffice16.0Mru ServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Office. PowerPoint_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
OneNote App • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Of fice.OneNote_xxxxLocalStateAppDataLocalOneNote1 6.0 • Files stored as xxxx.bin extension ▫ Encoded binary files ▫ Embedded graphics such as PNG or JPG
Maps App • Recent places stored in this file (XML): ▫ Usersuser_nameAppDataLocalPackagesM icrosoft.WindowsMaps_xxxxLocalStateGraph xxxxMe00000000.ttl  Latitude/Longitude  Dates modified (searched)
Part 3
Memory Acquisition • WinPMEM (tested versions 1.6.2 & 2.0.1) ▫ Run as Administrator  Has to extract driver to local temp location  V1.6.2 running process ~10MB  V2.0.1 running process ~80MB • FTK Imager ▫ Run as Administrator  Running process ~15MB
Live Disk Acquisition • FTK Imager ▫ Can be used for Physical or Logical acquisition • X-Ways Forensics ▫ Can be used for Physical or Logical acquisition
Resources • FTK Imager ▫ http://accessdata.com/product-download?/support/product- downloads • Nirsoft ESEDatabaseView ▫ http://www.nirsoft.net/utils/ese_database_view.html • RegistryBrowser ▫ https://lockandcode.com/software/registry_browser • WinPMEM ▫ https://github.com/google/rekall/releases

Recomendados

Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
Santosh Khadsare
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
n|u - The Open Security Community
 
Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.
Vishal Tandel
 
Disk forensics
Disk forensicsDisk forensics
Disk forensics
Chiawei Wang
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensics
Prince Boonlia
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-public
CTIN
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
Digit Oktavianto
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
MD SAQUIB KHAN
 

Recomendados

Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
Santosh Khadsare
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
n|u - The Open Security Community
 
Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.
Vishal Tandel
 
Disk forensics
Disk forensicsDisk forensics
Disk forensics
Chiawei Wang
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensics
Prince Boonlia
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-public
CTIN
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
Digit Oktavianto
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
MD SAQUIB KHAN
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensics
Taha İslam YILMAZ
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
ArunJS5
 
Windows Forensics
Windows ForensicsWindows Forensics
Windows Forensics
Prince Boonlia
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
Conferencias FIST
 
Windows Registry Analysis
Windows Registry AnalysisWindows Registry Analysis
Windows Registry Analysis
Himanshu0734
 
Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registry
somutripathi
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0
Brent Muir
 
Ntfs forensics
Ntfs forensicsNtfs forensics
Ntfs forensics
n|u - The Open Security Community
 
Ntfs and computer forensics
Ntfs and computer forensicsNtfs and computer forensics
Ntfs and computer forensics
Gaurav Ragtah
 
Lecture4 Windows System Artifacts.pptx
Lecture4 Windows System Artifacts.pptxLecture4 Windows System Artifacts.pptx
Lecture4 Windows System Artifacts.pptx
GaganvirKaur
 
Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts
MD SAQUIB KHAN
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber Forensics
Kathirvel Ayyaswamy
 
Encase Forensic
Encase ForensicEncase Forensic
Encase Forensic
Megha Sahu
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
CTIN
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation
Damir Delija
 
File system
File systemFile system
File system
Harleen Johal
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
Sunil Kumar
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensics
Mayank Chaudhari
 
Mac Forensics
Mac ForensicsMac Forensics
Mac Forensics
CTIN
 
Module 02 ftk imager
Module 02 ftk imagerModule 02 ftk imager
Module 02 ftk imager
ParminderKaurBScHons
 
Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3
CTIN
 
Raidprep
RaidprepRaidprep
Raidprep
CTIN
 

Más contenido relacionado

La actualidad más candente

Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
Conferencias FIST
 
Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registry
somutripathi
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
CTIN
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
Sunil Kumar
 
Mac Forensics
Mac ForensicsMac Forensics
Mac Forensics
CTIN
 

La actualidad más candente (20)

Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensics
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
Windows Forensics
Windows ForensicsWindows Forensics
Windows Forensics
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
 
Windows Registry Analysis
Windows Registry AnalysisWindows Registry Analysis
Windows Registry Analysis
 
Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registry
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0
 
Ntfs forensics
Ntfs forensicsNtfs forensics
Ntfs forensics
 
Ntfs and computer forensics
Ntfs and computer forensicsNtfs and computer forensics
Ntfs and computer forensics
 
Lecture4 Windows System Artifacts.pptx
Lecture4 Windows System Artifacts.pptxLecture4 Windows System Artifacts.pptx
Lecture4 Windows System Artifacts.pptx
 
Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts Windows Registry Forensics - Artifacts
Windows Registry Forensics - Artifacts
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber Forensics
 
Encase Forensic
Encase ForensicEncase Forensic
Encase Forensic
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation
 
File system
File systemFile system
File system
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensics
 
Mac Forensics
Mac ForensicsMac Forensics
Mac Forensics
 
Module 02 ftk imager
Module 02 ftk imagerModule 02 ftk imager
Module 02 ftk imager
 

Destacado

Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3
CTIN
 
Raidprep
RaidprepRaidprep
Raidprep
CTIN
 
www.indonezia.net Hacking Windows Registry
www.indonezia.net Hacking Windows Registrywww.indonezia.net Hacking Windows Registry
www.indonezia.net Hacking Windows Registry
Chandra Pr. Singh
 
F Database
F DatabaseF Database
F Database
CTIN
 
Live Forensics
Live ForensicsLive Forensics
Live Forensics
CTIN
 
Sleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKINGSleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKING
Eduardo Chavarro
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
CTIN
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformAutopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Basis Technology
 
Part6 Private Sector Concerns
Part6 Private Sector ConcernsPart6 Private Sector Concerns
Part6 Private Sector Concerns
CTIN
 

Destacado (20)

Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3
 
Raidprep
RaidprepRaidprep
Raidprep
 
File Management Presentation
File Management PresentationFile Management Presentation
File Management Presentation
 
Cheatsheet of msdos
Cheatsheet of msdosCheatsheet of msdos
Cheatsheet of msdos
 
www.indonezia.net Hacking Windows Registry
www.indonezia.net Hacking Windows Registrywww.indonezia.net Hacking Windows Registry
www.indonezia.net Hacking Windows Registry
 
Computer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP KhartoumComputer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP Khartoum
 
F Database
F DatabaseF Database
F Database
 
Forensic Anaysis on Twitter
Forensic Anaysis on TwitterForensic Anaysis on Twitter
Forensic Anaysis on Twitter
 
Live Forensics
Live ForensicsLive Forensics
Live Forensics
 
Sleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKINGSleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKING
 
Netcat cheat sheet
Netcat cheat sheetNetcat cheat sheet
Netcat cheat sheet
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformAutopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
 
Become an Internet Sleuth!
Become an Internet Sleuth!Become an Internet Sleuth!
Become an Internet Sleuth!
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XP
 
Part6 Private Sector Concerns
Part6 Private Sector ConcernsPart6 Private Sector Concerns
Part6 Private Sector Concerns
 
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
 
Social Media Forensics for Investigators
Social Media Forensics for InvestigatorsSocial Media Forensics for Investigators
Social Media Forensics for Investigators
 
Digital forensic upload
Digital forensic uploadDigital forensic upload
Digital forensic upload
 

Similar a Windows 10 Forensics: OS Evidentiary Artefacts

Vista Forensics
Vista ForensicsVista Forensics
Vista Forensics
CTIN
 
IIS 6 - General System Administration Overview
IIS 6 - General System Administration OverviewIIS 6 - General System Administration Overview
IIS 6 - General System Administration Overview
Information Technology
 
Bri forum advanced web interface customizations
Bri forum advanced web interface customizationsBri forum advanced web interface customizations
Bri forum advanced web interface customizations
CCOSTAN
 
Where to save my data, for devs!
Where to save my data, for devs!Where to save my data, for devs!
Where to save my data, for devs!
SharePoint Saturday New Jersey
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptx
JohnnyPlasten
 
Implemeting Sencha Ext JS in Drupal
Implemeting Sencha Ext JS in Drupal Implemeting Sencha Ext JS in Drupal
Implemeting Sencha Ext JS in Drupal
drupalsydney
 

Similar a Windows 10 Forensics: OS Evidentiary Artefacts (20)

Windows RT Evidentiary Artefacts 1.0
Windows RT Evidentiary Artefacts 1.0Windows RT Evidentiary Artefacts 1.0
Windows RT Evidentiary Artefacts 1.0
 
WindowsRegistry.ppt
WindowsRegistry.pptWindowsRegistry.ppt
WindowsRegistry.ppt
 
Extracting and analyzing browser,email and IM artifacts
Extracting and analyzing browser,email and IM artifactsExtracting and analyzing browser,email and IM artifacts
Extracting and analyzing browser,email and IM artifacts
 
Vista Forensics
Vista ForensicsVista Forensics
Vista Forensics
 
CNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsCNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating Applications
 
Windows 10 Data Recovery
Windows 10 Data RecoveryWindows 10 Data Recovery
Windows 10 Data Recovery
 
IIS 6 - General System Administration Overview
IIS 6 - General System Administration OverviewIIS 6 - General System Administration Overview
IIS 6 - General System Administration Overview
 
windows.pptx
windows.pptxwindows.pptx
windows.pptx
 
Scaling / optimizing search on netlog
Scaling / optimizing search on netlogScaling / optimizing search on netlog
Scaling / optimizing search on netlog
 
Unesco information storage and retrievals tools
Unesco information storage and retrievals toolsUnesco information storage and retrievals tools
Unesco information storage and retrievals tools
 
Bri forum advanced web interface customizations
Bri forum advanced web interface customizationsBri forum advanced web interface customizations
Bri forum advanced web interface customizations
 
Vistaceic2007 from CEIC 2007
Vistaceic2007 from CEIC 2007Vistaceic2007 from CEIC 2007
Vistaceic2007 from CEIC 2007
 
Where to save my data, for devs!
Where to save my data, for devs!Where to save my data, for devs!
Where to save my data, for devs!
 
Internet Explorer 8
Internet Explorer 8Internet Explorer 8
Internet Explorer 8
 
CNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsCNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X Systems
 
Windows 1809 Timeline
Windows 1809 TimelineWindows 1809 Timeline
Windows 1809 Timeline
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptx
 
Implemeting Sencha Ext JS in Drupal
Implemeting Sencha Ext JS in Drupal Implemeting Sencha Ext JS in Drupal
Implemeting Sencha Ext JS in Drupal
 
CNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsCNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X Systems
 
Advanced Web Interface Customizations - BriForum 2010
Advanced Web Interface Customizations - BriForum 2010Advanced Web Interface Customizations - BriForum 2010
Advanced Web Interface Customizations - BriForum 2010
 

Más de Brent Muir

Trying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingTrying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computing
Brent Muir
 

Más de Brent Muir (14)

Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5
 
Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage Tool
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service Attacks
 
RFID Privacy & Security Issues
RFID Privacy & Security IssuesRFID Privacy & Security Issues
RFID Privacy & Security Issues
 
TOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying MarkersTOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying Markers
 
Malware SPAM - March 2013
Malware SPAM - March 2013Malware SPAM - March 2013
Malware SPAM - March 2013
 
Malware Spam February 2013
Malware Spam February 2013Malware Spam February 2013
Malware Spam February 2013
 
Booting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual boxBooting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual box
 
Malware SPAM - January 2013
Malware SPAM - January 2013Malware SPAM - January 2013
Malware SPAM - January 2013
 
Trying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingTrying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computing
 

Último

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Último (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Windows 10 Forensics: OS Evidentiary Artefacts

  • 1. Windows 10 Forensics OS Evidentiary Artefacts Version 1.5 (Build 10240) Brent Muir – 2015
  • 2. Topics OS Artefacts : ▫ File Systems / Partitions ▫ Registry Hives ▫ Event Logs ▫ Prefetch ▫ Shellbags ▫ LNK Shortcuts ▫ Thumbcache ▫ Recycle Bin ▫ Volume Shadow Copies ▫ Windows Indexing Service ▫ Cortana (Search) ▫ Notification Centre ▫ Picture Password Application Artefacts: ▫ Windows Store ▫ Edge Browser (previously Spartan)  Legacy Internet Explorer ▫ Email (Mail application) ▫ Unified Communication  Twitter  Skype  OneDrive ▫ Microsoft Office Apps  Word  Excel  PowerPoint  OneNote ▫ Maps
  • 4. File Systems / Partitions • Supported File Systems: ▫ NTFS, Fat32, ExFat • Default Partition structure: ▫ “Windows” – core OS (NTFS) ▫ “Recovery” (NTFS) ▫ “Reserved” ▫ “System” – UEFI (Fat32) ▫ “Recovery Image” (NTFS)
  • 5. Registry Hives • Registry hives format has not changed ▫ Can be examined with numerous tools (e.g. RegistryBrowser, RegistryViewer, X-Ways Forensics, etc.) • Location of important registry hives: ▫ Usersuser_nameNTUSER.DAT ▫ WindowsSystem32configDEFAULT ▫ WindowsSystem32configSAM ▫ WindowsSystem32configSECURITY ▫ WindowsSystem32configSOFTWARE ▫ WindowsSystem32configSYSTEM
  • 6. Event Logs • EVTX log format has not changed ▫ Can be examined with numerous tools (e.g. X-Ways Forensics, etc.) • Location of EVTX logs: ▫ WindowsSystem32winevtLogs
  • 7. Event Logs – Windows Store • WindowsSystem32winevtLogsMicrosoft- Windows-Store%4Operational.evtx Source EventID Category Function Microsoft- Windows-Install- Agent 2002 2001 Installing application Windows- ApplicationModel- Store-SDK 5 5 Search query strings (e.g. query=twitter)
  • 8. Event Logs – Windows Store • WindowsSystem32winevtLogsMicrosoft- Windows-AppXDeploymentServer%4Operational.evtx Source EventID Category Function Microsoft- Windows- AppXDeploy ment-Server 10002 3 Application deployment
  • 9. Prefetch • Location of Prefetch files: ▫ WindowsPrefetch
  • 11. LNK Shortcuts • LNK format has not changed ▫ Can be examined with numerous tools (e.g. X-Ways Forensics, etc.) • Useful fields: ▫ Hostname ▫ MAC Address ▫ Volume ID ▫ Owner SID ▫ MAC Times
  • 12. Thumbcache • Location of Thumbcache files: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsExplorer
  • 13. Recycle Bin • Recycle Bin artefacts have not changed ▫ $I  Still provides original file name and path ▫ $R  Original file
  • 14. Volume Shadow Copies • vssadmin tool still provides list of current VSCs
  • 15. Windows Indexing Service • Windows indexing service is an evidentiary gold mine ▫ Potentially storing emails and other binary items  Great as dictionary list for password cracking • Stored in an .EDB file ▫ Can be interpreted by EseDbViewer, ESEDatabaseView or X- Ways Forensics  If “dirty” dismount, need to use esentutl.exe • In Windows 10 stored in the following directory: ▫ C:ProgramDataMicrosoftSearchDataApplicationsWindo wsWindows.edb
  • 16. Cortana • Windows 10 features “Cortana”, a personal assistant, which expands upon the unified search platform introduced in Windows 8, ▫ Search encompasses local files, Windows Store & online content ▫ Can set reminders ▫ Can initiate contact (e.g. write emails) • Cortana Databases (EDBs): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Windows.Cortana_xxxxAp pDataIndexed DBIndexedDB.edb ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Windows.Cortana_xxxxLoc alStateESEDatabase_CortanaCoreInstanceCortanaCireDb.dat  Interesting Tables:  LocationTriggers ▫ Latitude/Longitude and Name of place results  Geofences ▫ Latitude/Longitude for where location based reminders are triggered  Reminders ▫ Creation and completion time (UNIX numeric value)
  • 17. Cortana • The following databases contain a list of contacts synched from email accounts: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Windows.Cortana_xxxxLocalStateContacts_xxxxx.cfg ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Windows.Cortana_xxxxLocalStateContacts_xxxxx.cfg.tx t
  • 18. Notification Centre • The following databases contain a list of notifications: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsNotificationsappdb.dat  Toast notifications are stored in embedded XML
  • 19. Picture Password • “Picture Password” is an alternate login method where gestures on top of a picture are used as a password • This registry key details the path to the location of the “Picture Password” file: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrent VersionAuthenticationLogonUIPicturePassworduser_GUID • Path of locally stored Picture Password file: ▫ C:ProgramDataMicrosoftWindowsSystemDatauser_GUIDRe adOnlyPicturePasswordbackground.png
  • 21. Applications (Apps) • Applications (Apps) that utilise the Metro Modern UI are treated differently to programs that work in desktop mode • Apps are installed in the following directory: ▫ Program FilesWindowsApps • Settings and configuration DBs are located in following directories: ▫ Usersuser_nameAppDataLocalPackagespackage_nameLocalSt ate  Two DB formats:  SQLite DBs (.SQL)  Jet DBs (.EDB)
  • 22. Windows Store • Apps are purchased/installed via the Windows Store • During the Insider Preview their was a Beta Store which contained Windows 10 –compatible Apps (e.g. Microsoft Office Apps) • Registry key of installed applications: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionApp xAppxAllUserStoreApplications • List of deleted applications: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionApp xAppxAllUserStoreDeleted
  • 23. Edge Browser • New web browser and rendering engine (Spartan) • Same as IE10, records no longer stored in Index.DAT files, stored in EDB • Edge settings are stored in the following file: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxxACMicroso ftEdgeUserDefaultDataStoreDatanouser1xxxxxDBStorespartan.edb • Edge cache stored in the following directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxAC#!001M icrosoftEdgeCache • Last active browsing session stored: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxACMicrosoft EdgeUserDefaultRecoveryActive
  • 24. Browser History Records • Edge (and IE) history records stored in the following database: ▫ Usersuser_nameAppDataLocalMicrosoftWind owsWebCacheWebCacheV01.dat  This is actually an .EDB file  Can be interpreted by EseDbViewer or ESEDatabaseView  Might be a “dirty” dismount, need to use esentutl.exe  Database also stores Cookies
  • 25. Internet Explorer (legacy) • Internet Cache stored in this directory: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsINetCache • Internet Cookies stored in this directory: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsINetCookies
  • 26. Email (Mail application) • Body of emails are stored in TXT or HTML format ▫ Can be analysed by a number of tools ▫ Stored in the following directory:  Usersuser_nameAppDataLocalCommsUnistoredata • Metadata of emails are stored in the following DB (EDB format): ▫ Usersuser_nameAppDataLocalCommsUnistoreDBstore.vol  Attachments  Email header  Contact information
  • 27. Unified Communication • Unified Communication (UC) is a built-in Microsoft application that brings together all of the following social media platforms (by default): ▫ Appears to be scaled back from Windows 8.x (less integrated as previous People App) • UC settings are stored in the following DB: ▫ Usersuser_nameAppDataLocalPackagesmicro soft.windowscommunicationsapps…LocalStatelivec omm.edb
  • 28. Unified Communication • Interesting Tables: ▫ Account  SourceID  List of accounts (e.g WL = Windows Live, Skype, TWITR, LI = LinkedIn)  DomainTag  Username for each account ▫ Contact  List of synched contacts across all account platforms ▫ Event  Calendar entries (including birthdays of contacts if synched to Windows Live) and locations ▫ MeContact  Further details about owner accounts ▫ Person and PersonLink  Further details about each contact including what account they link back to (e.g Skype)
  • 29. Unified Communication • Locally cached contact entries are stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesmicrosoft.windowscom municationsapps_xxxxxLocalStateIndexedLiveCommxxxxxxxxxx PeopleAddressBook • Contact photos are stored in this directory (JPGs): ▫ Usersuser_nameAppDataLocalPackagesmicrosoft.windowscom municationsapps_xxxxLocalStateLiveCommxxxxxxxxUserTiles
  • 30. Twitter App • History DB located in following file: ▫ Usersuser_nameAppDataLocalPackagesxxxx.Twitte r_xxxxxxxLocalStatetwitter_user_idtwitter.sqlite • SQLite3 format DB ▫ 11 Tables in DB  Relevant tables:  messages – holds tweets & DMs  search_queries – holds searches conducted in Twitter app by user  statuses – lists latest tweets from accounts being followed  users – lists user account and accounts being followed by user
  • 31. Twitter App • Settings located in file: ▫ Usersuser_nameAppDataLocalPackagesxx xxx.Twitter_xxxxSettingssettings.dat  Includes user name (@xxxxx)  Details on profile picture URL  Twitter ID number
  • 32. Skype App (legacy) • The Skype App was discontinued with Windows 10 ▫ Windows 10 prompts you to download the desktop Skype application
  • 33. OneDrive App • Built-in by default, API allows all programs to save files in OneDrive • List of Synced items located in file: ▫ Usersuser_nameAppDataLocalMicrosoftWind owsOneDrivesettingsxxxxxxxx.dat • Locally cached items are stored in directory: ▫ Usersuser_nameOneDrive
  • 34. Microsoft Office Apps • With the release of the Windows Insider program Microsoft introduced the Office Mobile Apps ▫ If you have a valid Office365 account then you can edit and create documents  Otherwise these Apps are read-only
  • 35. Word App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Word_xxxxLocalStateAppDataLocalOffice16.0 MruServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Word_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
  • 36. Excel App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Excel_xxxxLocalStateAppDataLocalOffice16.0 MruServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Excel_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
  • 37. PowerPoint App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Office. PowerPoint_xxxxLocalStateAppDataLocalOffice16.0Mru ServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Office. PowerPoint_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
  • 38. OneNote App • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Of fice.OneNote_xxxxLocalStateAppDataLocalOneNote1 6.0 • Files stored as xxxx.bin extension ▫ Encoded binary files ▫ Embedded graphics such as PNG or JPG
  • 39. Maps App • Recent places stored in this file (XML): ▫ Usersuser_nameAppDataLocalPackagesM icrosoft.WindowsMaps_xxxxLocalStateGraph xxxxMe00000000.ttl  Latitude/Longitude  Dates modified (searched)
  • 41. Memory Acquisition • WinPMEM (tested versions 1.6.2 & 2.0.1) ▫ Run as Administrator  Has to extract driver to local temp location  V1.6.2 running process ~10MB  V2.0.1 running process ~80MB • FTK Imager ▫ Run as Administrator  Running process ~15MB
  • 42. Live Disk Acquisition • FTK Imager ▫ Can be used for Physical or Logical acquisition • X-Ways Forensics ▫ Can be used for Physical or Logical acquisition
  • 43. Resources • FTK Imager ▫ http://accessdata.com/product-download?/support/product- downloads • Nirsoft ESEDatabaseView ▫ http://www.nirsoft.net/utils/ese_database_view.html • RegistryBrowser ▫ https://lockandcode.com/software/registry_browser • WinPMEM ▫ https://github.com/google/rekall/releases

Notas del editor

  1. Virtualising a stored image
  2. Connected WiFi networks   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\ \ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{5352E92B-EE0A-4E57-B761-A775DDE0A317}\
  3. Windows 10 shipped with IE11 (and Edge) - Legacy mode X-Ways can also interpret EDB
  4. Windows 8 shipped with IE10, now able to get IE11 X-Ways can also interpret EDB
  5. Cheat sheet