SlideShare a Scribd company logo

Windows 10 Forensics: OS Evidentiary Artefacts

Download as PPTX, PDF
Brent Muir
Brent Muir

OS and application forensic artefacts related to Windows 10.

Technology
1 of 43
Windows 10 Forensics OS Evidentiary Artefacts Version 1.5 (Build 10240) Brent Muir – 2015
Topics OS Artefacts : ▫ File Systems / Partitions ▫ Registry Hives ▫ Event Logs ▫ Prefetch ▫ Shellbags ▫ LNK Shortcuts ▫ Thumbcache ▫ Recycle Bin ▫ Volume Shadow Copies ▫ Windows Indexing Service ▫ Cortana (Search) ▫ Notification Centre ▫ Picture Password Application Artefacts: ▫ Windows Store ▫ Edge Browser (previously Spartan)  Legacy Internet Explorer ▫ Email (Mail application) ▫ Unified Communication  Twitter  Skype  OneDrive ▫ Microsoft Office Apps  Word  Excel  PowerPoint  OneNote ▫ Maps
Part 1
File Systems / Partitions • Supported File Systems: ▫ NTFS, Fat32, ExFat • Default Partition structure: ▫ “Windows” – core OS (NTFS) ▫ “Recovery” (NTFS) ▫ “Reserved” ▫ “System” – UEFI (Fat32) ▫ “Recovery Image” (NTFS)
Registry Hives • Registry hives format has not changed ▫ Can be examined with numerous tools (e.g. RegistryBrowser, RegistryViewer, X-Ways Forensics, etc.) • Location of important registry hives: ▫ Usersuser_nameNTUSER.DAT ▫ WindowsSystem32configDEFAULT ▫ WindowsSystem32configSAM ▫ WindowsSystem32configSECURITY ▫ WindowsSystem32configSOFTWARE ▫ WindowsSystem32configSYSTEM
Event Logs • EVTX log format has not changed ▫ Can be examined with numerous tools (e.g. X-Ways Forensics, etc.) • Location of EVTX logs: ▫ WindowsSystem32winevtLogs
Event Logs – Windows Store • WindowsSystem32winevtLogsMicrosoft- Windows-Store%4Operational.evtx Source EventID Category Function Microsoft- Windows-Install- Agent 2002 2001 Installing application Windows- ApplicationModel- Store-SDK 5 5 Search query strings (e.g. query=twitter)
Event Logs – Windows Store • WindowsSystem32winevtLogsMicrosoft- Windows-AppXDeploymentServer%4Operational.evtx Source EventID Category Function Microsoft- Windows- AppXDeploy ment-Server 10002 3 Application deployment
Prefetch • Location of Prefetch files: ▫ WindowsPrefetch
Shellbags • NTUSER.dat ▫ SOFTWAREMicrosoftWindowsShellBags • UsrClass.dat
LNK Shortcuts • LNK format has not changed ▫ Can be examined with numerous tools (e.g. X-Ways Forensics, etc.) • Useful fields: ▫ Hostname ▫ MAC Address ▫ Volume ID ▫ Owner SID ▫ MAC Times
Thumbcache • Location of Thumbcache files: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsExplorer
Recycle Bin • Recycle Bin artefacts have not changed ▫ $I  Still provides original file name and path ▫ $R  Original file
Volume Shadow Copies • vssadmin tool still provides list of current VSCs
Windows Indexing Service • Windows indexing service is an evidentiary gold mine ▫ Potentially storing emails and other binary items  Great as dictionary list for password cracking • Stored in an .EDB file ▫ Can be interpreted by EseDbViewer, ESEDatabaseView or X- Ways Forensics  If “dirty” dismount, need to use esentutl.exe • In Windows 10 stored in the following directory: ▫ C:ProgramDataMicrosoftSearchDataApplicationsWindo wsWindows.edb
Cortana • Windows 10 features “Cortana”, a personal assistant, which expands upon the unified search platform introduced in Windows 8, ▫ Search encompasses local files, Windows Store & online content ▫ Can set reminders ▫ Can initiate contact (e.g. write emails) • Cortana Databases (EDBs): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Windows.Cortana_xxxxAp pDataIndexed DBIndexedDB.edb ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Windows.Cortana_xxxxLoc alStateESEDatabase_CortanaCoreInstanceCortanaCireDb.dat  Interesting Tables:  LocationTriggers ▫ Latitude/Longitude and Name of place results  Geofences ▫ Latitude/Longitude for where location based reminders are triggered  Reminders ▫ Creation and completion time (UNIX numeric value)
Cortana • The following databases contain a list of contacts synched from email accounts: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Windows.Cortana_xxxxLocalStateContacts_xxxxx.cfg ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Windows.Cortana_xxxxLocalStateContacts_xxxxx.cfg.tx t
Notification Centre • The following databases contain a list of notifications: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsNotificationsappdb.dat  Toast notifications are stored in embedded XML
Picture Password • “Picture Password” is an alternate login method where gestures on top of a picture are used as a password • This registry key details the path to the location of the “Picture Password” file: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrent VersionAuthenticationLogonUIPicturePassworduser_GUID • Path of locally stored Picture Password file: ▫ C:ProgramDataMicrosoftWindowsSystemDatauser_GUIDRe adOnlyPicturePasswordbackground.png
Part 2
Applications (Apps) • Applications (Apps) that utilise the Metro Modern UI are treated differently to programs that work in desktop mode • Apps are installed in the following directory: ▫ Program FilesWindowsApps • Settings and configuration DBs are located in following directories: ▫ Usersuser_nameAppDataLocalPackagespackage_nameLocalSt ate  Two DB formats:  SQLite DBs (.SQL)  Jet DBs (.EDB)
Windows Store • Apps are purchased/installed via the Windows Store • During the Insider Preview their was a Beta Store which contained Windows 10 –compatible Apps (e.g. Microsoft Office Apps) • Registry key of installed applications: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionApp xAppxAllUserStoreApplications • List of deleted applications: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionApp xAppxAllUserStoreDeleted
Edge Browser • New web browser and rendering engine (Spartan) • Same as IE10, records no longer stored in Index.DAT files, stored in EDB • Edge settings are stored in the following file: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxxACMicroso ftEdgeUserDefaultDataStoreDatanouser1xxxxxDBStorespartan.edb • Edge cache stored in the following directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxAC#!001M icrosoftEdgeCache • Last active browsing session stored: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxACMicrosoft EdgeUserDefaultRecoveryActive
Browser History Records • Edge (and IE) history records stored in the following database: ▫ Usersuser_nameAppDataLocalMicrosoftWind owsWebCacheWebCacheV01.dat  This is actually an .EDB file  Can be interpreted by EseDbViewer or ESEDatabaseView  Might be a “dirty” dismount, need to use esentutl.exe  Database also stores Cookies
Internet Explorer (legacy) • Internet Cache stored in this directory: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsINetCache • Internet Cookies stored in this directory: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsINetCookies
Email (Mail application) • Body of emails are stored in TXT or HTML format ▫ Can be analysed by a number of tools ▫ Stored in the following directory:  Usersuser_nameAppDataLocalCommsUnistoredata • Metadata of emails are stored in the following DB (EDB format): ▫ Usersuser_nameAppDataLocalCommsUnistoreDBstore.vol  Attachments  Email header  Contact information
Unified Communication • Unified Communication (UC) is a built-in Microsoft application that brings together all of the following social media platforms (by default): ▫ Appears to be scaled back from Windows 8.x (less integrated as previous People App) • UC settings are stored in the following DB: ▫ Usersuser_nameAppDataLocalPackagesmicro soft.windowscommunicationsapps…LocalStatelivec omm.edb
Unified Communication • Interesting Tables: ▫ Account  SourceID  List of accounts (e.g WL = Windows Live, Skype, TWITR, LI = LinkedIn)  DomainTag  Username for each account ▫ Contact  List of synched contacts across all account platforms ▫ Event  Calendar entries (including birthdays of contacts if synched to Windows Live) and locations ▫ MeContact  Further details about owner accounts ▫ Person and PersonLink  Further details about each contact including what account they link back to (e.g Skype)
Unified Communication • Locally cached contact entries are stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesmicrosoft.windowscom municationsapps_xxxxxLocalStateIndexedLiveCommxxxxxxxxxx PeopleAddressBook • Contact photos are stored in this directory (JPGs): ▫ Usersuser_nameAppDataLocalPackagesmicrosoft.windowscom municationsapps_xxxxLocalStateLiveCommxxxxxxxxUserTiles
Twitter App • History DB located in following file: ▫ Usersuser_nameAppDataLocalPackagesxxxx.Twitte r_xxxxxxxLocalStatetwitter_user_idtwitter.sqlite • SQLite3 format DB ▫ 11 Tables in DB  Relevant tables:  messages – holds tweets & DMs  search_queries – holds searches conducted in Twitter app by user  statuses – lists latest tweets from accounts being followed  users – lists user account and accounts being followed by user
Twitter App • Settings located in file: ▫ Usersuser_nameAppDataLocalPackagesxx xxx.Twitter_xxxxSettingssettings.dat  Includes user name (@xxxxx)  Details on profile picture URL  Twitter ID number
Skype App (legacy) • The Skype App was discontinued with Windows 10 ▫ Windows 10 prompts you to download the desktop Skype application
OneDrive App • Built-in by default, API allows all programs to save files in OneDrive • List of Synced items located in file: ▫ Usersuser_nameAppDataLocalMicrosoftWind owsOneDrivesettingsxxxxxxxx.dat • Locally cached items are stored in directory: ▫ Usersuser_nameOneDrive
Microsoft Office Apps • With the release of the Windows Insider program Microsoft introduced the Office Mobile Apps ▫ If you have a valid Office365 account then you can edit and create documents  Otherwise these Apps are read-only
Word App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Word_xxxxLocalStateAppDataLocalOffice16.0 MruServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Word_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
Excel App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Excel_xxxxLocalStateAppDataLocalOffice16.0 MruServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Excel_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
PowerPoint App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Office. PowerPoint_xxxxLocalStateAppDataLocalOffice16.0Mru ServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Office. PowerPoint_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
OneNote App • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Of fice.OneNote_xxxxLocalStateAppDataLocalOneNote1 6.0 • Files stored as xxxx.bin extension ▫ Encoded binary files ▫ Embedded graphics such as PNG or JPG
Maps App • Recent places stored in this file (XML): ▫ Usersuser_nameAppDataLocalPackagesM icrosoft.WindowsMaps_xxxxLocalStateGraph xxxxMe00000000.ttl  Latitude/Longitude  Dates modified (searched)
Part 3
Memory Acquisition • WinPMEM (tested versions 1.6.2 & 2.0.1) ▫ Run as Administrator  Has to extract driver to local temp location  V1.6.2 running process ~10MB  V2.0.1 running process ~80MB • FTK Imager ▫ Run as Administrator  Running process ~15MB
Live Disk Acquisition • FTK Imager ▫ Can be used for Physical or Logical acquisition • X-Ways Forensics ▫ Can be used for Physical or Logical acquisition
Resources • FTK Imager ▫ http://accessdata.com/product-download?/support/product- downloads • Nirsoft ESEDatabaseView ▫ http://www.nirsoft.net/utils/ese_database_view.html • RegistryBrowser ▫ https://lockandcode.com/software/registry_browser • WinPMEM ▫ https://github.com/google/rekall/releases

Recommended

Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensicsTaha İslam YILMAZ
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicCTIN
 
Windows forensic
Windows forensicWindows forensic
Windows forensicMD SAQUIB KHAN
 
Email investigation
Email investigationEmail investigation
Email investigationAnimesh Shaw
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 

Recommended

Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensicsTaha İslam YILMAZ
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicCTIN
 
Windows forensic
Windows forensicWindows forensic
Windows forensicMD SAQUIB KHAN
 
Email investigation
Email investigationEmail investigation
Email investigationAnimesh Shaw
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registrysomutripathi
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifactsn|u - The Open Security Community
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory ForensicsAndrew Case
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx9905234521
 
Forensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsForensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsGol D Roger
 
Log Analysis
Log AnalysisLog Analysis
Log AnalysisNSConclave
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Windows File Systems
Windows File SystemsWindows File Systems
Windows File Systemsprimeteacher32
 
Module 02 ftk imager
Module 02 ftk imagerModule 02 ftk imager
Module 02 ftk imagerParminderKaurBScHons
 
Windows Registry
Windows RegistryWindows Registry
Windows Registryprimeteacher32
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensicsn|u - The Open Security Community
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisitionprimeteacher32
 
Understanding the Event Log
Understanding the Event LogUnderstanding the Event Log
Understanding the Event Logchuckbt
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
1. Mobile Application (In)security
1. Mobile Application (In)security1. Mobile Application (In)security
1. Mobile Application (In)securitySam Bowne
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics abdullah roomi
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer ForensicsOne97 Communications Limited
 
Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3CTIN
 
Raidprep
RaidprepRaidprep
RaidprepCTIN
 

More Related Content

What's hot

Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registrysomutripathi
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory ForensicsAndrew Case
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx9905234521
 
Forensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsForensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsGol D Roger
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Understanding the Event Log
Understanding the Event LogUnderstanding the Event Log
Understanding the Event Logchuckbt
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
1. Mobile Application (In)security
1. Mobile Application (In)security1. Mobile Application (In)security
1. Mobile Application (In)securitySam Bowne
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 

What's hot (20)

Computer Forensics & Windows Registry
Computer Forensics & Windows RegistryComputer Forensics & Windows Registry
Computer Forensics & Windows Registry
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx
 
Forensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsForensic artifacts in modern linux systems
Forensic artifacts in modern linux systems
 
Log Analysis
Log AnalysisLog Analysis
Log Analysis
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Windows File Systems
Windows File SystemsWindows File Systems
Windows File Systems
 
Module 02 ftk imager
Module 02 ftk imagerModule 02 ftk imager
Module 02 ftk imager
 
Windows Registry
Windows RegistryWindows Registry
Windows Registry
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisition
 
Understanding the Event Log
Understanding the Event LogUnderstanding the Event Log
Understanding the Event Log
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
 
1. Mobile Application (In)security
1. Mobile Application (In)security1. Mobile Application (In)security
1. Mobile Application (In)security
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics
 
Computer Forensics
Computer ForensicsComputer Forensics
Computer Forensics
 

Viewers also liked

Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3CTIN
 
Raidprep
RaidprepRaidprep
RaidprepCTIN
 
File Management Presentation
File Management PresentationFile Management Presentation
File Management PresentationSgtMasterGunz
 
www.indonezia.net Hacking Windows Registry
www.indonezia.net Hacking Windows Registrywww.indonezia.net Hacking Windows Registry
www.indonezia.net Hacking Windows RegistryChandra Pr. Singh
 
Computer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP KhartoumComputer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP KhartoumOWASP Khartoum
 
F Database
F DatabaseF Database
F DatabaseCTIN
 
Forensic Anaysis on Twitter
Forensic Anaysis on TwitterForensic Anaysis on Twitter
Forensic Anaysis on TwitterYansi Keim
 
Live Forensics
Live ForensicsLive Forensics
Live ForensicsCTIN
 
Sleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKINGSleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKINGEduardo Chavarro
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaCTIN
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierBasis Technology
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformAutopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformBasis Technology
 
Become an Internet Sleuth!
Become an Internet Sleuth!Become an Internet Sleuth!
Become an Internet Sleuth!Nearpod
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XPRupesh Kumar
 
Part6 Private Sector Concerns
Part6 Private Sector ConcernsPart6 Private Sector Concerns
Part6 Private Sector ConcernsCTIN
 

Viewers also liked (20)

Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3
 
Raidprep
RaidprepRaidprep
Raidprep
 
File Management Presentation
File Management PresentationFile Management Presentation
File Management Presentation
 
Cheatsheet of msdos
Cheatsheet of msdosCheatsheet of msdos
Cheatsheet of msdos
 
www.indonezia.net Hacking Windows Registry
www.indonezia.net Hacking Windows Registrywww.indonezia.net Hacking Windows Registry
www.indonezia.net Hacking Windows Registry
 
Computer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP KhartoumComputer forensic 101 - OWASP Khartoum
Computer forensic 101 - OWASP Khartoum
 
Windows Forensics
Windows ForensicsWindows Forensics
Windows Forensics
 
F Database
F DatabaseF Database
F Database
 
Forensic Anaysis on Twitter
Forensic Anaysis on TwitterForensic Anaysis on Twitter
Forensic Anaysis on Twitter
 
Live Forensics
Live ForensicsLive Forensics
Live Forensics
 
Sleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKINGSleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKING
 
Netcat cheat sheet
Netcat cheat sheetNetcat cheat sheet
Netcat cheat sheet
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensics
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics PlatformAutopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
 
Become an Internet Sleuth!
Become an Internet Sleuth!Become an Internet Sleuth!
Become an Internet Sleuth!
 
File system
File systemFile system
File system
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XP
 
Part6 Private Sector Concerns
Part6 Private Sector ConcernsPart6 Private Sector Concerns
Part6 Private Sector Concerns
 

Similar to Windows 10 Forensics: OS Evidentiary Artefacts

Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Brent Muir
 
Windows RT Evidentiary Artefacts 1.0
Windows RT Evidentiary Artefacts 1.0Windows RT Evidentiary Artefacts 1.0
Windows RT Evidentiary Artefacts 1.0Brent Muir
 
Extracting and analyzing browser,email and IM artifacts
Extracting and analyzing browser,email and IM artifactsExtracting and analyzing browser,email and IM artifacts
Extracting and analyzing browser,email and IM artifactsMarco Alamanni
 
Vista Forensics
Vista ForensicsVista Forensics
Vista ForensicsCTIN
 
CNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsCNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsSam Bowne
 
Windows 10 Data Recovery
Windows 10 Data RecoveryWindows 10 Data Recovery
Windows 10 Data RecoveryRemo Recover
 
IIS 6 - General System Administration Overview
IIS 6 - General System Administration OverviewIIS 6 - General System Administration Overview
IIS 6 - General System Administration OverviewInformation Technology
 
Unesco information storage and retrievals tools
Unesco information storage and retrievals toolsUnesco information storage and retrievals tools
Unesco information storage and retrievals toolsLiaquat Rahoo
 
Bri forum advanced web interface customizations
Bri forum advanced web interface customizationsBri forum advanced web interface customizations
Bri forum advanced web interface customizationsCCOSTAN
 
Vistaceic2007 from CEIC 2007
Vistaceic2007 from CEIC 2007Vistaceic2007 from CEIC 2007
Vistaceic2007 from CEIC 2007KarlFrank99
 
Internet Explorer 8
Internet Explorer 8Internet Explorer 8
Internet Explorer 8David Chou
 
CNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsCNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsSam Bowne
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxJohnnyPlasten
 
Implemeting Sencha Ext JS in Drupal
Implemeting Sencha Ext JS in Drupal Implemeting Sencha Ext JS in Drupal
Implemeting Sencha Ext JS in Drupaldrupalsydney
 
CNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsCNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsSam Bowne
 

Similar to Windows 10 Forensics: OS Evidentiary Artefacts (20)

Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0
 
Windows RT Evidentiary Artefacts 1.0
Windows RT Evidentiary Artefacts 1.0Windows RT Evidentiary Artefacts 1.0
Windows RT Evidentiary Artefacts 1.0
 
WindowsRegistry.ppt
WindowsRegistry.pptWindowsRegistry.ppt
WindowsRegistry.ppt
 
Extracting and analyzing browser,email and IM artifacts
Extracting and analyzing browser,email and IM artifactsExtracting and analyzing browser,email and IM artifacts
Extracting and analyzing browser,email and IM artifacts
 
Vista Forensics
Vista ForensicsVista Forensics
Vista Forensics
 
CNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating ApplicationsCNIT 121: 14 Investigating Applications
CNIT 121: 14 Investigating Applications
 
Windows 10 Data Recovery
Windows 10 Data RecoveryWindows 10 Data Recovery
Windows 10 Data Recovery
 
IIS 6 - General System Administration Overview
IIS 6 - General System Administration OverviewIIS 6 - General System Administration Overview
IIS 6 - General System Administration Overview
 
windows.pptx
windows.pptxwindows.pptx
windows.pptx
 
Scaling / optimizing search on netlog
Scaling / optimizing search on netlogScaling / optimizing search on netlog
Scaling / optimizing search on netlog
 
Unesco information storage and retrievals tools
Unesco information storage and retrievals toolsUnesco information storage and retrievals tools
Unesco information storage and retrievals tools
 
Bri forum advanced web interface customizations
Bri forum advanced web interface customizationsBri forum advanced web interface customizations
Bri forum advanced web interface customizations
 
Vistaceic2007 from CEIC 2007
Vistaceic2007 from CEIC 2007Vistaceic2007 from CEIC 2007
Vistaceic2007 from CEIC 2007
 
Where to save my data, for devs!
Where to save my data, for devs!Where to save my data, for devs!
Where to save my data, for devs!
 
Internet Explorer 8
Internet Explorer 8Internet Explorer 8
Internet Explorer 8
 
CNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsCNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X Systems
 
Windows 1809 Timeline
Windows 1809 TimelineWindows 1809 Timeline
Windows 1809 Timeline
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptx
 
Implemeting Sencha Ext JS in Drupal
Implemeting Sencha Ext JS in Drupal Implemeting Sencha Ext JS in Drupal
Implemeting Sencha Ext JS in Drupal
 
CNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsCNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X Systems
 

More from Brent Muir

Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Brent Muir
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5Brent Muir
 
Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Brent Muir
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingBrent Muir
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolBrent Muir
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service AttacksBrent Muir
 
RFID Privacy & Security Issues
RFID Privacy & Security IssuesRFID Privacy & Security Issues
RFID Privacy & Security IssuesBrent Muir
 
TOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying MarkersTOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying MarkersBrent Muir
 
Malware SPAM - March 2013
Malware SPAM - March 2013Malware SPAM - March 2013
Malware SPAM - March 2013Brent Muir
 
Malware Spam February 2013
Malware Spam February 2013Malware Spam February 2013
Malware Spam February 2013Brent Muir
 
Booting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual boxBooting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual boxBrent Muir
 
Malware SPAM - January 2013
Malware SPAM - January 2013Malware SPAM - January 2013
Malware SPAM - January 2013Brent Muir
 
Trying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingTrying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingBrent Muir
 

More from Brent Muir (14)

Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5
 
Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)Ducky USB - Indicators of Compromise (IOCs)
Ducky USB - Indicators of Compromise (IOCs)
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage Tool
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service Attacks
 
RFID Privacy & Security Issues
RFID Privacy & Security IssuesRFID Privacy & Security Issues
RFID Privacy & Security Issues
 
TOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying MarkersTOR Packet Analysis - Locating Identifying Markers
TOR Packet Analysis - Locating Identifying Markers
 
Malware SPAM - March 2013
Malware SPAM - March 2013Malware SPAM - March 2013
Malware SPAM - March 2013
 
Malware Spam February 2013
Malware Spam February 2013Malware Spam February 2013
Malware Spam February 2013
 
Booting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual boxBooting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual box
 
Malware SPAM - January 2013
Malware SPAM - January 2013Malware SPAM - January 2013
Malware SPAM - January 2013
 
Trying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingTrying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computing
 

Recently uploaded

ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityVictorSzoltysek
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringWSO2
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformWSO2
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 

Recently uploaded (20)

ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 

Windows 10 Forensics: OS Evidentiary Artefacts

  • 1. Windows 10 Forensics OS Evidentiary Artefacts Version 1.5 (Build 10240) Brent Muir – 2015
  • 2. Topics OS Artefacts : ▫ File Systems / Partitions ▫ Registry Hives ▫ Event Logs ▫ Prefetch ▫ Shellbags ▫ LNK Shortcuts ▫ Thumbcache ▫ Recycle Bin ▫ Volume Shadow Copies ▫ Windows Indexing Service ▫ Cortana (Search) ▫ Notification Centre ▫ Picture Password Application Artefacts: ▫ Windows Store ▫ Edge Browser (previously Spartan)  Legacy Internet Explorer ▫ Email (Mail application) ▫ Unified Communication  Twitter  Skype  OneDrive ▫ Microsoft Office Apps  Word  Excel  PowerPoint  OneNote ▫ Maps
  • 4. File Systems / Partitions • Supported File Systems: ▫ NTFS, Fat32, ExFat • Default Partition structure: ▫ “Windows” – core OS (NTFS) ▫ “Recovery” (NTFS) ▫ “Reserved” ▫ “System” – UEFI (Fat32) ▫ “Recovery Image” (NTFS)
  • 5. Registry Hives • Registry hives format has not changed ▫ Can be examined with numerous tools (e.g. RegistryBrowser, RegistryViewer, X-Ways Forensics, etc.) • Location of important registry hives: ▫ Usersuser_nameNTUSER.DAT ▫ WindowsSystem32configDEFAULT ▫ WindowsSystem32configSAM ▫ WindowsSystem32configSECURITY ▫ WindowsSystem32configSOFTWARE ▫ WindowsSystem32configSYSTEM
  • 6. Event Logs • EVTX log format has not changed ▫ Can be examined with numerous tools (e.g. X-Ways Forensics, etc.) • Location of EVTX logs: ▫ WindowsSystem32winevtLogs
  • 7. Event Logs – Windows Store • WindowsSystem32winevtLogsMicrosoft- Windows-Store%4Operational.evtx Source EventID Category Function Microsoft- Windows-Install- Agent 2002 2001 Installing application Windows- ApplicationModel- Store-SDK 5 5 Search query strings (e.g. query=twitter)
  • 8. Event Logs – Windows Store • WindowsSystem32winevtLogsMicrosoft- Windows-AppXDeploymentServer%4Operational.evtx Source EventID Category Function Microsoft- Windows- AppXDeploy ment-Server 10002 3 Application deployment
  • 9. Prefetch • Location of Prefetch files: ▫ WindowsPrefetch
  • 11. LNK Shortcuts • LNK format has not changed ▫ Can be examined with numerous tools (e.g. X-Ways Forensics, etc.) • Useful fields: ▫ Hostname ▫ MAC Address ▫ Volume ID ▫ Owner SID ▫ MAC Times
  • 12. Thumbcache • Location of Thumbcache files: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsExplorer
  • 13. Recycle Bin • Recycle Bin artefacts have not changed ▫ $I  Still provides original file name and path ▫ $R  Original file
  • 14. Volume Shadow Copies • vssadmin tool still provides list of current VSCs
  • 15. Windows Indexing Service • Windows indexing service is an evidentiary gold mine ▫ Potentially storing emails and other binary items  Great as dictionary list for password cracking • Stored in an .EDB file ▫ Can be interpreted by EseDbViewer, ESEDatabaseView or X- Ways Forensics  If “dirty” dismount, need to use esentutl.exe • In Windows 10 stored in the following directory: ▫ C:ProgramDataMicrosoftSearchDataApplicationsWindo wsWindows.edb
  • 16. Cortana • Windows 10 features “Cortana”, a personal assistant, which expands upon the unified search platform introduced in Windows 8, ▫ Search encompasses local files, Windows Store & online content ▫ Can set reminders ▫ Can initiate contact (e.g. write emails) • Cortana Databases (EDBs): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Windows.Cortana_xxxxAp pDataIndexed DBIndexedDB.edb ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Windows.Cortana_xxxxLoc alStateESEDatabase_CortanaCoreInstanceCortanaCireDb.dat  Interesting Tables:  LocationTriggers ▫ Latitude/Longitude and Name of place results  Geofences ▫ Latitude/Longitude for where location based reminders are triggered  Reminders ▫ Creation and completion time (UNIX numeric value)
  • 17. Cortana • The following databases contain a list of contacts synched from email accounts: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Windows.Cortana_xxxxLocalStateContacts_xxxxx.cfg ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Windows.Cortana_xxxxLocalStateContacts_xxxxx.cfg.tx t
  • 18. Notification Centre • The following databases contain a list of notifications: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsNotificationsappdb.dat  Toast notifications are stored in embedded XML
  • 19. Picture Password • “Picture Password” is an alternate login method where gestures on top of a picture are used as a password • This registry key details the path to the location of the “Picture Password” file: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrent VersionAuthenticationLogonUIPicturePassworduser_GUID • Path of locally stored Picture Password file: ▫ C:ProgramDataMicrosoftWindowsSystemDatauser_GUIDRe adOnlyPicturePasswordbackground.png
  • 21. Applications (Apps) • Applications (Apps) that utilise the Metro Modern UI are treated differently to programs that work in desktop mode • Apps are installed in the following directory: ▫ Program FilesWindowsApps • Settings and configuration DBs are located in following directories: ▫ Usersuser_nameAppDataLocalPackagespackage_nameLocalSt ate  Two DB formats:  SQLite DBs (.SQL)  Jet DBs (.EDB)
  • 22. Windows Store • Apps are purchased/installed via the Windows Store • During the Insider Preview their was a Beta Store which contained Windows 10 –compatible Apps (e.g. Microsoft Office Apps) • Registry key of installed applications: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionApp xAppxAllUserStoreApplications • List of deleted applications: ▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionApp xAppxAllUserStoreDeleted
  • 23. Edge Browser • New web browser and rendering engine (Spartan) • Same as IE10, records no longer stored in Index.DAT files, stored in EDB • Edge settings are stored in the following file: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxxACMicroso ftEdgeUserDefaultDataStoreDatanouser1xxxxxDBStorespartan.edb • Edge cache stored in the following directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxAC#!001M icrosoftEdgeCache • Last active browsing session stored: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxACMicrosoft EdgeUserDefaultRecoveryActive
  • 24. Browser History Records • Edge (and IE) history records stored in the following database: ▫ Usersuser_nameAppDataLocalMicrosoftWind owsWebCacheWebCacheV01.dat  This is actually an .EDB file  Can be interpreted by EseDbViewer or ESEDatabaseView  Might be a “dirty” dismount, need to use esentutl.exe  Database also stores Cookies
  • 25. Internet Explorer (legacy) • Internet Cache stored in this directory: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsINetCache • Internet Cookies stored in this directory: ▫ Usersuser_nameAppDataLocalMicrosoftW indowsINetCookies
  • 26. Email (Mail application) • Body of emails are stored in TXT or HTML format ▫ Can be analysed by a number of tools ▫ Stored in the following directory:  Usersuser_nameAppDataLocalCommsUnistoredata • Metadata of emails are stored in the following DB (EDB format): ▫ Usersuser_nameAppDataLocalCommsUnistoreDBstore.vol  Attachments  Email header  Contact information
  • 27. Unified Communication • Unified Communication (UC) is a built-in Microsoft application that brings together all of the following social media platforms (by default): ▫ Appears to be scaled back from Windows 8.x (less integrated as previous People App) • UC settings are stored in the following DB: ▫ Usersuser_nameAppDataLocalPackagesmicro soft.windowscommunicationsapps…LocalStatelivec omm.edb
  • 28. Unified Communication • Interesting Tables: ▫ Account  SourceID  List of accounts (e.g WL = Windows Live, Skype, TWITR, LI = LinkedIn)  DomainTag  Username for each account ▫ Contact  List of synched contacts across all account platforms ▫ Event  Calendar entries (including birthdays of contacts if synched to Windows Live) and locations ▫ MeContact  Further details about owner accounts ▫ Person and PersonLink  Further details about each contact including what account they link back to (e.g Skype)
  • 29. Unified Communication • Locally cached contact entries are stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesmicrosoft.windowscom municationsapps_xxxxxLocalStateIndexedLiveCommxxxxxxxxxx PeopleAddressBook • Contact photos are stored in this directory (JPGs): ▫ Usersuser_nameAppDataLocalPackagesmicrosoft.windowscom municationsapps_xxxxLocalStateLiveCommxxxxxxxxUserTiles
  • 30. Twitter App • History DB located in following file: ▫ Usersuser_nameAppDataLocalPackagesxxxx.Twitte r_xxxxxxxLocalStatetwitter_user_idtwitter.sqlite • SQLite3 format DB ▫ 11 Tables in DB  Relevant tables:  messages – holds tweets & DMs  search_queries – holds searches conducted in Twitter app by user  statuses – lists latest tweets from accounts being followed  users – lists user account and accounts being followed by user
  • 31. Twitter App • Settings located in file: ▫ Usersuser_nameAppDataLocalPackagesxx xxx.Twitter_xxxxSettingssettings.dat  Includes user name (@xxxxx)  Details on profile picture URL  Twitter ID number
  • 32. Skype App (legacy) • The Skype App was discontinued with Windows 10 ▫ Windows 10 prompts you to download the desktop Skype application
  • 33. OneDrive App • Built-in by default, API allows all programs to save files in OneDrive • List of Synced items located in file: ▫ Usersuser_nameAppDataLocalMicrosoftWind owsOneDrivesettingsxxxxxxxx.dat • Locally cached items are stored in directory: ▫ Usersuser_nameOneDrive
  • 34. Microsoft Office Apps • With the release of the Windows Insider program Microsoft introduced the Office Mobile Apps ▫ If you have a valid Office365 account then you can edit and create documents  Otherwise these Apps are read-only
  • 35. Word App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Word_xxxxLocalStateAppDataLocalOffice16.0 MruServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Word_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
  • 36. Excel App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Excel_xxxxLocalStateAppDataLocalOffice16.0 MruServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft. Office.Excel_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
  • 37. PowerPoint App • List of recent documents stored in the following file (XML): ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Office. PowerPoint_xxxxLocalStateAppDataLocalOffice16.0Mru ServiceCachexxxx_LiveIdExcelDocuments_en-AU • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Office. PowerPoint_xxxxLocalStateOfficeFileCache  Files stored as .FSD extension  actually data embedded  Can be manually carved from FSD file
  • 38. OneNote App • Cached files stored in this directory: ▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Of fice.OneNote_xxxxLocalStateAppDataLocalOneNote1 6.0 • Files stored as xxxx.bin extension ▫ Encoded binary files ▫ Embedded graphics such as PNG or JPG
  • 39. Maps App • Recent places stored in this file (XML): ▫ Usersuser_nameAppDataLocalPackagesM icrosoft.WindowsMaps_xxxxLocalStateGraph xxxxMe00000000.ttl  Latitude/Longitude  Dates modified (searched)
  • 41. Memory Acquisition • WinPMEM (tested versions 1.6.2 & 2.0.1) ▫ Run as Administrator  Has to extract driver to local temp location  V1.6.2 running process ~10MB  V2.0.1 running process ~80MB • FTK Imager ▫ Run as Administrator  Running process ~15MB
  • 42. Live Disk Acquisition • FTK Imager ▫ Can be used for Physical or Logical acquisition • X-Ways Forensics ▫ Can be used for Physical or Logical acquisition
  • 43. Resources • FTK Imager ▫ http://accessdata.com/product-download?/support/product- downloads • Nirsoft ESEDatabaseView ▫ http://www.nirsoft.net/utils/ese_database_view.html • RegistryBrowser ▫ https://lockandcode.com/software/registry_browser • WinPMEM ▫ https://github.com/google/rekall/releases

Editor's Notes

  1. Virtualising a stored image
  2. Connected WiFi networks   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\ \ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{5352E92B-EE0A-4E57-B761-A775DDE0A317}\
  3. Windows 10 shipped with IE11 (and Edge) - Legacy mode X-Ways can also interpret EDB
  4. Windows 8 shipped with IE10, now able to get IE11 X-Ways can also interpret EDB
  5. Cheat sheet