Windows RT Evidentiary Artefacts 1.0

OS Evidentiary Artefacts
Version 1.0

Brent Muir – 2013          http://au.linkedin.com/in/brentmuir
 • File Systems / Partitions
 • Registry Hives
 • Email (Mail application)
 • Internet Explorer
 • Unified Communication
 • 3rd Party Applications
 • Picture Password
File Systems / Partitions
 • Supported file systems: NTFS, FAT32, exFAT
 • Default partition structure:
     “Windows” – core OS (NTFS)
     “Recovery” (NTFS)
     “Reserved”
     “System” – UEFI (FAT32)
     “Recovery Image” (NTFS)
Registry Hives
 • Registry hives are a standard format
     Can be examined with numerous tools (e.g. RegistryBrowser, Registry Viewer, etc.)
 • Location of important registry hives:
     ▪ Users\user_name\NTUSER.DAT
     ▪ Windows\System32\config\DEFAULT
     ▪ Windows\System32\config\SAM
     ▪ Windows\System32\config\SECURITY
     ▪ Windows\System32\config\SOFTWARE
     ▪ Windows\System32\config\SYSTEM
Email (Mail application)
 • Emails & contacts are stored in .EML format
     Can be analysed by a number of tools
 • Stored in the following directory:
     Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps...\LocalState
Internet Explorer
 • No longer stored in Index.dat files
 • IE history records stored in the following file:
     Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
     ▪ This is actually an .edb file
       ▪ Can be interpreted by EseDbViewer or ESEDatabaseView
Unified Communication
 • Unified Communication (UC) is a built-in Microsoft application that brings together all of the following social media platforms (by default):
     Facebook, Flickr, Google, LinkedIn, MySpace, Sina Weibo, Twitter, Outlook, Messenger, Hotmail, Skype, Yahoo!, QQ, AOL, Yahoo! JAPAN, Orange
 • UC settings are stored in the following DB:
     Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps…\LocalState\livecomm.edb
 • Locally cached entries (e.g. Email or Twitter messages) are stored in this directory:
     Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps…\LocalState\Indexed\LiveComm
3rd Party Applications
 • 3rd party applications are stored in the following directory:
     Program Files\WindowsApps
 • Settings and configuration DBs are located in the following directories:
     Users\user_name\AppData\Local\Packages\package_name\LocalState
     Two DB formats:
     ▪ SQLite DBs
     ▪ Jet DBs (.edb)
 • Registry key of installed applications:
     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications
Picture Password
 • “Picture Password” is an alternate login method where gestures on top of a picture are used as a password
 • This registry key details the path to the location of the “Picture Password” file:
     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\PicturePassword\user_GUID
 • Path of locally stored Picture Password file:
     C:\ProgramData\Microsoft\Windows\SystemData\user_GUID\ReadOnly\PicturePassword\background.png
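As an added triage example (not code from the slides), the following Python script walks a mounted image root for the artefact paths listed on the slides above (registry hives, Mail/UC LocalState, WebCacheV01.dat, per-package LocalState DBs, the Picture Password background) and identifies each file's container format from its header bytes. The image-root layout, the user name "alice" and the sample files it builds are constructed assumptions for a dry run.

```python
import glob, hashlib, os, tempfile

# Header signatures: SQLite files begin "SQLite format 3\0", ESE/Jet (.edb) files carry 0x89ABCDEF at offset 4, registry hives begin "regf".
SQLITE_SIG = b"SQLite format 3\x00"
ESE_SIG = b"\xef\xcd\xab\x89"
HIVE_SIG = b"regf"

def classify(path):
    """Return 'sqlite', 'ese', 'hive' or 'unknown' from the first 16 bytes."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head.startswith(SQLITE_SIG):
        return "sqlite"
    if head[4:8] == ESE_SIG:
        return "ese"
    return "hive" if head.startswith(HIVE_SIG) else "unknown"

def artefact_patterns(user):
    """(label, glob relative to the image root) for each artefact on the slides."""
    u = os.path.join("Users", user)
    pkgs = os.path.join(u, "AppData", "Local", "Packages")
    cfg = os.path.join("Windows", "System32", "config")
    pats = [("NTUSER.DAT", os.path.join(u, "NTUSER.DAT"))]
    pats += [(h, os.path.join(cfg, h)) for h in ("DEFAULT", "SAM", "SECURITY", "SOFTWARE", "SYSTEM")]
    pats += [
        ("Mail/UC LocalState", os.path.join(pkgs, "microsoft.windowscommunicationsapps*", "LocalState", "*.edb")),
        ("IE WebCache", os.path.join(u, "AppData", "Local", "Microsoft", "Windows", "WebCache", "WebCacheV01.dat")),
        ("App settings DBs", os.path.join(pkgs, "*", "LocalState", "*")),
        ("Picture Password", os.path.join("ProgramData", "Microsoft", "Windows", "SystemData", "*", "ReadOnly", "PicturePassword", "background.png")),
    ]
    return pats

def triage(root, user):
    """Map each label to [(relative path, format, sha256)] for the files present."""
    out = {}
    for label, pat in artefact_patterns(user):
        hits = []
        for p in filter(os.path.isfile, sorted(glob.glob(os.path.join(root, pat)))):
            with open(p, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hits.append((os.path.relpath(p, root), classify(p), digest))
        out[label] = hits
    return out

def build_sample_image(root):  # constructed mini image: header bytes only, no real data
    files = {
        "Windows/System32/config/SAM": HIVE_SIG + b"\0" * 12,
        "Users/alice/AppData/Local/Microsoft/Windows/WebCache/WebCacheV01.dat": b"\0" * 4 + ESE_SIG + b"\0" * 8,
        "Users/alice/AppData/Local/Packages/microsoft.windowscommunicationsapps_x/LocalState/livecomm.edb": b"\0" * 4 + ESE_SIG + b"\0" * 8,
        "Users/alice/AppData/Local/Packages/example.app_x/LocalState/settings.dat": SQLITE_SIG + b"\0" * 16,
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root

def demo():  # build the sample image in a temp dir and triage it
    return triage(build_sample_image(tempfile.mkdtemp()), "alice")
```

Hive and WebCache files that are present but unreadable by the format check still appear in the report as "unknown", so a missing signature is itself a finding worth noting.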
