OS and application forensic artefacts related to Windows 10.

Windows 10 Forensics: OS Evidentiary Artefacts
Version 1.5 (Build 10240)
Brent Muir – 2015

Topics
OS Artefacts:
▫ File Systems / Partitions
▫ Registry Hives
▫ Event Logs
▫ Prefetch
▫ Shellbags
▫ LNK Shortcuts
▫ Thumbcache
▫ Recycle Bin
▫ Volume Shadow Copies
▫ Windows Indexing Service
▫ Cortana (Search)
▫ Notification Centre
▫ Picture Password
Application Artefacts:
▫ Windows Store
▫ Edge Browser (previously Spartan)
  ▪ Legacy Internet Explorer
▫ Email (Mail application)
▫ Unified Communication
  ▪ Twitter
  ▪ Skype
  ▪ OneDrive
▫ Microsoft Office Apps
  ▪ Word
  ▪ Excel
  ▪ PowerPoint
  ▪ OneNote
▫ Maps
Part 1

File Systems / Partitions
• Supported file systems:
▫ NTFS, FAT32, exFAT
• Default partition structure:
▫ “Windows” – core OS (NTFS)
▫ “Recovery” (NTFS)
▫ “Reserved” (the MSR partition, which carries no file system)
▫ “System” – UEFI system partition (FAT32)
▫ “Recovery Image” (NTFS)

Registry Hives
• Registry hive format has not changed
▫ Can be examined with numerous tools (e.g. RegistryBrowser, RegistryViewer, X-Ways Forensics, etc.)
• Location of important registry hives:
▫ Users\user_name\NTUSER.DAT
▫ Windows\System32\config\DEFAULT
▫ Windows\System32\config\SAM
▫ Windows\System32\config\SECURITY
▫ Windows\System32\config\SOFTWARE
▫ Windows\System32\config\SYSTEM

Event Logs
• EVTX log format has not changed
▫ Can be examined with numerous tools (e.g. X-Ways Forensics, etc.)
• Location of EVTX logs:
▫ Windows\System32\winevt\Logs

Event Logs – Windows Store
• Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Source                               EventID  Category  Function
Microsoft-Windows-Install-Agent      2002     2001      Installing application
Windows-ApplicationModel-Store-SDK   5        5         Search query strings (e.g. query=twitter)

Event Logs – Windows Store
• Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Source                                   EventID  Category  Function
Microsoft-Windows-AppXDeployment-Server  10002    3         Application deployment
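The two tables above name the provider and event ID pairs to filter on. The following Python is an added example, not code from the original slides: it walks an XML export of those logs (for instance `wevtutil qe Microsoft-Windows-Store/Operational /f:xml`, whose bare <Event> elements must be wrapped in a root element first) and returns the matching records as a timeline, pulling the `query=` value out of the search events. The <Data> field names and every record in the sample export are constructed assumptions, not real log content; the Category column of the tables is not needed for the filter and is ignored.

```python
import re
import xml.etree.ElementTree as ET

# Provider name / EventID pairs from the two Windows Store log tables above.
STORE_EVENTS = {
    ("Microsoft-Windows-Install-Agent", 2002): "Installing application",
    ("Windows-ApplicationModel-Store-SDK", 5): "Search query string",
    ("Microsoft-Windows-AppXDeployment-Server", 10002): "Application deployment",
}
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
QUERY_RE = re.compile(r"query=([^&\s\"']+)")   # the "query=twitter" pattern from the slide


def parse_store_events(xml_text):
    """Return the Store-related records from an XML event export, oldest first."""
    root = ET.fromstring(xml_text)
    hits = []
    for event in root.findall("e:Event", EVT_NS):
        system = event.find("e:System", EVT_NS)
        provider = system.find("e:Provider", EVT_NS).get("Name", "")
        event_id = int(system.find("e:EventID", EVT_NS).text)
        key = (provider, event_id)
        if key not in STORE_EVENTS:
            continue                                   # unrelated noise, skip
        created = system.find("e:TimeCreated", EVT_NS).get("SystemTime", "")
        # <Data> names differ per provider (and are assumed below), so every
        # value is joined and the query regex is run over the whole string.
        data = " ".join((d.text or "") for d in event.findall("e:EventData/e:Data", EVT_NS))
        record = {"time": created, "provider": provider, "event_id": event_id,
                  "function": STORE_EVENTS[key], "data": data}
        match = QUERY_RE.search(data)
        if match:
            record["query"] = match.group(1)
        hits.append(record)
    return sorted(hits, key=lambda r: r["time"])


# Constructed sample export (not real log data). wevtutil emits bare <Event>
# elements, so they are wrapped in a root element before parsing.
SAMPLE_EVTX_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Windows-ApplicationModel-Store-SDK"/><EventID>5</EventID>
  <TimeCreated SystemTime="2015-08-01T09:15:02.000000000Z"/></System>
  <EventData><Data Name="Uri">https://store.example/search?query=twitter&amp;market=AU</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
  <TimeCreated SystemTime="2015-08-01T09:15:30.000000000Z"/></System>
  <EventData><Data Name="TargetUserName">user_name</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Install-Agent"/><EventID>2002</EventID>
  <TimeCreated SystemTime="2015-08-01T09:16:10.000000000Z"/></System>
  <EventData><Data Name="PackageFullName">Example.Twitter_1.0.0.0_x64__abcdefghijklm</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-AppXDeployment-Server"/><EventID>10002</EventID>
  <TimeCreated SystemTime="2015-08-01T09:16:45.000000000Z"/></System>
  <EventData><Data Name="PackageFullName">Example.Twitter_1.0.0.0_x64__abcdefghijklm</Data></EventData>
</Event>
</Events>"""
```

Run on a real export, the three matching records line up as search, install, deployment in time order, which is the sequence an analyst wants to show for "the user searched for X and installed it"; the logon event is filtered out because its provider/ID pair is not in the table.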
Prefetch
• Location of Prefetch files:
▫ Windows\Prefetch
• Caveat: Windows 10 Prefetch files are compressed (the file begins with the bytes “MAM” rather than the “SCCA” header of the Windows 7/8 format, using LZXPRESS Huffman), so a parser written for the earlier format must decompress them first

Shellbags
• NTUSER.DAT
▫ Software\Microsoft\Windows\Shell\BagMRU and Software\Microsoft\Windows\Shell\Bags
• UsrClass.dat (Users\user_name\AppData\Local\Microsoft\Windows\UsrClass.dat)
▫ Local Settings\Software\Microsoft\Windows\Shell\BagMRU and Local Settings\Software\Microsoft\Windows\Shell\Bags

LNK Shortcuts
• LNK format has not changed
▫ Can be examined with numerous tools (e.g. X-Ways Forensics, etc.)
• Useful fields:
▫ Hostname
▫ MAC Address
▫ Volume ID
▫ Owner SID
▫ MAC Times

Thumbcache
• Location of Thumbcache files (thumbcache_*.db):
▫ Users\user_name\AppData\Local\Microsoft\Windows\Explorer

Recycle Bin
• Recycle Bin artefacts keep the same $I/$R pairing under $Recycle.Bin\<user SID>
▫ $I
  ▪ Still provides the original file name and path, plus the original size and the deletion time (FILETIME)
▫ $R
  ▪ Original file
• Caveat: Windows 10 uses version 2 of the $I header; the fixed 520-byte name field of version 1 is replaced by a 4-byte character count followed by a variable-length UTF-16 path, so a parser written for Vista to 8.1 reads the name incorrectly
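Because the $I header changed, a parser should branch on the version field. The following Python is an added example, not from the original slides; it decodes both layouts, converts the FILETIME deletion timestamp, and maps a $I name to its $R partner. The sample records are produced by `build_dollar_i` and are constructed test data, not files from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - _FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_dollar_i(data):
    """Decode a $I record: version 1 (Vista to 8.1) or version 2 (Windows 10)."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Fixed 260 WCHAR (520 byte) NUL-padded name field.
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        # 4-byte character count (including the terminating NUL), then the name.
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(deleted_ft), "path": path}


def partner_name(i_name):
    """$I<id>.<ext> is paired with $R<id>.<ext> in the same $Recycle.Bin\\<SID> folder."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_dollar_i(version, size, deleted, path):
    """Constructed sample builder (test data only, not a real deleted file)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    name = path.encode("utf-16-le")
    if version == 1:
        return header + name.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + name + b"\x00\x00"


SAMPLE_DELETED = datetime(2015, 7, 29, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_I_V2 = build_dollar_i(2, 4096, SAMPLE_DELETED, r"C:\Users\user_name\Desktop\notes.docx")
SAMPLE_I_V1 = build_dollar_i(1, 10, SAMPLE_DELETED, r"D:\old.txt")
```

Feed `parse_dollar_i` the bytes of each $I file in a user's $Recycle.Bin\<SID> folder and pair the result with the $R file from `partner_name` to recover both the original path and the content.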
Volume Shadow Copies
• vssadmin still lists the current VSCs (vssadmin list shadows, from an elevated prompt)

Windows Indexing Service
• Windows indexing service is an evidentiary gold mine
▫ Potentially storing emails and other binary items
  ▪ Great as a dictionary list for password cracking
• Stored in an .EDB file
▫ Can be interpreted by EseDbViewer, ESEDatabaseView or X-Ways Forensics
  ▪ If “dirty” dismount, need to use esentutl.exe
• In Windows 10 stored in the following location:
▫ C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb

Cortana
• Windows 10 features “Cortana”, a personal assistant, which expands upon the unified search platform introduced in Windows 8
▫ Search encompasses local files, Windows Store & online content
▫ Can set reminders
▫ Can initiate contact (e.g. write emails)
• Cortana databases (EDBs):
▫ Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\AppData\Indexed DB\IndexedDB.edb
▫ Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCoreDb.dat
  ▪ Interesting tables:
  ▪ LocationTriggers
    ▫ Latitude/Longitude and name of place results
  ▪ Geofences
    ▫ Latitude/Longitude for where location-based reminders are triggered
  ▪ Reminders
    ▫ Creation and completion time (UNIX numeric value)

Cortana
• The following files contain a list of contacts synced from email accounts:
▫ Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\Contacts_xxxxx.cfg
▫ Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\Contacts_xxxxx.cfg.txt

Notification Centre
• The following database contains a list of notifications:
▫ Users\user_name\AppData\Local\Microsoft\Windows\Notifications\appdb.dat
  ▪ Toast notifications are stored as embedded XML
• Caveat: later Windows 10 builds (from version 1607) replaced appdb.dat with wpndatabase.db, a SQLite database in the same directory
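Pulling those toasts out without a dedicated appdb.dat parser comes down to carving the embedded XML. The following Python is an added example, not part of the original slides: it scans a binary blob for <toast>…</toast> documents, parses each one and collects the <text> lines the user was shown, skipping records whose XML has been partially overwritten. The sample blob is constructed, and the code assumes the XML is stored as UTF-8/ASCII (decode first if a file turns out to hold UTF-16).

```python
import re
import xml.etree.ElementTree as ET

# A toast starts with "<toast" and ends at the next "</toast>"; DOTALL lets the
# match span line breaks. Assumes UTF-8/ASCII storage of the XML.
TOAST_RE = re.compile(rb"<toast\b.*?</toast>", re.DOTALL)


def carve_toasts(blob):
    """Return every parseable <toast> document embedded in a binary blob."""
    toasts = []
    for match in TOAST_RE.finditer(blob):
        raw = match.group(0).decode("utf-8", errors="replace")
        try:
            root = ET.fromstring(raw)
        except ET.ParseError:
            continue          # partially overwritten record: skip, keep scanning
        texts = [t.text.strip() for t in root.iter("text") if t.text and t.text.strip()]
        toasts.append({"offset": match.start(), "launch": root.get("launch"),
                       "texts": texts, "xml": raw})
    return toasts


# Constructed sample (not a real appdb.dat): binary filler around two valid
# toasts and one corrupt one that must not abort the scan.
SAMPLE_APPDB = (
    b"\x00" * 16 + b"\x03\x00\x00\x00"
    + b"<toast><visual><binding template=\"ToastGeneric\">"
      b"<text>New message</text><text>Hi, are you free tonight?</text>"
      b"</binding></visual></toast>"
    + b"\xff" * 8
    + b"<toast><visual><binding template=\"ToastGeneric\"><text>Broken</toast>"
    + b"\x00" * 4
    + b"<toast launch=\"app-defined-string\"><visual>"
      b"<binding template=\"ToastGeneric\"><text>Reminder</text>"
      b"<text>Meeting at 3pm</text></binding></visual></toast>"
    + b"\x00" * 8
)
```

The offset of each hit is kept so a result can be tied back to the surrounding record in a hex view; the `launch` attribute, when present, is the app-defined string passed back to the app when the toast is clicked.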
Picture Password
• “Picture Password” is an alternate login method where gestures drawn on top of a picture are used as the password
• This registry key details the path to the location of the “Picture Password” file:
▫ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\PicturePassword\user_GUID
• Path of the locally stored Picture Password file:
▫ C:\ProgramData\Microsoft\Windows\SystemData\user_GUID\ReadOnly\PicturePassword\background.png

Part 2

Applications (Apps)
• Applications (Apps) that use the Modern UI (formerly “Metro”) are treated differently to programs that run in desktop mode
• Apps are installed in the following directory:
▫ Program Files\WindowsApps
• Settings and configuration DBs are located in the following directories:
▫ Users\user_name\AppData\Local\Packages\package_name\LocalState
  ▪ Two DB formats:
  ▪ SQLite DBs (e.g. .sqlite)
  ▪ Jet DBs (.EDB)

Windows Store
• Apps are purchased/installed via the Windows Store
• During the Insider Preview there was a Beta Store which contained Windows 10-compatible Apps (e.g. Microsoft Office Apps)
• Registry key of installed applications:
▫ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications
• List of deleted applications:
▫ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deleted

Edge Browser
• New web browser (codenamed Spartan) with a new rendering engine (EdgeHTML)
• As with IE10 onwards, records are no longer stored in Index.DAT files but in an EDB (ESE) database
• Edge settings are stored in the following file:
▫ Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxxx\DBStore\spartan.edb
• Edge cache stored in the following directory:
▫ Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\#!001\MicrosoftEdge\Cache
• Last active browsing session stored in:
▫ Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active

Browser History Records
• Edge (and IE) history records are stored in the following database:
▫ Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
  ▪ This is actually an .EDB file
  ▪ Can be interpreted by EseDbViewer or ESEDatabaseView
  ▪ Might be a “dirty” dismount, need to use esentutl.exe
  ▪ Database also stores Cookies
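Whether esentutl.exe is needed can be read straight from the database header, and the check applies equally to Windows.edb, the Cortana EDBs and WebCacheV01.dat. The following Python is an added example, not from the original slides; it verifies the ESE signature at offset 4 of the first page and reads the 4-byte database state at offset 52 (1 JustCreated, 2 DirtyShutdown, 3 CleanShutdown, 4 BeingConverted, 5 ForceDetach). `make_ese_header` builds constructed headers for testing only.

```python
import struct

ESE_SIGNATURE = 0x89ABCDEF          # little-endian at header offset 4
ESE_STATE_OFFSET = 52               # 4-byte database state field
ESE_STATES = {
    1: "JustCreated", 2: "DirtyShutdown", 3: "CleanShutdown",
    4: "BeingConverted", 5: "ForceDetach",
}


def is_ese_database(header):
    """True if the first 56+ bytes carry the ESE file signature."""
    return len(header) >= 56 and struct.unpack_from("<I", header, 4)[0] == ESE_SIGNATURE


def ese_header_state(header):
    """Return the database state name recorded in the ESE header."""
    if not is_ese_database(header):
        raise ValueError("not an ESE database header (bad signature or too short)")
    state, = struct.unpack_from("<I", header, ESE_STATE_OFFSET)
    return ESE_STATES.get(state, f"Unknown({state})")


def needs_repair(header):
    """True when the file was not cleanly detached, i.e. run esentutl before a viewer."""
    return ese_header_state(header) != "CleanShutdown"


def check_ese_file(path):
    """Read only the header bytes of a (copied) .edb/.dat file and report its state."""
    with open(path, "rb") as fh:
        return ese_header_state(fh.read(56))


def make_ese_header(state):
    """Constructed 56-byte header (test data only, not a real database)."""
    hdr = bytearray(56)
    struct.pack_into("<I", hdr, 4, ESE_SIGNATURE)
    struct.pack_into("<I", hdr, ESE_STATE_OFFSET, state)
    return bytes(hdr)
```

On Windows, `esentutl /mh <file>` prints the same State field. For a dirty database, work on a copy that includes the transaction logs (V01*.log for WebCacheV01.dat) and run `esentutl /r V01 /d` in that folder to replay them; `esentutl /p <file>` is the lossy repair to fall back on only when the logs are gone.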
Internet Explorer (legacy)
• Internet cache stored in this directory:
▫ Users\user_name\AppData\Local\Microsoft\Windows\INetCache
• Internet cookies stored in this directory:
▫ Users\user_name\AppData\Local\Microsoft\Windows\INetCookies

Email (Mail application)
• Bodies of emails are stored in TXT or HTML format
▫ Can be analysed by a number of tools
▫ Stored in the following directory:
  ▪ Users\user_name\AppData\Local\Comms\Unistore\data
• Metadata of emails is stored in the following DB (EDB format):
▫ Users\user_name\AppData\Local\Comms\UnistoreDB\store.vol
  ▪ Attachments
  ▪ Email headers
  ▪ Contact information

Unified Communication
• Unified Communication (UC) is a built-in Microsoft application that brings together several social media platforms by default (the account types appear in the Account table below)
▫ Appears to be scaled back from Windows 8.x (less integrated than the previous People App)
• UC settings are stored in the following DB:
▫ Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps…\LocalState\livecomm.edb

Unified Communication
• Interesting tables:
▫ Account
  ▪ SourceID
    List of accounts (e.g. WL = Windows Live, Skype, TWITR = Twitter, LI = LinkedIn)
  ▪ DomainTag
    Username for each account
▫ Contact
  ▪ List of synced contacts across all account platforms
▫ Event
  ▪ Calendar entries (including birthdays of contacts if synced to Windows Live) and locations
▫ MeContact
  ▪ Further details about the owner's accounts
▫ Person and PersonLink
  ▪ Further details about each contact, including which account they link back to (e.g. Skype)

Unified Communication
• Locally cached contact entries are stored in this directory:
▫ Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps_xxxxx\LocalState\Indexed\LiveComm\xxxxxxxxxx\People\AddressBook
• Contact photos are stored in this directory (JPGs):
▫ Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps_xxxx\LocalState\LiveComm\xxxxxxxx\UserTiles

Twitter App
• History DB located in the following file:
▫ Users\user_name\AppData\Local\Packages\xxxx.Twitter_xxxxxxx\LocalState\twitter_user_id\twitter.sqlite
• SQLite3 format DB
▫ 11 tables in DB
  ▪ Relevant tables:
  ▪ messages – holds tweets & DMs
  ▪ search_queries – holds searches conducted in the Twitter app by the user
  ▪ statuses – lists latest tweets from accounts being followed
  ▪ users – lists the user's account and the accounts being followed by the user

Twitter App
• Settings located in file:
▫ Users\user_name\AppData\Local\Packages\xxxxx.Twitter_xxxx\Settings\settings.dat
  ▪ Includes user name (@xxxxx)
  ▪ Details on profile picture URL
  ▪ Twitter ID number

Skype App (legacy)
• The Skype App was discontinued with Windows 10
▫ Windows 10 prompts you to download the desktop Skype application

OneDrive App
• Built in by default; the API allows all programs to save files in OneDrive
• List of synced items located in file:
▫ Users\user_name\AppData\Local\Microsoft\Windows\OneDrive\settings\xxxxxxxx.dat
• Locally cached items are stored in directory:
▫ Users\user_name\OneDrive

Microsoft Office Apps
• With the release of the Windows Insider program Microsoft introduced the Office Mobile Apps
▫ If you have a valid Office 365 account then you can edit and create documents
  ▪ Otherwise these Apps are read-only

Word App
• List of recent documents stored in the following file (XML):
▫ Users\user_name\AppData\Local\Packages\Microsoft.Office.Word_xxxx\LocalState\AppData\Local\Office\16.0\MruServiceCache\xxxx_LiveId\ExcelDocuments_en-AU
• Cached files stored in this directory:
▫ Users\user_name\AppData\Local\Packages\Microsoft.Office.Word_xxxx\LocalState\OfficeFileCache
  ▪ Files stored with an .FSD extension
  ▪ The document data is embedded inside the FSD container
  ▪ Can be manually carved from the FSD file

Excel App
• List of recent documents stored in the following file (XML):
▫ Users\user_name\AppData\Local\Packages\Microsoft.Office.Excel_xxxx\LocalState\AppData\Local\Office\16.0\MruServiceCache\xxxx_LiveId\ExcelDocuments_en-AU
• Cached files stored in this directory:
▫ Users\user_name\AppData\Local\Packages\Microsoft.Office.Excel_xxxx\LocalState\OfficeFileCache
  ▪ Files stored with an .FSD extension
  ▪ The document data is embedded inside the FSD container
  ▪ Can be manually carved from the FSD file

PowerPoint App
• List of recent documents stored in the following file (XML):
▫ Users\user_name\AppData\Local\Packages\Microsoft.Office.PowerPoint_xxxx\LocalState\AppData\Local\Office\16.0\MruServiceCache\xxxx_LiveId\ExcelDocuments_en-AU
• Cached files stored in this directory:
▫ Users\user_name\AppData\Local\Packages\Microsoft.Office.PowerPoint_xxxx\LocalState\OfficeFileCache
  ▪ Files stored with an .FSD extension
  ▪ The document data is embedded inside the FSD container
  ▪ Can be manually carved from the FSD file

OneNote App
• Cached files stored in this directory:
▫ Users\user_name\AppData\Local\Packages\Microsoft.Office.OneNote_xxxx\LocalState\AppData\Local\OneNote\16.0
• Files stored with an xxxx.bin extension
▫ Encoded binary files
▫ Embedded graphics such as PNG or JPG
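The OneNote .bin files above and the Office .FSD caches of the Word, Excel and PowerPoint slides come down to the same task: carving embedded files out of an opaque container. The following Python is an added example serving both, not code from the original slides. It scans a blob for PNG, JPEG and ZIP signatures, cuts each file at its real end (the PNG IEND chunk, the JPEG EOI marker, the ZIP end-of-central-directory record plus comment) rather than at the next signature, and classifies a carved ZIP as .docx/.xlsx/.pptx by its OOXML part names. `build_sample_blob` produces a constructed container holding a minimal PNG, a stored-ZIP .docx and a marker-only JPEG stub; none of it is a real FSD or OneNote file.

```python
import io
import struct
import zipfile
import zlib


def _carve_png(blob, start):
    """Walk PNG chunks (length, type, data, CRC) until IEND."""
    pos = start + 8                               # skip the 8-byte signature
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack_from(">I4s", blob, pos)
        pos += 12 + length
        if ctype == b"IEND":
            return blob[start:pos]
    return None                                   # truncated: no IEND found


def _carve_jpeg(blob, start):
    """Entropy-coded data never contains FF D9, so the first EOI marker is the end."""
    end = blob.find(b"\xff\xd9", start + 2)
    return None if end < 0 else blob[start:end + 2]


def _carve_zip(blob, start):
    """End = end-of-central-directory record (22 bytes) plus its comment."""
    eocd = blob.find(b"PK\x05\x06", start)
    if eocd < 0 or eocd + 22 > len(blob):
        return None
    comment_len, = struct.unpack_from("<H", blob, eocd + 20)
    return blob[start:eocd + 22 + comment_len]


SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png", _carve_png),
    (b"\xff\xd8\xff", "jpeg", _carve_jpeg),
    (b"PK\x03\x04", "zip", _carve_zip),          # OOXML documents are ZIP containers
]


def carve(blob):
    """Return [{offset, kind, data}] for every complete embedded file, in order."""
    found, pos = [], 0
    while pos < len(blob):
        best = None
        for sig, kind, fn in SIGNATURES:           # earliest signature wins
            i = blob.find(sig, pos)
            if i >= 0 and (best is None or i < best[0]):
                best = (i, kind, fn)
        if best is None:
            break
        i, kind, fn = best
        data = fn(blob, i)
        if data is None:                           # incomplete hit: step past it
            pos = i + 1
            continue
        found.append({"offset": i, "kind": kind, "data": data})
        pos = i + len(data)                        # never rescan inside a carved file
    return found


def ooxml_kind(zip_bytes):
    """Classify a carved ZIP by its OOXML part names."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        names = z.namelist()
    for prefix, kind in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
        if any(n.startswith(prefix) for n in names):
            return kind
    return "zip"


def _png_chunk(ctype, data):
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_sample_blob():
    """Constructed container (not a real FSD/OneNote file) and the files hidden in it."""
    png = (b"\x89PNG\r\n\x1a\n"
           + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
           + _png_chunk(b"IEND", b""))
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 7 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    docx = buf.getvalue()
    blob = (b"FSD\x00" * 4 + png + b"\x00" * 7 + docx + b"\xcc" * 5 + jpeg + b"\x00" * 3)
    return blob, (png, docx, jpeg)
```

Cutting at the structural end of each format matters for these caches: a carve that simply stops at the next signature would glue the trailing container bytes onto the PNG and hand back a ZIP that Word refuses to open.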
Maps App
• Recent places stored in this file (XML):
▫ Users\user_name\AppData\Local\Packages\Microsoft.WindowsMaps_xxxx\LocalState\Graph\xxxx\Me\00000000.ttl
  ▪ Latitude/Longitude
  ▪ Dates modified (searched)

Part 3

Memory Acquisition
• WinPMEM (tested versions 1.6.2 & 2.0.1)
▫ Run as Administrator
  ▪ Has to extract its driver to a local temp location
  ▪ v1.6.2 running process ~10MB
  ▪ v2.0.1 running process ~80MB
• FTK Imager
▫ Run as Administrator
  ▪ Running process ~15MB

Live Disk Acquisition
• FTK Imager
▫ Can be used for physical or logical acquisition
• X-Ways Forensics
▫ Can be used for physical or logical acquisition

Resources
• FTK Imager
▫ http://accessdata.com/product-download?/support/product-downloads
• Nirsoft ESEDatabaseView
▫ http://www.nirsoft.net/utils/ese_database_view.html
• RegistryBrowser
▫ https://lockandcode.com/software/registry_browser
• WinPMEM
▫ https://github.com/google/rekall/releases
