This document summarizes evidentiary artifacts found in Windows 10. It describes where to find file systems, registry hives, event logs, prefetch files, shellbags, shortcuts, thumbcache, recycle bin, volume shadows copies, indexing service databases, Cortana databases, notifications, and picture passwords. It also outlines artifacts left by applications like the Windows Store, Edge browser, email, unified communication apps, Office apps, and Maps. Methods for acquiring memory and disk images are provided.

1. Windows 10
Forensics
OS Evidentiary
Artefacts
Version 1.5 (Build 10240)
Brent Muir – 2015

2. Topics
OS Artefacts :
▫ File Systems / Partitions
▫ Registry Hives
▫ Event Logs
▫ Prefetch
▫ Shellbags
▫ LNK Shortcuts
▫ Thumbcache
▫ Recycle Bin
▫ Volume Shadow Copies
▫ Windows Indexing Service
▫ Cortana (Search)
▫ Notification Centre
▫ Picture Password
Application Artefacts:
▫ Windows Store
▫ Edge Browser (previously Spartan)
 Legacy Internet Explorer
▫ Email (Mail application)
▫ Unified Communication
 Twitter
 Skype
 OneDrive
▫ Microsoft Office Apps
 Word
 Excel
 PowerPoint
 OneNote
▫ Maps

3. Part 1

4. File Systems / Partitions
• Supported File Systems:
▫ NTFS, Fat32, ExFat
• Default Partition structure:
▫ “Windows” – core OS (NTFS)
▫ “Recovery” (NTFS)
▫ “Reserved”
▫ “System” – UEFI (Fat32)
▫ “Recovery Image” (NTFS)

5. Registry Hives
• Registry hives format has not changed
▫ Can be examined with numerous tools
(e.g. RegistryBrowser, RegistryViewer, X-Ways Forensics, etc.)
• Location of important registry hives:
▫ Usersuser_nameNTUSER.DAT
▫ WindowsSystem32configDEFAULT
▫ WindowsSystem32configSAM
▫ WindowsSystem32configSECURITY
▫ WindowsSystem32configSOFTWARE
▫ WindowsSystem32configSYSTEM

6. Event Logs
• EVTX log format has not changed
▫ Can be examined with numerous tools
(e.g. X-Ways Forensics, etc.)
• Location of EVTX logs:
▫ WindowsSystem32winevtLogs

7. Event Logs – Windows Store
• WindowsSystem32winevtLogsMicrosoft-
Windows-Store%4Operational.evtx
Source EventID Category Function
Microsoft-
Windows-Install-
Agent
2002 2001 Installing application
Windows-
ApplicationModel-
Store-SDK
5 5 Search query strings
(e.g. query=twitter)

8. Event Logs – Windows Store
• WindowsSystem32winevtLogsMicrosoft-
Windows-AppXDeploymentServer%4Operational.evtx
Source EventID Category Function
Microsoft-
Windows-
AppXDeploy
ment-Server
10002 3 Application
deployment

9. Prefetch
• Location of Prefetch files:
▫ WindowsPrefetch

10. Shellbags
• NTUSER.dat
▫ SOFTWAREMicrosoftWindowsShellBags
• UsrClass.dat

11. LNK Shortcuts
• LNK format has not changed
▫ Can be examined with numerous tools
(e.g. X-Ways Forensics, etc.)
• Useful fields:
▫ Hostname
▫ MAC Address
▫ Volume ID
▫ Owner SID
▫ MAC Times

12. Thumbcache
• Location of Thumbcache files:
▫ Usersuser_nameAppDataLocalMicrosoftW
indowsExplorer

13. Recycle Bin
• Recycle Bin artefacts have not changed
▫ $I
 Still provides original file name and path
▫ $R
 Original file

14. Volume Shadow Copies
• vssadmin tool still provides list of current VSCs

15. Windows Indexing Service
• Windows indexing service is an evidentiary gold mine
▫ Potentially storing emails and other binary items
 Great as dictionary list for password cracking
• Stored in an .EDB file
▫ Can be interpreted by EseDbViewer, ESEDatabaseView or X-
Ways Forensics
 If “dirty” dismount, need to use esentutl.exe
• In Windows 10 stored in the following directory:
▫ C:ProgramDataMicrosoftSearchDataApplicationsWindo
wsWindows.edb

16. Cortana
• Windows 10 features “Cortana”, a personal assistant, which expands upon the unified
search platform introduced in Windows 8,
▫ Search encompasses local files, Windows Store & online content
▫ Can set reminders
▫ Can initiate contact (e.g. write emails)
• Cortana Databases (EDBs):
▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Windows.Cortana_xxxxAp
pDataIndexed DBIndexedDB.edb
▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Windows.Cortana_xxxxLoc
alStateESEDatabase_CortanaCoreInstanceCortanaCireDb.dat
 Interesting Tables:
 LocationTriggers
▫ Latitude/Longitude and Name of place results
 Geofences
▫ Latitude/Longitude for where location based reminders are triggered
 Reminders
▫ Creation and completion time (UNIX numeric value)

17. Cortana
• The following databases contain a list of contacts
synched from email accounts:
▫ Usersuser_nameAppDataLocalPackagesMicrosoft.
Windows.Cortana_xxxxLocalStateContacts_xxxxx.cfg
▫ Usersuser_nameAppDataLocalPackagesMicrosoft.
Windows.Cortana_xxxxLocalStateContacts_xxxxx.cfg.tx
t

18. Notification Centre
• The following databases contain a list of
notifications:
▫ Usersuser_nameAppDataLocalMicrosoftW
indowsNotificationsappdb.dat
 Toast notifications are stored in embedded XML

19. Picture Password
• “Picture Password” is an alternate login method where
gestures on top of a picture are used as a password
• This registry key details the path to the location of the “Picture
Password” file:
▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrent
VersionAuthenticationLogonUIPicturePassworduser_GUID
• Path of locally stored Picture Password file:
▫ C:ProgramDataMicrosoftWindowsSystemDatauser_GUIDRe
adOnlyPicturePasswordbackground.png

20. Part 2

21. Applications (Apps)
• Applications (Apps) that utilise the Metro Modern UI are treated
differently to programs that work in desktop mode
• Apps are installed in the following directory:
▫ Program FilesWindowsApps
• Settings and configuration DBs are located in following directories:
▫ Usersuser_nameAppDataLocalPackagespackage_nameLocalSt
ate
 Two DB formats:
 SQLite DBs (.SQL)
 Jet DBs (.EDB)

22. Windows Store
• Apps are purchased/installed via the Windows Store
• During the Insider Preview their was a Beta Store
which contained Windows 10 –compatible Apps
(e.g. Microsoft Office Apps)
• Registry key of installed applications:
▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionApp
xAppxAllUserStoreApplications
• List of deleted applications:
▫ HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionApp
xAppxAllUserStoreDeleted

23. Edge Browser
• New web browser and rendering engine (Spartan)
• Same as IE10, records no longer stored in Index.DAT files, stored in EDB
• Edge settings are stored in the following file:
▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxxACMicroso
ftEdgeUserDefaultDataStoreDatanouser1xxxxxDBStorespartan.edb
• Edge cache stored in the following directory:
▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxAC#!001M
icrosoftEdgeCache
• Last active browsing session stored:
▫ Usersuser_nameAppDataLocalPackagesMicrosoft.MicrosoftEdge_xxxxACMicrosoft
EdgeUserDefaultRecoveryActive

24. Browser History Records
• Edge (and IE) history records stored in the following
database:
▫ Usersuser_nameAppDataLocalMicrosoftWind
owsWebCacheWebCacheV01.dat
 This is actually an .EDB file
 Can be interpreted by EseDbViewer or
ESEDatabaseView
 Might be a “dirty” dismount, need to use esentutl.exe
 Database also stores Cookies

25. Internet Explorer (legacy)
• Internet Cache stored in this directory:
▫ Usersuser_nameAppDataLocalMicrosoftW
indowsINetCache
• Internet Cookies stored in this directory:
▫ Usersuser_nameAppDataLocalMicrosoftW
indowsINetCookies

26. Email (Mail application)
• Body of emails are stored in TXT or HTML format
▫ Can be analysed by a number of tools
▫ Stored in the following directory:
 Usersuser_nameAppDataLocalCommsUnistoredata
• Metadata of emails are stored in the following DB (EDB
format):
▫ Usersuser_nameAppDataLocalCommsUnistoreDBstore.vol
 Attachments
 Email header
 Contact information

27. Unified Communication
• Unified Communication (UC) is a built-in Microsoft
application that brings together all of the following social
media platforms (by default):
▫ Appears to be scaled back from Windows 8.x (less
integrated as previous People App)
• UC settings are stored in the following DB:
▫ Usersuser_nameAppDataLocalPackagesmicro
soft.windowscommunicationsapps…LocalStatelivec
omm.edb

28. Unified Communication
• Interesting Tables:
▫ Account
 SourceID
 List of accounts (e.g WL = Windows Live, Skype, TWITR, LI = LinkedIn)
 DomainTag
 Username for each account
▫ Contact
 List of synched contacts across all account platforms
▫ Event
 Calendar entries (including birthdays of contacts if synched to Windows Live) and locations
▫ MeContact
 Further details about owner accounts
▫ Person and PersonLink
 Further details about each contact including what account they link back to (e.g Skype)

29. Unified Communication
• Locally cached contact entries are stored in this directory:
▫ Usersuser_nameAppDataLocalPackagesmicrosoft.windowscom
municationsapps_xxxxxLocalStateIndexedLiveCommxxxxxxxxxx
PeopleAddressBook
• Contact photos are stored in this directory (JPGs):
▫ Usersuser_nameAppDataLocalPackagesmicrosoft.windowscom
municationsapps_xxxxLocalStateLiveCommxxxxxxxxUserTiles

30. Twitter App
• History DB located in following file:
▫ Usersuser_nameAppDataLocalPackagesxxxx.Twitte
r_xxxxxxxLocalStatetwitter_user_idtwitter.sqlite
• SQLite3 format DB
▫ 11 Tables in DB
 Relevant tables:
 messages – holds tweets & DMs
 search_queries – holds searches conducted in Twitter app by
user
 statuses – lists latest tweets from accounts being followed
 users – lists user account and accounts being followed by user

31. Twitter App
• Settings located in file:
▫ Usersuser_nameAppDataLocalPackagesxx
xxx.Twitter_xxxxSettingssettings.dat
 Includes user name (@xxxxx)
 Details on profile picture URL
 Twitter ID number

32. Skype App (legacy)
• The Skype App was discontinued with Windows
10
▫ Windows 10 prompts you to download the desktop
Skype application

33. OneDrive App
• Built-in by default, API allows all programs to save
files in OneDrive
• List of Synced items located in file:
▫ Usersuser_nameAppDataLocalMicrosoftWind
owsOneDrivesettingsxxxxxxxx.dat
• Locally cached items are stored in directory:
▫ Usersuser_nameOneDrive

34. Microsoft Office Apps
• With the release of the Windows Insider
program Microsoft introduced the Office Mobile
Apps
▫ If you have a valid Office365 account then you can
edit and create documents
 Otherwise these Apps are read-only

35. Word App
• List of recent documents stored in the following file
(XML):
▫ Usersuser_nameAppDataLocalPackagesMicrosoft.
Office.Word_xxxxLocalStateAppDataLocalOffice16.0
MruServiceCachexxxx_LiveIdExcelDocuments_en-AU
• Cached files stored in this directory:
▫ Usersuser_nameAppDataLocalPackagesMicrosoft.
Office.Word_xxxxLocalStateOfficeFileCache
 Files stored as .FSD extension  actually data embedded
 Can be manually carved from FSD file

36. Excel App
• List of recent documents stored in the following file
(XML):
▫ Usersuser_nameAppDataLocalPackagesMicrosoft.
Office.Excel_xxxxLocalStateAppDataLocalOffice16.0
MruServiceCachexxxx_LiveIdExcelDocuments_en-AU
• Cached files stored in this directory:
▫ Usersuser_nameAppDataLocalPackagesMicrosoft.
Office.Excel_xxxxLocalStateOfficeFileCache
 Files stored as .FSD extension  actually data embedded
 Can be manually carved from FSD file

37. PowerPoint App
• List of recent documents stored in the following file
(XML):
▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Office.
PowerPoint_xxxxLocalStateAppDataLocalOffice16.0Mru
ServiceCachexxxx_LiveIdExcelDocuments_en-AU
• Cached files stored in this directory:
▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Office.
PowerPoint_xxxxLocalStateOfficeFileCache
 Files stored as .FSD extension  actually data embedded
 Can be manually carved from FSD file

38. OneNote App
• Cached files stored in this directory:
▫ Usersuser_nameAppDataLocalPackagesMicrosoft.Of
fice.OneNote_xxxxLocalStateAppDataLocalOneNote1
6.0
• Files stored as xxxx.bin extension
▫ Encoded binary files
▫ Embedded graphics such as PNG or JPG

39. Maps App
• Recent places stored in this file (XML):
▫ Usersuser_nameAppDataLocalPackagesM
icrosoft.WindowsMaps_xxxxLocalStateGraph
xxxxMe00000000.ttl
 Latitude/Longitude
 Dates modified (searched)

40. Part 3

41. Memory Acquisition
• WinPMEM (tested versions 1.6.2 & 2.0.1)
▫ Run as Administrator
 Has to extract driver to local temp location
 V1.6.2 running process ~10MB
 V2.0.1 running process ~80MB
• FTK Imager
▫ Run as Administrator
 Running process ~15MB

42. Live Disk Acquisition
• FTK Imager
▫ Can be used for Physical or Logical acquisition
• X-Ways Forensics
▫ Can be used for Physical or Logical acquisition

43. Resources
• FTK Imager
▫ http://accessdata.com/product-download?/support/product-
downloads
• Nirsoft ESEDatabaseView
▫ http://www.nirsoft.net/utils/ese_database_view.html
• RegistryBrowser
▫ https://lockandcode.com/software/registry_browser
• WinPMEM
▫ https://github.com/google/rekall/releases