Windows RT Evidentiary Artefacts
Version 1.0

Brent Muir – 2013          http://au.linkedin.com/in/brentmuir
Contents
- File Systems / Partitions
- Registry Hives
- Email (Mail application)
- Internet Explorer
- Unified Communication
- 3rd Party Applications
- Picture Password
File Systems / Partitions
- Supported file systems: NTFS, FAT32, exFAT
- Default partition structure:
  ▪ “Windows” – core OS (NTFS)
  ▪ “Recovery” (NTFS)
  ▪ “Reserved”
  ▪ “System” – UEFI (FAT32)
  ▪ “Recovery Image” (NTFS)
Registry Hives
- Registry hives are a standard format and can be examined with numerous tools (e.g. RegistryBrowser, Registry Viewer, etc.)
- Location of important registry hives:
  ▪ Users\user_name\NTUSER.DAT
  ▪ Windows\System32\config\DEFAULT
  ▪ Windows\System32\config\SAM
  ▪ Windows\System32\config\SECURITY
  ▪ Windows\System32\config\SOFTWARE
  ▪ Windows\System32\config\SYSTEM
Email (Mail application)
- Emails & contacts are stored in .EML format and can be analysed by a number of tools
- Stored in the following directory:
  ▪ Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps...\LocalState
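Because the Mail application keeps each message as a standard .EML file, the Python standard library is enough to triage them. This is an added example, not code from the deck or its author; the message bytes are constructed and stand in for a file read from the LocalState directory above.

```python
"""Triage of Mail-app .EML files (added example, not from the deck). Parses
each .eml with the standard library and pulls out the fields an examiner
wants first: sender, recipients, date, Message-ID, attachments, body preview."""
from email import policy
from email.parser import BytesParser
from email.utils import parsedate_to_datetime
from pathlib import Path

# Constructed sample message standing in for a file from the LocalState
# directory; addresses and content are made up.
SAMPLE_EML = (
    b"From: Alice Example <alice@example.test>\r\n"
    b"To: Bob Example <bob@example.test>\r\n"
    b"Subject: Quarterly figures\r\n"
    b"Date: Tue, 05 Mar 2013 09:15:00 +1000\r\n"
    b"Message-ID: <sample-0001@example.test>\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Figures attached, please review before Friday.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="figures.xlsx"\r\n'
    b'Content-Disposition: attachment; filename="figures.xlsx"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"UEsDBA==\r\n"
    b"--b1--\r\n"
)


def triage_eml(data: bytes) -> dict:
    """Parse one .eml and return the triage fields as plain Python values."""
    msg = BytesParser(policy=policy.default).parsebytes(data)
    # Prefer the plain-text body for the preview; fall back to HTML if that is all there is.
    body = msg.get_body(preferencelist=("plain", "html"))
    preview = body.get_content().strip()[:80] if body is not None else ""
    date = msg["Date"]
    return {
        "from": str(msg["From"] or "").strip(),
        "to": str(msg["To"] or "").strip(),
        "subject": str(msg["Subject"] or "").strip(),
        "date": parsedate_to_datetime(str(date)).isoformat() if date else None,
        "message_id": str(msg["Message-ID"] or "").strip(),
        # iter_attachments() skips the body parts and yields only real attachments.
        "attachments": [p.get_filename() for p in msg.iter_attachments() if p.get_filename()],
        "body_preview": preview,
    }


def triage_directory(localstate) -> list:
    """Walk a LocalState directory (recursively) and triage every .eml found."""
    records = []
    for path in sorted(Path(localstate).rglob("*.eml")):
        record = triage_eml(path.read_bytes())
        record["file"] = str(path)
        records.append(record)
    return records


if __name__ == "__main__":
    for key, value in triage_eml(SAMPLE_EML).items():
        print(f"{key:<13} {value}")
```

Point `triage_directory()` at the LocalState path from the slide on a mounted image to get one record per message, which can then be exported or timelined on the parsed `date` field.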
Internet Explorer
- History is no longer stored in Index.dat files
- IE history records are stored in the following file:
  ▪ Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
  ▪ This is actually an .edb file (ESE database) and can be interpreted by EseDbViewer or ESEDatabaseView
Unified Communication
- Unified Communication (UC) is a built-in Microsoft application that brings together all of the following social media platforms (by default):
  ▪ Facebook, Flickr, Google, LinkedIn, MySpace, Sina Weibo, Twitter, Outlook, Messenger, Hotmail, Skype, Yahoo!, QQ, AOL, Yahoo! JAPAN, Orange
- UC settings are stored in the following DB:
  ▪ Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps…\LocalState\livecomm.edb
- Locally cached entries (e.g. Email or Twitter messages) are stored in this directory:
  ▪ Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps…\LocalState\Indexed\LiveComm
3rd Party Applications
- 3rd party applications are stored in the following directory:
  ▪ Program Files\WindowsApps
- Settings and configuration DBs are located in the following directories:
  ▪ Users\user_name\AppData\Local\Packages\package_name\LocalState
- Two DB formats:
  ▪ SQLite DBs
  ▪ Jet DBs (.edb)
- Registry key of installed applications:
  ▪ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications
Picture Password
- “Picture Password” is an alternate login method where gestures on top of a picture are used as a password
- This registry key details the path to the location of the “Picture Password” file:
  ▪ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\PicturePassword\user_GUID
- Path of the locally stored Picture Password file:
  ▪ C:\ProgramData\Microsoft\Windows\SystemData\user_GUID\ReadOnly\PicturePassword\background.png
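The file-system locations listed across the deck, gathered into one inventory script for a mounted image. This is an added example, not code from the deck or its author; it assumes the image is mounted read-only under one directory and treats the slide placeholders user_name, package_name and user_GUID, plus the package-name suffix the slides elide as "...", as wildcards. The sample tree it builds is constructed and contains no real data.

```python
"""Artefact inventory for a mounted Windows RT image (added example, not from
the deck). Expands the slide placeholders (user_name, package_name, user_GUID
and the package-name suffix elided as "...") and reports what is present."""
import hashlib
import tempfile
from pathlib import Path

# Catalogue from the slides. "{user}" is a profile directory under Users; "*"
# stands in for package_name, user_GUID and the elided package-name suffix.
UC_STATE = "Users/{user}/AppData/Local/Packages/microsoft.windowscommunicationsapps*/LocalState"
ARTEFACTS = {
    "registry:NTUSER": "Users/{user}/NTUSER.DAT",
    "mail:localstate": UC_STATE,
    "ie:webcache": "Users/{user}/AppData/Local/Microsoft/Windows/WebCache/WebCacheV01.dat",
    "uc:livecomm_edb": UC_STATE + "/livecomm.edb",
    "uc:indexed_cache": UC_STATE + "/Indexed/LiveComm",
    "apps:windowsapps": "Program Files/WindowsApps",
    "apps:localstate": "Users/{user}/AppData/Local/Packages/*/LocalState",
    "picpw:background": "ProgramData/Microsoft/Windows/SystemData/*/ReadOnly/PicturePassword/background.png",
}
for _hive in ("DEFAULT", "SAM", "SECURITY", "SOFTWARE", "SYSTEM"):
    ARTEFACTS["registry:" + _hive] = "Windows/System32/config/" + _hive
SKIP_PROFILES = {"public", "default", "default user", "all users"}  # not interactive users


def sha256_file(path: Path) -> str:
    """Stream-hash so large hives and .edb files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_users(root) -> list:
    """Profile directories under Users, minus the built-in non-user profiles."""
    users_dir = Path(root) / "Users"
    if not users_dir.is_dir():
        return []
    return sorted(p.name for p in users_dir.iterdir()
                  if p.is_dir() and p.name.lower() not in SKIP_PROFILES)


def inventory(root) -> list:
    """One record per artefact found: artefact, user, path (relative), kind, sha256."""
    root = Path(root)
    hits = []
    for name, pattern in ARTEFACTS.items():
        if "{user}" in pattern:
            targets = [(u, pattern.format(user=u)) for u in list_users(root)]
        else:
            targets = [(None, pattern)]
        for user, rel in targets:
            # Glob only when a wildcard is present; an exact lookup is unambiguous.
            matches = sorted(root.glob(rel)) if "*" in rel else [root / rel]
            for match in matches:
                if match.exists():
                    hits.append({"artefact": name, "user": user,
                                 "path": match.relative_to(root).as_posix(),
                                 "kind": "dir" if match.is_dir() else "file",
                                 "sha256": sha256_file(match) if match.is_file() else None})
    return hits


def missing(root) -> list:
    """Catalogue entries with no hit at all; a report should say so explicitly."""
    return sorted(set(ARTEFACTS) - {h["artefact"] for h in inventory(root)})


def build_sample_image(base) -> Path:
    """Constructed stand-in for a mounted image; suffix and GUID are placeholders."""
    root = Path(base) / "image"
    uc = "Users/alice/AppData/Local/Packages/microsoft.windowscommunicationsapps_SUFFIX/LocalState"
    files = {
        "Windows/System32/config/SAM": b"regf sample hive",
        "Windows/System32/config/SYSTEM": b"regf sample hive",
        "Users/alice/NTUSER.DAT": b"regf sample hive",
        "Users/alice/AppData/Local/Microsoft/Windows/WebCache/WebCacheV01.dat": b"edb sample",
        uc + "/livecomm.edb": b"edb sample",
        "ProgramData/Microsoft/Windows/SystemData/USER_GUID/ReadOnly/PicturePassword/background.png": b"\x89PNG",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    (root / "Users/Public").mkdir(parents=True, exist_ok=True)  # must be skipped
    return root


def run_demo() -> dict:
    """Build the sample tree, inventory it and return the summary for checking."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_image(tmp)
        return {"users": list_users(root), "hits": inventory(root), "missing": missing(root)}


if __name__ == "__main__":
    summary = run_demo()
    for hit in summary["hits"]:
        print(f"{hit['artefact']:<18} {hit['kind']:<4} {hit['path']}")
    print("missing:", ", ".join(summary["missing"]))
```

The two registry keys on the slides (Appx applications, Picture Password path) are not covered: they live inside the SOFTWARE hive the script locates and need a hive parser to read.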
