5. Registry Hives
• Registry hive format has not changed
▫ Can be examined with numerous tools
(e.g. RegistryBrowser, RegistryViewer, X-Ways Forensics, etc.)
• Location of important registry hives:
▫ Users\user_name\NTUSER.DAT
▫ Windows\System32\config\DEFAULT
▫ Windows\System32\config\SAM
▫ Windows\System32\config\SECURITY
▫ Windows\System32\config\SOFTWARE
▫ Windows\System32\config\SYSTEM
6. Event Logs
• EVTX log format has not changed
▫ Can be examined with numerous tools
(e.g. X-Ways Forensics, etc.)
• Location of EVTX logs:
▫ Windows\System32\winevt\Logs
7. Event Logs – Windows Store
• Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Source                               EventID   Category   Function
Microsoft-Windows-Install-Agent      2002      2001       Installing application
Windows-ApplicationModel-Store-SDK   5         5          Search query strings (e.g. query=twitter)
8. Event Logs – Windows Store
• Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Source                                    EventID   Category   Function
Microsoft-Windows-AppXDeployment-Server   10002     3          Application deployment
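The provider/EventID pairs on slides 7 and 8 are easiest to triage once the two EVTX files have been exported to XML (for instance with wevtutil qe ... /f:xml). The Python below is an added example, not part of the original slides: the records it parses are constructed to mimic that export shape, and the EventData field names (PackageFullName, Url) and the placement of the search term inside a URL query string are assumptions, not something the slides document.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Namespace carried by Windows event XML exports.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Provider/EventID pairs from slides 7 and 8 with the slides' own descriptions.
WATCHLIST = {
    ("Microsoft-Windows-Install-Agent", 2002): "Installing application",
    ("Windows-ApplicationModel-Store-SDK", 5): "Search query strings",
    ("Microsoft-Windows-AppXDeployment-Server", 10002): "Application deployment",
}

# Constructed sample records (not from a real machine). Only the fields used
# below are present; the Data element names are assumptions. The third record
# is deliberate noise that the watchlist must ignore.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Install-Agent"/><EventID>2002</EventID>
    <TimeCreated SystemTime="2015-08-01T10:15:00.000Z"/>
  </System>
  <EventData><Data Name="PackageFullName">Example.App_1.0.0.0_x64__placeholder</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Windows-ApplicationModel-Store-SDK"/><EventID>5</EventID>
    <TimeCreated SystemTime="2015-08-01T10:16:30.000Z"/>
  </System>
  <EventData><Data Name="Url">https://store.example/search?query=twitter&amp;hl=en</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Example-Noise-Provider"/><EventID>1</EventID>
    <TimeCreated SystemTime="2015-08-01T10:16:45.000Z"/>
  </System>
  <EventData><Data Name="Ignored">x</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppXDeployment-Server"/><EventID>10002</EventID>
    <TimeCreated SystemTime="2015-08-01T10:17:00.000Z"/>
  </System>
  <EventData><Data Name="PackageFullName">Example.App_1.0.0.0_x64__placeholder</Data></EventData>
</Event>
</Events>"""


def triage_events(xml_text):
    """Return the watchlisted events in time order, with any search query strings pulled out."""
    root = ET.fromstring(xml_text)
    hits = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        provider = system.find("e:Provider", NS).get("Name")
        event_id = int(system.find("e:EventID", NS).text)
        label = WATCHLIST.get((provider, event_id))
        if label is None:
            continue  # not one of the Store-related events we care about
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        # Slide 7 notes the Store-SDK event carries strings such as query=twitter;
        # here they are assumed to sit in a URL query string and are decoded from it.
        queries = []
        for value in data.values():
            if "?" in value:
                queries.extend(parse_qs(value.split("?", 1)[1]).get("query", []))
        hits.append({
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "provider": provider,
            "event_id": event_id,
            "label": label,
            "data": data,
            "queries": queries,
        })
    return hits


if __name__ == "__main__":
    for hit in triage_events(SAMPLE_XML):
        print(hit["time"], hit["event_id"], hit["label"], hit["queries"] or hit["data"])
```

The watchlist is keyed on provider name as well as EventID because the low IDs (5, 3) are reused by many providers; matching on the ID alone would flood the result with unrelated records.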
11. LNK Shortcuts
• LNK format has not changed
▫ Can be examined with numerous tools
(e.g. X-Ways Forensics, etc.)
• Useful fields:
▫ Hostname
▫ MAC Address
▫ Volume ID
▫ Owner SID
▫ MAC Times
12. Thumbcache
• Location of Thumbcache files:
▫ Users\user_name\AppData\Local\Microsoft\Windows\Explorer
13. Recycle Bin
• Recycle Bin artefacts have not changed
▫ $I: still provides the original file name and path
▫ $R: the original file
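Because the $I record is the one artefact here that needs no tool beyond a hex viewer, it is worth being able to parse it by hand. The following Python is an added example, not part of the slides: it builds a constructed $I record in both the Vista/7/8 layout (format version 1, fixed 520-byte path field) and the Windows 10 layout (version 2, character-count-prefixed path), parses it back, and converts the FILETIME deletion stamp to UTC. The layouts and version numbers come from the on-disk format as generally documented, not from the slides.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def datetime_to_filetime(dt):
    """UTC datetime -> Windows FILETIME (100 ns ticks since 1601-01-01). Integer maths only."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_datetime(ft):
    """Windows FILETIME -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def build_sample_i_record(version, size, deleted, path):
    """Constructed $I record (sample data, not from a real system).

    Common header: version (u64), original size (u64), deletion FILETIME (u64).
    version 1 (Vista/7/8):  fixed 520-byte UTF-16LE path field follows.
    version 2 (Windows 10): u32 character count (incl. NUL) then the UTF-16LE path.
    """
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = path.encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    if version == 2:
        return header + struct.pack("<I", len(path) + 1) + encoded + b"\x00\x00"
    raise ValueError("unsupported version")


def parse_i_record(data):
    """Parse a $I record of either layout into its original path, size and deletion time."""
    if len(data) < 24:
        raise ValueError("too short to be a $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        (chars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + chars * 2]
        path = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I format version {version}")
    return {
        "version": version,
        "size": size,
        "deleted": filetime_to_datetime(ft),
        "path": path,
    }


# Constructed sample: a 4,096-byte document deleted on 2015-08-01 12:00:00 UTC.
SAMPLE_WIN10 = build_sample_i_record(
    2, 4096, datetime(2015, 8, 1, 12, 0, tzinfo=timezone.utc),
    r"C:\Users\user_name\Documents\notes.txt")

if __name__ == "__main__":
    print(parse_i_record(SAMPLE_WIN10))
```

The $I file on disk is paired with a $R file of the same suffix; the size in the $I header should match the $R file's size, which is a quick sanity check that the two still belong together.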
15. Windows Indexing Service
• The Windows indexing service is an evidentiary gold mine
▫ Potentially stores emails and other binary items
Great as a dictionary list for password cracking
• Stored in an .EDB file
▫ Can be interpreted by EseDbViewer, ESEDatabaseView or X-Ways Forensics
If the database was dismounted “dirty”, esentutl.exe needs to be used first
• In Windows 10 it is stored in the following directory:
▫ C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
16. Cortana
• Windows 10 features “Cortana”, a personal assistant, which expands upon the unified
search platform introduced in Windows 8:
▫ Search encompasses local files, Windows Store & online content
▫ Can set reminders
▫ Can initiate contact (e.g. write emails)
• Cortana Databases (EDBs):
▫ Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\AppData\Indexed DB\IndexedDB.edb
▫ Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCireDb.dat
Interesting Tables:
LocationTriggers
▫ Latitude/Longitude and name of place results
Geofences
▫ Latitude/Longitude for where location-based reminders are triggered
Reminders
▫ Creation and completion time (UNIX numeric value)
17. Cortana
• The following databases contain a list of contacts
synced from email accounts:
▫ Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\Contacts_xxxxx.cfg
▫ Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\Contacts_xxxxx.cfg.txt
18. Notification Centre
• The following database contains a list of
notifications:
▫ Users\user_name\AppData\Local\Microsoft\Windows\Notifications\appdb.dat
Toast notifications are stored as embedded XML
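Since the toast payloads are XML embedded in a binary container, they can be carved out without understanding the surrounding record structure. The Python below is an added example, not from the slides: the blob it scans is constructed, and because the slides do not say whether appdb.dat holds the XML as UTF-8 or UTF-16LE, the carver tries both encodings and skips fragments that no longer parse (overwritten or truncated entries).

```python
import re
import xml.etree.ElementTree as ET

# Constructed toast payloads (sample data, not from a real appdb.dat).
TOAST_UTF8 = ('<toast><visual><binding template="ToastGeneric">'
              '<text>New mail from Alice</text><text>Re: invoice</text>'
              '</binding></visual></toast>')
TOAST_UTF16 = ('<toast launch="app-defined"><visual><binding template="ToastText01">'
               '<text id="1">Reminder: call Bob</text></binding></visual></toast>')
# A fragment whose tags no longer nest, standing in for a partially overwritten slot.
TOAST_BROKEN = '<toast><visual><text>damaged</visual></toast>'

# Constructed stand-in for the database: filler bytes around the embedded XML.
# The real appdb.dat record layout is not modelled here.
SAMPLE_BLOB = (b"\x00\x11\x22\x33" * 8
               + TOAST_UTF8.encode("utf-8")
               + b"\xff" * 16
               + TOAST_BROKEN.encode("utf-8")
               + b"\x00" * 8
               + TOAST_UTF16.encode("utf-16-le")
               + b"\x00" * 32)

_PATTERNS = [
    # "<toast" followed by whitespace or ">" up to the closing tag, ASCII/UTF-8.
    ("utf-8", re.compile(rb"<toast[\s>].*?</toast>", re.DOTALL)),
    # Same thing in UTF-16LE: every ASCII character is followed by a NUL byte.
    ("utf-16-le", re.compile(
        re.escape("<toast".encode("utf-16-le")) + b"(?:\x20\x00|>\x00).*?"
        + re.escape("</toast>".encode("utf-16-le")), re.DOTALL)),
]


def carve_toasts(blob):
    """Return every well-formed <toast> document found in blob, ordered by offset."""
    found = []
    for encoding, pattern in _PATTERNS:
        for m in pattern.finditer(blob):
            xml_text = m.group(0).decode(encoding, errors="replace")
            try:
                root = ET.fromstring(xml_text)
            except ET.ParseError:
                continue  # damaged fragment: report nothing rather than guess
            found.append({
                "offset": m.start(),
                "encoding": encoding,
                "launch": root.get("launch"),
                "text": [(t.text or "").strip() for t in root.iter("text")],
            })
    found.sort(key=lambda f: f["offset"])
    return found


if __name__ == "__main__":
    for toast in carve_toasts(SAMPLE_BLOB):
        print(hex(toast["offset"]), toast["encoding"], toast["text"])
```

Carving this way recovers the visible notification text but not the database's own timestamps or the owning app; those still have to come from the surrounding record, so treat the carved text as content evidence rather than as a timeline source.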
19. Picture Password
• “Picture Password” is an alternate login method where
gestures on top of a picture are used as a password
• This registry key details the path to the location of the “Picture
Password” file:
▫ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\PicturePassword\user_GUID
• Path of the locally stored Picture Password file:
▫ C:\ProgramData\Microsoft\Windows\SystemData\user_GUID\ReadOnly\PicturePassword\background.png
21. Applications (Apps)
• Applications (Apps) that utilise the Metro/Modern UI are treated
differently from programs that work in desktop mode
• Apps are installed in the following directory:
▫ Program Files\WindowsApps
• Settings and configuration DBs are located in the following directory:
▫ Users\user_name\AppData\Local\Packages\package_name\LocalState
Two DB formats:
SQLite DBs (.SQL)
Jet DBs (.EDB)
22. Windows Store
• Apps are purchased/installed via the Windows Store
• During the Insider Preview there was a Beta Store
which contained Windows 10-compatible Apps
(e.g. Microsoft Office Apps)
• Registry key of installed applications:
▫ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications
• List of deleted applications:
▫ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deleted
23. Edge Browser
• New web browser and rendering engine (Spartan)
• As with IE10, records are no longer stored in Index.DAT files; they are stored in an EDB database
• Edge settings are stored in the following file:
▫ Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxxx\DBStore\spartan.edb
• Edge cache is stored in the following directory:
▫ Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\#!001\MicrosoftEdge\Cache
• Last active browsing session is stored in:
▫ Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active
24. Browser History Records
• Edge (and IE) history records are stored in the following
database:
▫ Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
This is actually an .EDB file
Can be interpreted by EseDbViewer or ESEDatabaseView
May have been dismounted “dirty”, in which case esentutl.exe needs to be used first
The database also stores Cookies
25. Internet Explorer (legacy)
• Internet Cache is stored in this directory:
▫ Users\user_name\AppData\Local\Microsoft\Windows\INetCache
• Internet Cookies are stored in this directory:
▫ Users\user_name\AppData\Local\Microsoft\Windows\INetCookies
26. Email (Mail application)
• Email bodies are stored in TXT or HTML format
▫ Can be analysed by a number of tools
▫ Stored in the following directory:
Users\user_name\AppData\Local\Comms\Unistore\data
• Email metadata is stored in the following DB (EDB
format):
▫ Users\user_name\AppData\Local\Comms\UnistoreDB\store.vol
Attachments
Email header
Contact information
27. Unified Communication
• Unified Communication (UC) is a built-in Microsoft
application that brings together all of the following social
media platforms (by default):
▫ Appears to be scaled back from Windows 8.x (less
integrated than the previous People App)
• UC settings are stored in the following DB:
▫ Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps…\LocalState\livecomm.edb
28. Unified Communication
• Interesting Tables:
▫ Account
SourceID
List of accounts (e.g. WL = Windows Live, Skype, TWITR, LI = LinkedIn)
DomainTag
Username for each account
▫ Contact
List of synced contacts across all account platforms
▫ Event
Calendar entries (including birthdays of contacts if synced to Windows Live) and locations
▫ MeContact
Further details about owner accounts
▫ Person and PersonLink
Further details about each contact, including which account they link back to (e.g. Skype)
29. Unified Communication
• Locally cached contact entries are stored in this directory:
▫ Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps_xxxxx\LocalState\Indexed\LiveComm\xxxxxxxxxx\People\AddressBook
• Contact photos are stored in this directory (JPGs):
▫ Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps_xxxx\LocalState\LiveComm\xxxxxxxx\UserTiles
30. Twitter App
• History DB located in the following file:
▫ Users\user_name\AppData\Local\Packages\xxxx.Twitter_xxxxxxx\LocalState\twitter_user_id\twitter.sqlite
• SQLite3 format DB
▫ 11 tables in DB
Relevant tables:
messages – holds tweets & DMs
search_queries – holds searches conducted in the Twitter app by the user
statuses – lists latest tweets from accounts being followed
users – lists the user account and accounts being followed by the user
31. Twitter App
• Settings located in file:
▫ Users\user_name\AppData\Local\Packages\xxxxx.Twitter_xxxx\Settings\settings.dat
Includes user name (@xxxxx)
Details on profile picture URL
Twitter ID number
32. Skype App (legacy)
• The Skype App was discontinued with Windows 10
▫ Windows 10 prompts you to download the desktop
Skype application
33. OneDrive App
• Built in by default; the API allows all programs to save
files in OneDrive
• List of synced items located in file:
▫ Users\user_name\AppData\Local\Microsoft\Windows\OneDrive\settings\xxxxxxxx.dat
• Locally cached items are stored in directory:
▫ Users\user_name\OneDrive
34. Microsoft Office Apps
• With the release of the Windows Insider
program, Microsoft introduced the Office Mobile
Apps
▫ If you have a valid Office 365 account then you can
edit and create documents
Otherwise these Apps are read-only
35. Word App
• List of recent documents stored in the following file
(XML):
▫ Users\user_name\AppData\Local\Packages\Microsoft.Office.Word_xxxx\LocalState\AppData\Local\Office\16.0\MruServiceCache\xxxx_LiveId\ExcelDocuments_en-AU
• Cached files stored in this directory:
▫ Users\user_name\AppData\Local\Packages\Microsoft.Office.Word_xxxx\LocalState\OfficeFileCache
Files have an .FSD extension; the actual document data is embedded inside
Can be manually carved from the FSD file
36. Excel App
• List of recent documents stored in the following file
(XML):
▫ Users\user_name\AppData\Local\Packages\Microsoft.Office.Excel_xxxx\LocalState\AppData\Local\Office\16.0\MruServiceCache\xxxx_LiveId\ExcelDocuments_en-AU
• Cached files stored in this directory:
▫ Users\user_name\AppData\Local\Packages\Microsoft.Office.Excel_xxxx\LocalState\OfficeFileCache
Files have an .FSD extension; the actual document data is embedded inside
Can be manually carved from the FSD file
37. PowerPoint App
• List of recent documents stored in the following file
(XML):
▫ Users\user_name\AppData\Local\Packages\Microsoft.Office.PowerPoint_xxxx\LocalState\AppData\Local\Office\16.0\MruServiceCache\xxxx_LiveId\ExcelDocuments_en-AU
• Cached files stored in this directory:
▫ Users\user_name\AppData\Local\Packages\Microsoft.Office.PowerPoint_xxxx\LocalState\OfficeFileCache
Files have an .FSD extension; the actual document data is embedded inside
Can be manually carved from the FSD file
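The Word, Excel and PowerPoint apps (slides 35 to 37) share the same OfficeFileCache behaviour, so one carving example covers all three. The Python below is an added example, not the slides' own code: an OOXML document is itself a ZIP archive, so the carver scans for the ZIP local-file-header and end-of-central-directory signatures, validates each candidate slice with the standard zipfile module and reports what it contains. The FSD container around the document is a constructed stand-in; the real FSD framing is not modelled, and the carver deliberately does not depend on it.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of the first local file header
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record (22 bytes + comment)


def build_sample_fsd():
    """Constructed .FSD look-alike: filler bytes around an embedded OOXML (zip) document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document>Quarterly figures</w:document>")
    document = buf.getvalue()
    return b"\x01\x02" * 64 + document + b"\x00" * 128


def carve_zip_containers(data):
    """Find every ZIP archive embedded in data and verify it with zipfile.

    Returns a list of {offset, length, names, intact}; slices that do not open
    as a ZIP (false-positive signatures, truncated archives) are skipped.
    """
    results = []
    pos = 0
    while True:
        start = data.find(ZIP_LOCAL_HEADER, pos)
        if start < 0:
            break
        eocd = data.find(ZIP_EOCD, start)
        if eocd < 0 or eocd + 22 > len(data):
            break  # no complete end record after this header: archive is truncated
        (comment_len,) = struct.unpack_from("<H", data, eocd + 20)
        end = eocd + 22 + comment_len
        candidate = data[start:end]
        try:
            with zipfile.ZipFile(io.BytesIO(candidate)) as z:
                names = z.namelist()
                intact = z.testzip() is None  # CRC check on every member
        except zipfile.BadZipFile:
            pos = start + len(ZIP_LOCAL_HEADER)  # signature was not a real archive start
            continue
        results.append({"offset": start, "length": len(candidate), "names": names, "intact": intact})
        pos = end
    return results


def extract_member(data, hit, name):
    """Pull one member (e.g. word/document.xml) out of a carved archive."""
    blob = data[hit["offset"]:hit["offset"] + hit["length"]]
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return z.read(name)


if __name__ == "__main__":
    fsd = build_sample_fsd()
    for hit in carve_zip_containers(fsd):
        print(hex(hit["offset"]), hit["length"], hit["intact"], hit["names"])
        print(extract_member(fsd, hit, "word/document.xml").decode())
```

The same scan works on any cache that embeds OOXML or other ZIP-based formats; what it cannot tell you is which document a carved archive belonged to, so pair the result with the MruServiceCache XML from the same app when attributing it.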
38. OneNote App
• Cached files stored in this directory:
▫ Users\user_name\AppData\Local\Packages\Microsoft.Office.OneNote_xxxx\LocalState\AppData\Local\OneNote\16.0
• Files are stored with a .bin extension (xxxx.bin)
▫ Encoded binary files
▫ Embedded graphics such as PNG or JPG
41. Memory Acquisition
• WinPMEM (tested versions 1.6.2 & 2.0.1)
▫ Run as Administrator
Has to extract its driver to a local temp location
V1.6.2 running process ~10MB
V2.0.1 running process ~80MB
• FTK Imager
▫ Run as Administrator
Running process ~15MB
42. Live Disk Acquisition
• FTK Imager
▫ Can be used for Physical or Logical acquisition
• X-Ways Forensics
▫ Can be used for Physical or Logical acquisition