
Windows 10 Forensics  

bsmuir
(@bsmuir)
New Member

Hi DFIR analysts.

With the release of Windows 10 it's time to update our knowledge. I put together a brief guide to some of the OS and App artefacts of particular evidentiary value, as well as compatible imaging tools (RAM and live imaging).

Enjoy!

http://t.co/xSrywRO8ma

Posted : 30/07/2015 2:17 pm
harshbehl
(@harshbehl)
Member

Good work done man (Y)

Posted : 30/07/2015 2:33 pm
Igor_Michailov
(@igor_michailov)
Senior Member

Windows 10 Forensics
http://www.champlain.edu/Documents/LCDI/Windows%2010%20Forensics.pdf

A first look at Windows 10 prefetch files
http://blog.digital-forensics.it/2015/06/a-first-look-at-windows-10-prefetch.html

Posted : 30/07/2015 4:36 pm
bsmuir
(@bsmuir)
New Member

I have just posted my analysis of Cortana & the Notification Centre in Windows 10.

There are some very useful fields in these new parts of Windows 10, helping place a user at the keyboard and tracking their whereabouts.

Enjoy!

https://goo.gl/dVJSP0

Posted : 18/08/2015 3:25 am
Igor_Michailov
(@igor_michailov)
Senior Member

Nice! Thanks.

What about a Windows.edb file?

Posted : 18/08/2015 7:21 am
keydet89
(@keydet89)
Community Legend

Brent,

With the release of Windows 10 it's time to update our knowledge. I put together a brief guide to some of the OS and App artefacts of particular evidentiary value, as well as compatible imaging tools (RAM and live imaging).

Thanks for sharing this.

I'd like to add a couple of points of clarification…

Registry hives - do not forget that within the user profile, there is also a USRCLASS.DAT hive file; during the progression from XP -> Win7 -> Win8/8.1, more and more items of (evidentiary) value have been moved from the NTUSER.DAT to the USRCLASS.DAT hive. This includes Shellbags, etc.

Also beginning with Win8, there is a file named "AmCache.hve", which while not part of the Registry, follows the same format, so tools used to parse the Registry hives can also be used with this file. There was an update to Win7 around Dec, 2014 that "retro-fitted" Win7 with the file.

Many times when I'm talking to folks about Windows DFIR work, the question I get many times is, "…what is the new 'hotness'?" The problem with this is that most folks simply aren't aware of the "old hotness", so why is the "new hotness" such an issue. What I like about your presentation is that it points out those items that have not changed, whether it be file locations or formats, etc.

Great job, thanks for sharing this. Did you happen to look at Jump Lists?

Posted : 18/08/2015 7:20 pm
bsmuir
(@bsmuir)
New Member

Hi Harlan,

Yes, the slides are a work in progress, they have evolved since then to include many more artefacts, including UsrClass.dat and Shellbags.

NTUSER.dat
\SOFTWARE\Microsoft\Windows\Shell\Bags\

UsrClass.dat
\Local Settings\Software\Microsoft\Windows\Shell\Bags\

Registry Decoder provides a great way to parse Shellbags, along with many other great tools.

I will probably post the updated slides sometime shortly.

As for Jump Lists, yes I have taken a look at these too.

Jump Lists are located in the following directories:
\Users\user_name\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
\Users\user_name\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\

Jump List format has not changed, and they can be examined with numerous tools (e.g. JumpListsView, X-Ways Forensics, etc.).

Useful fields:
- Filename
- Created, Modified, Accessed dates/times
- Application ID (e.g. f01b4d95cf55d32a = Windows Explorer 8.1/10 - http://forensicswiki.org/wiki/List_of_Jump_List_IDs ).

There are of course a whole bunch of new Application IDs, which have yet to be fully documented.

As much as these older artefacts are interesting, I still believe that the invasiveness of Cortana provides a wealth of user information that cannot be located elsewhere, for example when and where a user was when they set a reminder, completed a reminder, searched for a business, or searched for a location.

These latitude/longitude details are great for pinning someone to a certain location, and if they have a Windows Phone (or multiple PCs) that they are logged into with the same Microsoft account, this information is synced across all devices - you're not going to get this information from the Registry hives.

Posted : 19/08/2015 4:34 am
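The Jump List points above (the AppID carried in the file name, and the Created/Modified/Accessed stamps of the embedded shell links) worked through as an added example; this is not bsmuir's or the thread's code. It assumes only the LNK header layout (0x4C header size followed by the shell link CLSID, then flags, attributes, three FILETIMEs and the file size) and the `<AppID>.automaticDestinations-ms` / `<AppID>.customDestinations-ms` naming scheme. The sample blob is constructed inline (filler bytes standing in for the container, two LNK headers), the only AppID in the lookup table is the Explorer one quoted in the thread, and the target path, which lives in the LinkInfo/StringData past the header, is not parsed.

```python
"""Carve shell link (LNK) headers out of a Jump List blob and decode their
FILETIME stamps; pull the AppID out of a Jump List file name.
Added example: sample data is constructed, no real Jump List is read."""
import re
import struct
from datetime import datetime, timedelta, timezone

# Every shell link starts with HeaderSize 0x4C followed by the LNK CLSID
# 00021401-0000-0000-C000-000000000046 (little-endian fields).
LNK_SIGNATURE = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
HEADER_SIZE = 0x4C
# Fields after the 20-byte signature: LinkFlags, FileAttributes, CreationTime,
# AccessTime, WriteTime, FileSize, IconIndex, ShowCommand, HotKey, 3 reserved.
_HEADER_BODY = struct.Struct("<IIQQQIiIHHII")
assert len(LNK_SIGNATURE) + _HEADER_BODY.size == HEADER_SIZE

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Only the ID given in the thread; the forensicswiki list maps the rest.
KNOWN_APPIDS = {"f01b4d95cf55d32a": "Windows Explorer (Windows 8.1/10)"}
_JUMPLIST_NAME = re.compile(
    r"^([0-9a-f]{16})\.(automaticDestinations|customDestinations)-ms$", re.IGNORECASE)


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Integer arithmetic only: float seconds lose precision at 1e17 ticks."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def jumplist_appid(filename):
    """Split '<appid>.<kind>-ms' into its parts; None for anything else."""
    m = _JUMPLIST_NAME.match(filename)
    if not m:
        return None
    appid = m.group(1).lower()
    return {"appid": appid, "kind": m.group(2),
            "application": KNOWN_APPIDS.get(appid, "unknown")}


def carve_lnk_headers(blob):
    """One dict per LNK header found anywhere in blob. CustomDestinations-ms
    files are a run of embedded shell links, so carving on the signature
    avoids having to understand the surrounding container."""
    found = []
    pos = blob.find(LNK_SIGNATURE)
    while pos != -1:
        if pos + HEADER_SIZE <= len(blob):
            (flags, attrs, created, accessed, written, size,
             _icon, _show, _hotkey, _r1, _r2, _r3) = _HEADER_BODY.unpack_from(
                blob, pos + len(LNK_SIGNATURE))
            found.append({
                "offset": pos,
                "link_flags": flags,
                "file_attributes": attrs,
                "created": filetime_to_datetime(created),
                "accessed": filetime_to_datetime(accessed),
                "modified": filetime_to_datetime(written),
                "file_size": size,
            })
        pos = blob.find(LNK_SIGNATURE, pos + 1)
    return found


def _make_lnk_header(created, accessed, modified, file_size):
    """Build a bare 76-byte LNK header for the constructed sample."""
    body = _HEADER_BODY.pack(0x0B, 0x20,  # HasLinkTargetIDList|HasLinkInfo|HasName; ARCHIVE
                             datetime_to_filetime(created), datetime_to_filetime(accessed),
                             datetime_to_filetime(modified), file_size, 0, 1, 0, 0, 0, 0)
    return LNK_SIGNATURE + body


# Constructed sample: filler for the container header, two shell links, filler.
SAMPLE_CREATED = datetime(2015, 7, 29, 10, 15, 0, tzinfo=timezone.utc)
SAMPLE_MODIFIED = datetime(2015, 8, 18, 3, 25, 0, tzinfo=timezone.utc)
SAMPLE_BLOB = (
    bytes(32)
    + _make_lnk_header(SAMPLE_CREATED, SAMPLE_MODIFIED, SAMPLE_MODIFIED, 4096)
    + bytes(40)
    + _make_lnk_header(SAMPLE_CREATED, SAMPLE_CREATED, SAMPLE_CREATED, 0)
    + bytes(8)
)

if __name__ == "__main__":
    print(jumplist_appid("f01b4d95cf55d32a.automaticDestinations-ms"))
    for h in carve_lnk_headers(SAMPLE_BLOB):
        print(hex(h["offset"]), h["created"], h["modified"], h["accessed"], h["file_size"])
```

The carving approach is deliberately container-agnostic: the same loop works on a CustomDestinations-ms file, on a LNK extracted from an AutomaticDestinations-ms compound file, or on unallocated space, and the FILETIME conversion is the one piece that must not be done with floating point.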
trewmte
(@trewmte)
Community Legend

- Application ID (e.g. f01b4d95cf55d32a = Windows Explorer 8.1/10 - http://forensicswiki.org/wiki/List_of_Jump_List_IDs).

Good work on the guide, appreciate your time and effort bsmuir... thanks

One point about your post above: the Jump List ID web-link leads to a page not yet created, as the web-link ends with a ).

http://forensicswiki.org/wiki/List_of_Jump_List_IDs

Posted : 19/08/2015 9:34 am
nealastle1
(@nealastle1)
New Member

hello Brent

Many thanks for taking the time to write this very useful and informative guide.

Posted : 19/08/2015 1:57 pm