
Page 1: MohamudKulmiye--BSc (Hons)-Project

BSc (Honours) in Computing Digital Forensics & Cyber Security

Digital Forensic Examinations On The New Features Of Windows 10 System

Author: Mohamud Kulmiye

Supervisor: Michael Hegarty

School of Computer Science and Informatics

19 May 2016

Page 2: MohamudKulmiye--BSc (Hons)-Project

2 of 85 19 May 2016

Declaration:

I hereby declare that the work I submit towards the Honours Bachelor of Science in Digital Forensics and Cyber Security to the Institute of Technology Blanchardstown, under the guidance of Michael Hegarty, is my own work and has not been taken from the work of others unless clearly cited and referenced.

Signed: Mohamud Kulmiye _________________

Date_____/_______/________________


Acknowledgments:

I would like to express my thanks and appreciation to my beloved family for their endless support and encouragement to pursue further study; without their encouragement, I would not be where I am today.

I would like to express my thanks and appreciation to my wife, Fahmo Fidow; I am immensely thankful for her continued support during the last four years.

I would also like to express my gratitude to my supportive and helpful friends who have taken part in the success of completing this project and during my time in ITB.

Finally, I would like to extend my deepest gratitude to my helpful supervisor, Michael Hegarty, for his encouragement, support and guidance throughout this project and my time in ITB.


Abstract

The Microsoft Windows 10 operating system is predicted to become one of the most widely used operating systems in the world. It can run on a variety of devices, including smartphones, desktops, tablets and laptops.

Windows 10 presents a range of new features not seen in previous Windows operating systems, such as Cortana (a personal digital assistant), the Notification Centre, the Edge browser, Windows 10 applications such as the email app, and unified communication applications such as OneDrive, Facebook and Twitter.

The aim of this paper is to discover and investigate these new features of Windows 10 and the challenges that could be faced by forensic investigators who need to locate potential evidence within them.

The outcome of this research will be useful to a forensic examiner who encounters systems running Windows 10; the findings include the locations where the artefacts of the new features can be found and how these artefacts are saved.

The plan for this project is to set up a machine running Windows 10 with the new features in a virtual environment, then investigate each new feature's artefacts, including how and where their data is stored in the system. A forensic examination will be performed on each new feature's artefacts, and the impact they could have on the digital forensic investigation process will also be investigated.

After successful completion of the investigation and research, I will produce a report detailing the investigation, results and findings, and will answer the following three research questions, which were developed for this research:

1. Where in the system can the artefacts of the new features of Windows 10 be found?

2. How can these new artefacts be used to help build presentable evidence in a court of law?

3. What artefacts can be found from the Unified Communications of Windows 10?


Table of Contents

1 Table of Figures ... 8
2 Table of Tables ... 10
3 Chapter 1 ... 11
3.1 Introduction ... 11
3.2 Brief History of Digital Forensics ... 12
3.3 Overview of Windows Forensics ... 13
3.4 Problem Statement ... 14
3.5 Motivations for the Project ... 15
3.6 Project Task Scheduling ... 16
4 Chapter 2: Literature Survey ... 17
4.1 Brief History of Windows Platform ... 17
4.2 Review of Windows 10 Research ... 18
4.3 Differences between Windows 10 and Windows 8 & 7 ... 20
4.4 Digital Forensic Process Models ... 21
4.5 Digital Forensic Problems with Windows 10 ... 22
5 Chapter 3 ... 23
5.1 New Features of Windows 10 ... 23
5.2 The Research Area ... 23
5.2.1 Operating System Artefacts ... 23
5.2.2 Application Artefacts ... 25
5.3 Existing Digital Forensic Process ... 27
6 Chapter 4 ... 28
6.1 Adopted Approach ... 28
6.2 Approach Taken for the Project ... 30
6.2.1 Lab Set Up ... 31
6.2.2 File System ... 32
6.2.3 Metadata ... 32
6.2.4 Generation of Evidence Data ... 33
6.2.5 Test Image Baseline ... 34
6.2.6 E01 Image (Image Format) ... 34
6.2.7 Acquiring the Images ... 34
6.2.8 Image Integrity ... 36
7 Chapter 5 ... 37
7.1 Evidence Examination ... 37
7.2 Cortana Artefacts ... 39
7.3 Notification Centre ... 46
7.4 Windows 10 Start Menu ... 48
7.5 Edge Browser ... 51
7.6 Windows Apps ... 55
7.7 Unified Communications ... 59
7.7.1 Facebook ... 59
7.7.2 Twitter ... 63
7.7.3 OneDrive ... 65
7.8 Quick Access Folder ... 69
8 Chapter 6 ... 71
8.1 Findings ... 71
8.2 Research Questions and Answers ... 76
9 Chapter 7 ... 77
9.1 Conclusions ... 77
9.2 Limitation of the Research ... 78
9.3 Further Research ... 79
10 Chapter 8 ... 80
10.1 References ... 80
10.2 Bibliography ... 82
11 Appendices ... 83
11.1 Appendix A ... 83
11.2 Appendix B ... 84
11.3 Appendix C ... 85

1 Table of Figures:

Figure 1: Market share of Windows 10 ... 19
Figure 2: Windows operating system lifecycle support ... 20
Figure 3: DFRWS phases ... 27
Figure 4: The system used ... 29
Figure 5: Adopted digital forensic process for the project (created by author) ... 30
Figure 6: Selecting the drive of interest to be imaged ... 34
Figure 7: E01 was the chosen image format ... 35
Figure 8: Filling in the case details ... 35
Figure 9: MD5 and SHA-1 hash of the image ... 36
Figure 10: MD5 hash comparisons ... 37
Figure 11: Creating a new case with OSForensics ... 38
Figure 12: Importing the image into OSForensics ... 38
Figure 13: Cortana Indext.db database ... 39
Figure 14: Index.edb tables ... 40
Figure 15: CortanaIndexDB.edb IndexCatalog ... 41
Figure 16: Timestamps of CortanaDB.dat ... 41
Figure 17: CortanaDB.dat has 23 tables ... 42
Figure 18: Cortana event location trigger ... 42
Figure 19: Cortana task reminder ... 43
Figure 20: Cortana shows Dublin weather forecast ... 44
Figure 21: Cortana shows top news headlines ... 44
Figure 22: Cortana stores recent location search and favourite places ... 44
Figure 23: Cortana stored favourite location ... 45
Figure 24: Notification folder ... 46
Figure 25: Notification appdb.dat hex ... 46
Figure 26: Toast notification pops up received Facebook message ... 47
Figure 27: Toast notification of received email ... 47
Figure 28: System notification security threat alert ... 48
Figure 29: Windows 10 Start menu files ... 49
Figure 30: Start menu shows most recent programs ... 49
Figure 31: The actual location of the Sky app is revealed ... 50
Figure 32: Metadata tab again shows useful information about the program ... 51
Figure 33: Microsoft Edge Database.ed ... 52
Figure 34: Edge browser IndexDB.db contains database tables similar to Cortana's ... 52
Figure 35: Microsoft Edge cached files ... 53
Figure 36: Microsoft Edge browsing history ... 53
Figure 37: Readable Microsoft browsing history ... 54
Figure 38: List of the user's favourite websites ... 54
Figure 39: Email application showing in the Comms\Unistore\data folder ... 55
Figure 40: aggregatecache.uca contains email contacts ... 55
Figure 41: Contents of the \data\3 folders ... 56
Figure 42: Emails found in the data/3/c folder ... 56
Figure 43: Sent and received emails found in the Windows 10 email app ... 57
Figure 44: One of the emails shows that a meeting was arranged for Saturday ... 57
Figure 45: Emails directory \Commons\UnistoreDB ... 58
Figure 46: USS.log file revealed exchanged emails and email addresses ... 58
Figure 47: Facebook DB directory contents ... 60
Figure 48: List of Facebook friends along with their full details ... 60
Figure 49: Facebook friend request notifications ... 61
Figure 50: Facebook message received ... 61
Figure 51: Users table contains the list of users that exchanged messages ... 61
Figure 52: Showing the location of friends of friends ... 62
Figure 53: Profile table shows the list of friends and groups that one of the friends has ... 62
Figure 54: Facebook setting directory ... 63
Figure 55: Twitter application setting ... 63
Figure 56: Hex view of the Twitter app's setting.dat file ... 64
Figure 57: Twitter local state directories ... 64
Figure 58: OneDrive data synced folder ... 65
Figure 59: OneDrive synced .dat file ... 65
Figure 60: OneDrive local cache files ... 66
Figure 61: Documents found in the OneDrive local cache ... 66
Figure 62: OneDrive local cache text file ... 67
Figure 63: Journal file that was recovered ... 67
Figure 64: OneDrive local cache Pictures folder ... 68
Figure 65: Images found in the OneDrive local cache ... 68
Figure 66: Most recent file links used by the user ... 70
Figure 67: The original location of the file revealed ... 70
Figure 68: Windows comparisons ... 83
Figure 69: Windows 10 Start menu combines the live tiles of Windows 8 with the Windows 7 style ... 84
Figure 70: SANS Windows artefacts analysis evidence (Appendix C) ... 85


2 Table of Tables

Table 1: Project tasks ... 16
Table 2: Virtual machine specifications ... 31
Table 3: Installed applications; Table 4: Forensics tools used ... 31
Table 5: Metadata files description in NTFS ... 32
Table 6: Generated data ... 33
Table 7: Cortana artefacts (source: the author) ... 71
Table 8: Notification Centre artefacts (source: the author) ... 72
Table 9: Start menu artefacts (source: the author) ... 72
Table 10: Edge browser artefacts (source: the author) ... 73
Table 11: Quick Access artefacts (source: the author) ... 73
Table 12: Email app artefacts (source: the author) ... 74
Table 13: Unified Communications artefacts (source: the author) ... 75


3 Chapter 1

3.1 Introduction

Digital forensic examiners need to understand how current digital forensic processes interact with new technologies, such as a new version of an operating system, and how to examine and analyse those technologies with current digital forensic processes and tools.

The worldwide recognition of the Microsoft Windows operating system has made it a prime target for cyber criminals. These attackers target not only large organizations such as Microsoft but also small companies, governments, individual users and non-profit organizations, in order to access sensitive information such as credentials and credit card information (Forensic, 2011).

The new release of Microsoft Windows 10 presents new features which have not yet been examined and analysed; these new and improved features will pose challenges to any forensic examiner who needs to acquire evidence from them.

The main objective of this research is to investigate how the new features of the Windows 10 operating system store their artefacts and where in the system those artefacts are stored. The project has two phases: the first is research into the new features of Windows 10, and the second is a forensic investigation of these features, establishing where in the system their artefacts can be found and how they are stored. The new features are: Cortana, Notification Centre, Edge browser, the new Start menu, Quick Access, and Unified Communication (UC) applications such as Facebook, Twitter and Skype.

The outcome and findings of this research will be very useful to a digital forensic examiner who needs to acquire artefacts of these new features of Windows 10. The following three questions were developed to guide this research paper:

1. Where in the system can the artefacts of the new features of Windows 10 be found?

2. How can these new artefacts be used to help build presentable evidence in a court of law?

3. What artefacts can be found from the Unified Communications of Windows 10?

3.2 Brief History of Digital Forensics

As far back as the 1970s and before, very few crimes were committed using computers or other digital devices, and when such crimes did occur the authorities prosecuted the individuals under existing laws, such as anti-fraud laws, because no computer crime legislation existed.

It is believed that the first legislation regarding crimes committed using computers was the 1978 Florida Computer Crimes Act, which was directed against the "unauthorized modification or deletion of data on a Computer System" (Casey, 2004).

After that, law enforcement agencies gradually realised the need for computer crime legislation, due to the rapid increase in crimes committed using computers and other digital devices.

Around the mid-1980s, the FBI and other law enforcement agencies began to develop digital forensic tools that could be used to investigate and analyse computer and digital evidence (Noblett et al., 2000).

Computer crime law must be applied when putting forward any digital evidence to a court of law; such evidence must comply with rules such as safeguarding its integrity and verifying it throughout the course of the investigation.


3.3 Overview of Windows Forensics

The wide use of the Windows operating system in personal and business settings leads cyber criminals and malicious attackers to commit crimes using these systems; as a result the number of breaches has risen, and the successful prosecution of these crimes relies on digital forensic investigation carried out with accepted digital forensic tools.

Digital forensic investigation of a Windows system involves analysing a substantial volume of evidence obtained from various system files, directories and unallocated space on the disk. Nevertheless, particular attention must be paid to the unique prerequisites of digital forensic investigation and analysis of Windows system artefacts, such as identifying the timestamp of an item of data found on the system that could be used as evidence in a court of law (Nelson et al., 2008).

The Windows operating system provides plenty of artefacts which a forensic investigator can examine, and these artefacts may be unique to each user on the system. Historically, Windows forensic artefacts can be broken down into two categories: OS artefacts and application artefacts.

Operating System artefacts

System artefacts provide a wealth of information for a forensic examiner, including the file system, partition information, shellbags, prefetch files, LNK files and event logs, which contain unique information about what was happening on the system while a particular user was active. Another rich source of operating system artefacts for forensic investigation is the registry hives, such as the per-user hive (NTUSER.DAT) and the SYSTEM and SECURITY hives under System32\config.


Application artefacts

These artefacts are owned by applications installed on the system, such as the Microsoft web browser, email applications, and other third-party applications including, but not limited to, Twitter, Facebook, Skype, and Microsoft Office applications such as Word, Excel and PowerPoint.

Information on which applications are installed on the system can be located in the Windows registry, which holds data on the programs installed on the system.

3.4 Problem Statement

When performing a forensic investigation on a Windows system there are many problems that can be faced, despite significant improvements in digital forensic procedures over the last decades.

A wide range of challenges can arise throughout the digital forensic process, and these can be overcome by ensuring that relevant data is available for the prosecution of crimes committed using digital devices such as computers.

The release of Windows 10 means that, from July 2015, many devices including laptops, desktop PCs, tablets and smartphones may use the new operating system, which presents some promising tools to enhance the user experience, such as the personal digital assistant (Cortana) and many more.

While these features might look interesting to some users, they will undoubtedly bring new challenges for the digital forensic investigator who wants to acquire evidence from these new artefacts.


3.5 Motivations for the Project

Technology nowadays forms an important part of people's lives, from personal computers to the widespread use of smartphones, and companies rely on technology to perform their day-to-day business transactions.

The growth of technology in daily life has led to a major increase in digital crimes, including online financial fraud and identity theft.

The popularity of the Windows operating system leads criminals to use these systems as an accessory tool for their crimes, and digital forensic investigators have to play a major part in countering and defending against these digital crimes.

As a result, the motivation for this research on the Windows 10 system is that Windows 10 is a relatively new system which has brought along new features not seen in previous Windows platforms.

As a forensic examiner, I would like to explore and research the challenges and obstacles that could halt a forensic investigation when such system artefacts are encountered and evidence needs to be obtained from them. The findings of the research will provide a wealth of information about how and where these new artefacts store their data on the system, and will provide steps that could be used to obtain this valuable data. The research will be concluded by answering a set of questions developed for the purpose of this research.


3.6 Project Task Scheduling

This project is worked on three days each week: Monday, Thursday and Saturday. Table 1 shows each task performed for the successful completion of the project:

Table 1: Project tasks

Project task

Project proposal write-up

Research Windows 10 new features

Research the forensic tools which could be used for the project

Prepare the image, including evidence files and image acquisition

Analyse the findings for the Windows 10 new features' artefacts

Answer the research questions using the findings

Write thesis


4 Chapter 2: Literature Survey

4.1 Brief History of Windows Platform

The Microsoft operating system family began in 1981, when Microsoft produced its very first operating system, MS-DOS; it was simple to use, and the user performed tasks by typing commands into the terminal.

Four years later, Microsoft released Windows 1.0, which was based on a graphical user interface (GUI) rather than DOS commands and empowered users with a user-friendly interface in which windows were accessed by clicking (IBN Live, 2012). Windows 2.0 followed three years later with an enhanced graphical interface.

Between 1990 and 1994, Windows 3.0 and 3.1 were released by Microsoft, offering better performance and graphical icons than the previous operating systems.

In August 1995, Windows 95 was released to the market. It had many more improvements, such as a new user interface, plug and play, Internet access and support for 32-bit applications; all these improvements allowed it to run much faster, and it was considered one of the crucial releases that Microsoft has produced (Microsoft US, 2011).

Windows XP was launched in 2001 with a better user interface, and it was a more dependable and stable system than any of the previous versions. Windows XP offered better mobility by utilizing 802.11X wireless; by far, Windows XP was Microsoft's best-selling product (IBN Live, 2012).

Microsoft released the Windows Vista operating system in November 2006. It was considered a failure when compared to the previous operating system, as it failed to improve the user experience, and hence it forced some users to downgrade to Windows XP, the earlier operating system.

In October 2009 Microsoft released its latest Windows operating system, Windows 7, which was the successor to Windows XP. More than 700 million users around the world use Windows 7 as their operating system; it has overtaken the popularity of Windows XP and it is a much more stable environment when compared to the previous Windows versions (Warren, 2012).

Windows 8 was released onto the market in August 2012, and it saw a complete redesign of the Windows operating system in terms of its look and how certain tasks are performed, such as the Metro design interface: when the user logs on to the system, instead of the traditional desktop the system presents the Metro interface, which shows a set of icons representing applications.

According to yahoo.com, Windows 8 and the later version, Windows 8.1, both failed to accomplish their design intentions; only about 13 percent of users have upgraded from Windows 7, and almost 51 percent of desktops still use the Windows 7 operating system (yahoo.com, 2014).

Microsoft released the successor of Windows 8 in July 2015. Windows 10 combines features of Windows 8 and Windows 7, such as the old Start menu on the desktop, with enhanced security and plenty of new features such as fast start-up, built-in security, a new browser (Edge), Cortana and many more (Branscombe, 2015).

4.2 Review of Windows 10 Research

Since the launch of Windows 10 in July 2015, it has overtaken Windows XP and 8.1 to take second place among the most widely used desktop operating systems. Windows 10 reached a global market share of 11.58 percent in January 2016 compared to December of the previous year, and there are signs of a speedy recovery from its slow growth in market share, as stated in a blog post by Protalinski, E. (2016).

Below is the market share of Windows operating systems in January 2016 from http://venturebeat.com


Figure 1: market share of windows 10

According to an article by Whitney L., a NetMarket researcher, the growth of Windows 10 might signal that the new version of the Windows operating system has grasped the awareness needed in the mainstream, and that Windows 10 is user friendly and very appealing when it comes to user experience.

Windows 10 can be upgraded to from Windows 8 and 7 for free; Microsoft is trying to push the move from the previous Windows platforms to Windows 10 at no cost by displaying reminder pop-up messages on users' computers (Whitney, L. 2016).

Although some users might get annoyed by these pop-up windows, on the other hand Microsoft without doubt sees them as a big help. However, the upgrade is optional for now, and Microsoft is planning to continue with this strategy to convey its message and get its users to install the new version of the operating system by changing the pop-up messages to a recommended upgrade, in the hope of attracting more users from the previous Windows versions (Whitney, L. 2016).


4.3 Differences between Windows 10 and Windows 8 & 7

In this section a quick comparison between Windows 10 and the previous Windows platforms, including Windows 8 and Windows 7, will be made.

Since the launch of Windows 10 in the summer of 2015, the new operating system has been downloaded at least 14 million times, and Microsoft revealed that the decision to make the switch to Windows 10 from the previous Windows platforms free played a key role in the publicity and downloads of the new operating system (Kelly G, 2015).

There are many differences between Windows 10 and Windows 7 and Windows 8, but the ones that make the upgrade to Windows 10 worthwhile are the longer service support and the free switch to Windows 10 for a limited time (Kelly G, 2015).

The longer service support might be one of the key reasons to make the switch: Microsoft will provide support for the new operating system 5 years longer than for the previous Windows versions. The support falls into two parts, Mainstream and Extended support. The end of Mainstream support marks the end of adding or upgrading features and is less important, whereas Extended support is crucial because its end marks the end of updates such as security fixes and improvements; see Figure 2 (Windows OS Lifecycles), which shows the support lifecycles of the Windows platforms from Windows XP to Windows 10 (Kelly G, 2015).

Figure 2: Windows Operating System Lifecycles Support


Microsoft provides a table comparing the new and improved features of the Windows 10 desktop with the previous Windows operating systems; see Appendix A.

4.4 Digital forensic process models

A digital forensic investigation has several phases which the actual investigation has to follow, and the principle behind designing a digital forensic process model is to gain a scientific understanding of the forensic process (Pollit, 2004).

Dampier and Tanner, in their paper titled "An Approach for Managing Knowledge in Digital Forensics Examinations", described how the increasing size of digital device storage is making forensic investigations more complex and harder, and proposed a possible solution of developing examination standards, such as using diagrammatic specifications in each forensic process (Dampier and Tanner, 2010).

Richard Adams stated in his paper titled "The Advanced Data Acquisition Model (ADAM)" that there is no single standard forensic process that is broadly accepted; however, he went on to argue that a specific forensic model may have been developed for one environment, such as incident response, and may not be usable as a forensic process model in other environments, such as law enforcement (Adams, 2013).


4.5 Digital Forensic Problems with Windows 10:

One of the main problems with digital forensic investigation of Windows 10 is that there are compatibility issues between digital forensic tools and the new operating system, and enough study papers and articles recommending which digital forensic tools can and cannot work with the new Windows 10 could not be sourced.

Digital forensic consultant Siewert (2015) reported that there are immense compatibility problems between digital forensic tools and the new OS, Windows 10. In his article he stated that Cellebrite UFED was one of the forensic tools that had compatibility issues, and he also gave the following guidelines to be followed before moving the digital forensic lab environment to the new operating system, Windows 10:

Back up the previous forensic Windows machine before upgrading to the new OS.

Consider installing a virtual environment or an alternative machine alongside the current forensic environment.

Research compatibility issues between Windows 10 and the forensic tools you are using.


5 Chapter 3:

5.1 New Features of windows 10

Microsoft's new operating system, Windows 10, brought along many new features that enhance the user experience. The goal of this paper is to research and forensically examine the following features of the new operating system: Cortana, Edge browser, E-mail, Unified Communications (Facebook, Twitter), Notification Centre, New Start Menu, Quick Access (Files and Folders), and One Drive data storage.

5.2 The Research Area:

The research is divided into the following areas of the Windows 10 operating system: operating system artefacts and application artefacts. The aim of the project is to look at specific new and improved artefacts of Windows 10, explore those artefacts and produce findings on how and where they store their data, which could be of interest to a forensic examiner who needs to build a forensic case.

The research will also focus on answering research questions that were specifically designed for this thesis. These questions, along with the findings of the report, will aid a digital forensic examiner who encounters such a system and needs to investigate and find evidence within the system artefacts. The following are the two sections of the research into the new features of the Windows 10 operating system.

5.2.1 Operating System artefacts

Operating system artefacts can be defined as any metadata saved by features which are native to the operating system. For the purpose of this paper the scope of these artefacts will be limited to artefacts saved by the following features.


5.2.1.1 New Start Menu:

The new Start menu brings a radical improvement to the user experience. After the Metro style of Windows 8, consumers who were accustomed to the familiar Start menu in Windows 7 had significant difficulty with the Windows 8 user experience without the Start menu; as a result, Windows 10 offers a better user experience by bringing together the best parts of Windows 7 and Windows 8, such as the Metro style of Windows 8 inside the Start menu. See Appendix B for the look of the new Start menu of Windows 10 (Microsoft Press, 2015).

The Start menu could hold useful information for a forensic examiner, such as recent files and applications that were accessed by the user, which could be used when examining user activity on the system.

5.2.1.2 Notifications Centre

The Notification Centre provides comprehensive information about changes that are happening in applications; it is a great way to find any issue with an application or with updates. Basically, it organises all the notifications from the apps, and it is located on the bottom bar of the desktop just to the left of the clock (De Looper, 2015).

The Notification Centre, which holds system notifications, including but not limited to security warnings, as well as application notifications such as unopened emails, could be of interest to digital forensic investigators.

5.2.1.3 Cortana

Microsoft has improved the user experience with the digital personal assistant (Cortana). It allows users to combine local and Internet search using just voice commands; it has the ability to perceive the intended meaning of spoken words and transform these instructions into a search, as well as sending email, scheduling appointments and much more (Bott, 2015).

It uses the Windows Live account that was used when the system was set up, and also, if you sign in to social media applications such as Facebook, Twitter and LinkedIn, Cortana will have access to the contacts you have in these applications and can then send messages. If you want to use voice commands to write emails or perform searches, you need to have a detectable microphone.

The digital personal assistant (Cortana) could hold valuable information when performing a forensic investigation on a Windows 10 system; for example, a forensic examiner could look at the daily tasks that Cortana was used to perform, such as the web search history and local searches, and simple queries including fixed appointments.

5.2.1.4 Quick Access:

Quick Access is another new feature of the Windows 10 operating system which has replaced the Favorites tab in Windows File Explorer. Quick Access contains the shortest path to the folders and files that you have been using; these are also called the most frequent folders and recent files.

The aim of this section is to investigate and examine the contents of the Quick Access folder, which has the most recent files and folders the user was working on, and to see if it contains any useful evidence which could aid the digital forensic investigation process.

5.2.2 Application Artefacts

Application artefacts are artefacts which are saved by software applications installed on the system; the scope of this project covers artefacts from the following applications.


5.2.2.1 Edge Browser

Microsoft announced Project Spartan as the successor of Internet Explorer; it is called the 'Edge browser'. The new browser comes with new features such as a new search engine and PDF support, and it has a reading mode which improves the layout of a page. It also comes with a plug-in which allows you to take notes and share them with your friends while surfing the net, and it also supports Cortana for doing online searches when required (Low, 2014).

The new Windows 10 web browser could be one of the places to look for a major source of valuable information when performing a digital forensic investigation on a Windows 10 system, and it would be very interesting to see the type of forensic artefacts that the Microsoft Edge browser leaves behind.

5.2.2.2 Windows Apps

Windows 10 has been integrated with tons of useful applications such as Maps, E-mail, Photos and Calendar, and these applications are well integrated with Cortana (your personal digital assistant), which is ready to help with daily tasks such as keeping appointments, emails, weather forecasts and traffic updates (De Looper, 2015).

5.2.2.3 Unified Communications:

Unified Communications brings all the social media applications such as Facebook, Twitter, etc. into one platform, which makes it easy for users to quickly access these applications. Facebook and Twitter will be examined for the purpose of this research.


5.2.2.4 One Drive

One Drive storage has been around since the release of Windows 8, and it has been improved; it provides 15 GB of free online storage when used with a Microsoft email account, which could be useful for storing valuable information on the go.

For the purpose of this research, One Drive storage will be examined for artefacts that could be left on the system used, rather than the online storage, which raises debatable legal issues as well as forensic challenges in the area of cloud forensics.

5.3 Existing Digital Forensic Process

Casey (2004) wrote a book titled "Handbook of Digital Forensics and Investigation", in which he defines the following three steps, acquisition, analysis and reporting, as the most widely used digital forensic process in computer and mobile digital forensic examinations and analysis.

The Digital Forensic Research Workshop (DFRWS) developed a digital forensic process in their book titled "A Road Map for Digital Forensic Research" (2001), and defined each phase of a digital forensic investigation as follows:

Figure 3:DFRWS Phases


Identification: In the identification phase, the examiner must identify whether there is an incident to be investigated.

Preservation: The preservation phase deals with how to maintain the chain of custody, and the evidence must be preserved until it is presented in court.

Collection: The collection phase describes the collection of information and the method used to acquire the evidence and put it forward for further analysis.

Examination: This phase discusses the method used to view the evidence.

Analysis: This phase must discuss the forensic techniques and tools used by the forensic examiner to analyse the evidence.

Presentation: This is the last phase, and it must discuss the method used to examine the evidence and present it to a court of law; the importance of this section is that the examiner must use suitable forensic tools and processes.

6 Chapter 4

6.1 Adopted Approach

To achieve the purpose of this research, a fresh Windows 10 Home edition was installed on a virtual machine rather than a physical machine, due to lack of resources. The hosting machine is an ACER laptop that has 8 GB of RAM and a one terabyte hard drive, and has a licensed Windows 10 Home edition operating system.


Figure 4: The system used

Below is the list of the new features in the Windows 10 system that will be forensically investigated and examined using digital forensic tools, while following the existing digital forensic processes described earlier.

Windows 10 has the following new features:

Cortana

Edge browser

Windows 10 Applications (Mail)

Unified Communications (Facebook and Twitter)

Notification Centre

New Start Menu

Quick Access (Files and Folders)

One Drive data storage


6.2 Approach Taken for the Project

There is no single standard process for performing a digital forensic investigation on a system; however, the DFRWS framework and NIST created three different digital forensic processes that are used for building forensic laboratories and for incident response, and the core of these processes gives importance to the chain of custody and the documentation of the evidence (DFRWS, 2001).

Instead of using the six phases of the Digital Forensic Research Workshop (DFRWS) process, it was decided to adopt a shorter forensic process derived from the six DFRWS phases; the adopted phases are as follows: Evidence Collection, Evidence Examination and Evidence Presentation.

Figure 5: Adopted digital Forensic process for the project – created by author

Evidence Collection: This phase deals with identifying and collecting the evidential items.

Evidence Examination: This phase is used to examine the evidence data that could be related to the case under investigation.

Evidence Presentation: The presentation phase must discuss the method used to examine the evidence, with clear documentation which is presentable to a court of law.


6.2.1 Lab set up:

Table 2: Virtual machine specifications

VMware Workstation Version: 10

Memory: 4 GB

Processor: Quad core processor

Hard Drive: 60 GB

Operating System: Windows 10 Home Edition

User / Email: [email protected]

Twitter account name: @FinalYear

Facebook account name: FinalYear

Table 3: Installed Applications

Installed applications on the system:

Facebook

Twitter

Email

Table 4: Forensics Tools Used

Forensic tools used:

FTK Imager

OS Forensics


6.2.2 File System

The new version of Microsoft Windows, Windows 10, supports a combination of three file system technologies: NTFS (New Technology File System), the FAT32 file system, and exFAT, which replaced the old FAT32 file system.

6.2.3 Metadata

Metadata files aid the process of discovering pertinent information about particular data, such as $MFT, $Volume and $LogFile; see the table below for examples of the metadata files, adopted from (Solomon & Russinovich, 2000).

Table 5: Metadata files description in NTFS

Metadata File: Description of the File

$MFT: Stores the MFT records

$MFTMirr: Contains a partial backup of the MFT

$LogFile: Transaction logging file

$Volume: Contains volume information such as label, identifier and version

. (dot): Root directory of the file system


6.2.4 Generation of evidence Data

Data generation was done using each of the chosen artefacts of Windows 10, and it involved using the features in scenarios close to real-life usage, including the use of Cortana for sending emails, setting up reminders and appointments, and traffic updates, being as inclusive as possible in the creation of the evidence data for the image. See the table below, which shows each feature and its expected data.

Table 6: Generated Data

Artefact: Expected evidence data to find:

Cortana (Digital Personal Assistant): How Cortana stores its data, i.e. file format, and where it can be found in the system, and any other useful data that could aid a forensic investigation.

Notifications Centre: How the Notification Centre stores its data, i.e. file format, and where it can be found in the system, including the application and system notifications.

Start menu: Most recent programs/applications that were accessed.

Quick Access: Most recent files and folders that were accessed by the user.

One Drive Storage: Files that were saved in the OneDrive folder.

Facebook / Twitter application: Where in the system the Facebook and Twitter applications are stored and how they store their data, i.e. file format, and any useful information that can be found.

Edge browser (Spartan Project): Browser history such as visited pages.


6.2.5 Test Image Baseline

After setting up the environment for the project and creating all the evidence data that was required for the investigation of these Windows 10 artefacts, the free version of the AccessData FTK Imager was used to image the VMware machine. There are plenty of other tools that can perform data acquisition, but FTK Imager is one of the most widely used digital forensic tools for imaging systems.

6.2.6 E01 Image (Image format)

The E01 image format was used for the project due to its popularity; most industry standard software such as EnCase and OS Forensics supports this type of image format. The E01 format performs error checking while acquiring the image and, unlike the DD format, the E01 format produces a single image which can be compressed if required during the acquisition.

6.2.7 Acquiring the Images

This section provides a quick overview of how the image was acquired using FTK Imager version 3.1.2. The disk was the 60 GB VMware Windows 10 Home edition disk, and for the purpose of the project the entire disk was imaged.

After the initial start of the FTK Imager tool, the following steps were taken to start the process: click the File menu and select the Create Disk Image option.

Figure 6: Selecting the interested drive to be imaged


After selecting the drive to be imaged and clicking the Finish button to proceed to the next section, which was choosing the image type, the E01 option was selected; figure 5 shows the E01 option being selected:

Figure 7: E01 was the chosen image format

After that, the Finish button was clicked again to proceed to the next part, which was filling in the case details such as case number, examiner name, etc.; see below.

Figure 8: Filing the case details


6.2.8 Image integrity

At this stage FTK Imager had finished imaging successfully. One of the great things about FTK Imager is that it provides an option to verify the image integrity: it computes unique MD5 and SHA-1 hashes, which then help to ensure the preservation of the chain of custody of the image before proceeding to the next part, the analysis and examination stages of the digital forensic process; see figure 7 for the MD5 and SHA-1 hashes of the image.

Figure 9: MD5 and SHA-1 hash of the image


7 Chapter 5:

7.1 Evidence examination

The OS Forensics tool was used to perform the forensic examination of the image, which was acquired using FTK Imager. The decision to use this tool was influenced by the digital forensic tool evaluation project which was done by me and two fellow students last year. However, one of the main reasons which attracted me to use it for my thesis was its ease of use and its capability of performing the required forensic tasks, along with the optional features that come with the tool, such as the SQLite3 viewer, ESE database viewer and file explorer, which were used during the examination of the image.

Before starting the examination of these new Windows 10 artefacts, first and foremost it is crucial to preserve the chain of custody of the forensic evidence. One of the ways to ensure that the evidence data has not been tampered with in any way is to compare the MD5 hashes of the image, which were provided at the completion of the image acquisition by FTK Imager, using any tool capable of performing such comparisons. Luckily, OS Forensics has a feature to perform hash comparisons; figure 10 shows both hashes being compared.

Figure 10: MD5 hashes comparisons
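As an added example (not part of the thesis and not code from FTK Imager or OS Forensics), the hash comparison described above can be scripted: both digests are recomputed in one streaming pass and compared with the values recorded at acquisition, and the demo shows that a single altered byte fails the check. It assumes a raw image file; for an E01 the recorded hashes cover the acquired data stream rather than the container bytes, so the image would be exported or mounted as raw data first.

```python
"""Recompute MD5 and SHA-1 of an acquired image and compare them with the
values the imaging tool recorded (image integrity / chain of custody step).

Added example, not from the thesis.  Assumes a raw (dd-style) image, where
hashing the file reproduces the acquisition hash.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads, so a 60 GB image is never loaded into RAM


def hash_bytes(data):
    """MD5 and SHA-1 of an in-memory byte string (what a tool would log)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def hash_image(path):
    """Stream a raw image from disk and compute MD5 and SHA-1 in one pass."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(path, expected_md5, expected_sha1):
    """Compare recomputed hashes with the acquisition record.

    Returns (ok, details).  Both algorithms must match (hex case ignored);
    a mismatch in either one means the image must not be examined further.
    """
    computed = hash_image(path)
    md5_ok = computed["md5"] == expected_md5.lower()
    sha1_ok = computed["sha1"] == expected_sha1.lower()
    details = {
        "computed": computed,
        "expected": {"md5": expected_md5.lower(), "sha1": expected_sha1.lower()},
        "md5_match": md5_ok,
        "sha1_match": sha1_ok,
    }
    return md5_ok and sha1_ok, details


def demo():
    """Constructed sample: a tiny 'image' written to a temp file, verified once
    untouched and once after a single byte has been altered.
    Returns (ok_clean, ok_tampered), expected (True, False)."""
    sample = b"abc" * 4096  # constructed stand-in for acquired disk sectors
    record = hash_bytes(sample)  # the hashes the imaging tool would have logged
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "evidence.dd")
        with open(img, "wb") as fh:
            fh.write(sample)
        ok_clean, _ = verify_image(img, record["md5"], record["sha1"])
        # Flip one byte to simulate tampering or a damaged working copy.
        with open(img, "r+b") as fh:
            fh.seek(100)
            fh.write(b"X")
        ok_tampered, details = verify_image(img, record["md5"], record["sha1"])
    return ok_clean, ok_tampered


if __name__ == "__main__":
    print(demo())
```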


After confirming that the image integrity had not been compromised, the next step was creating the case to be investigated; see the figure below.

Figure 11: Creating new case with OS Forensic

After the case was created, the next step was to import the image into the OS Forensics tool; see figure 12 below.

Figure 12: Importing the image into OS Forensic

Then the process proceeded to the next section, which was the actual examination of the new Windows 10 feature artefacts.


7.2 Cortana Artefacts

Cortana is also known as a digital personal assistant, similar to Apple's Siri, and can be used to perform numerous tasks such as sending emails and setting task reminders, as discussed in the research area section 4.1.

Cortana uses the Extensible Storage Engine database, known as ESE, to store its files and configuration. Within the ESE databases Cortana has a number of artefacts that could be of use when investigating it, and these databases can be found in the following directory:

\Users\final\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB

As can be seen from figure 13, index.edb was modified by the user on 29-03-16 around 08:45; the modification could be anything, such as performing tasks using Cortana, and the date created is the date on which the system was installed; see below.

Figure 13: Cortana Index.edb database


Index.edb contains a list of database tables which Cortana uses to perform its tasks. OS Forensics has a built-in tool called ESE Database Viewer, which was used to view the contents of the indexDB.edb file; see below the list of tables found in index.edb.

Figure 14: Index.edb tables

As can be seen in the above image, indexDB.edb has the following tables, which Cortana uses:

MSysObjects

MSysObjectsShadow

MSysObjids

MSysLocales

HeaderTable

DatabaseAndObjectStoreCatalog

IndexCatalog

MSysDefrag

T-2

T-7

T-9


The contents of each table can be viewed by clicking on it; see the example below.

Figure 15: Cortana IndexDB.edb IndexCatalog

CortanaDb.dat has tables that contain the user's interactions with Cortana; these tables can be found in the following directory:

\Users\final\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCoreDb.dat

Looking at the timestamps of the database, the last modified time was 29-03-16 around 8:41; see figure 16 below.

Figure 16: Time Stamps of CortanaDB.dat


Now let's try to read the contents of CortanaDb.dat with the OS Forensics ESE Database Viewer; see below.

Figure 17: CortanaDB.dat has 23 Tables

Twenty-three tables were found in the CortanaDB.dat database. For the sake of the project, let us view the contents of the location triggers and reminders tables using the ESE Database Viewer and see what can be gathered from there.

Figure 18: Cortana Event Location Trigger


The above image shows Cortana using the location trigger, which uses the Global Positioning System (GPS); it was able to recognise the location of the event as "County Dublin Ireland". The reminders table displays the event name, title, event id and, most importantly, the date of the event; see figure 19.

Figure 19: Cortana task reminder

Another interesting place to look is the Cortana homepage cache, which holds useful information such as the user's cache and location information; this information can be found in the following directory:

\Users\final\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\cache\proactive-cache.bin

proactive-cache.bin contains HTML and JavaScript content, and it holds weather information such as the Dublin weather forecast and news headlines. A quick text search that I did on the proactive-cache.bin file displayed the following content: the "Dublin weather forecast" and the top 10 news headlines from the file; see figures 20 and 21 below.


Figure 20: Cortana shows Dublin Weather Forecast

Cortana showing the top news headlines from around the globe; see figure 20.

Figure 21: Cortana Shows Top news headlines

Other vital information which can be found is the recent location searches and the user's favourite locations; Cortana keeps this information in the following directory:

\Users\final\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\Graph\c47150beb1dd4c50\Me

See the image below for the data that was created there.

Figure 22: Cortana stores recent location search and favorite places


After double-clicking the files to see if they were readable, it was found that Cortana had saved my home address as a favourite place; during the setup, at some point, it asked me if I wanted to set up a home address or favourite location so that it can recognise whether I am at home or not. See figure 23 below, which shows that Cortana saved my home address as my favourite location:

Figure 23: Cortana stored Favorite location

This artefact could provide vital information for building a forensic investigation scenario, for example if a user is denying their presence in a specific vicinity.
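The directories listed in this section, together with the Notification Centre location given in section 7.3, can be collected systematically. The following script is an added example, not code from the thesis: pointed at the root of a mounted or exported image, it walks those documented paths and records size, timestamps and MD5 for each file found before any of them is opened in a viewer. The wildcards for the user name and the Graph sub-folder id, and the constructed demo tree, are assumptions.

```python
"""Evidence Collection record for the Windows 10 artefact locations documented
in sections 7.2 and 7.3 (Cortana ESE databases, proactive cache, Graph Me
folder, Notification Centre appdb.dat).

Added example, not from the thesis.  Run it against the root of a mounted
image; it lists the documented files with size, timestamps and MD5.
"""
import datetime
import glob
import hashlib
import os
import tempfile

# Paths relative to the image root, as documented in the thesis.  The user name
# and the Graph sub-folder id vary per machine, so both are wildcards here.
CORTANA_PKG = ("Users/{user}/AppData/Local/Packages/"
               "Microsoft.Windows.Cortana_cw5n1h2txyewy")
ARTEFACT_PATTERNS = {
    "cortana_indexed_db": CORTANA_PKG + "/AppData/Indexed DB/*.edb",
    "cortana_core_db": CORTANA_PKG
        + "/LocalState/ESEDatabase_CortanaCoreInstance/CortanaCoreDb.dat",
    "cortana_proactive_cache": CORTANA_PKG + "/LocalState/cache/proactive-cache.bin",
    "cortana_graph_me": CORTANA_PKG + "/LocalState/Graph/*/Me/*",
    "notification_db":
        "Users/{user}/AppData/Local/Microsoft/Windows/Notifications/appdb.dat",
}


def md5_file(path):
    """MD5 of a file, streamed so large databases are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def _utc(ts):
    return datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc).isoformat()


def inventory(image_root, user="*"):
    """One record per artefact file found under image_root."""
    records = []
    for name, pattern in ARTEFACT_PATTERNS.items():
        full = os.path.join(image_root, pattern.format(user=user))
        for path in sorted(glob.glob(full)):
            if not os.path.isfile(path):
                continue
            st = os.stat(path)
            records.append({
                "artefact": name,
                "path": os.path.relpath(path, image_root),
                "size": st.st_size,
                "modified": _utc(st.st_mtime),
                "accessed": _utc(st.st_atime),
                # st_ctime is creation time on Windows, inode change time elsewhere
                "created": _utc(st.st_ctime),
                "md5": md5_file(path),
            })
    return records


def build_demo_tree(root):
    """Constructed stand-in for a mounted image (NOT real artefact contents).
    The user name and Graph id are the ones recorded in the thesis."""
    pkg = CORTANA_PKG.format(user="final")
    files = {
        pkg + "/AppData/Indexed DB/IndexDB.edb": b"\x00" * 64,
        pkg + "/LocalState/ESEDatabase_CortanaCoreInstance/CortanaCoreDb.dat": b"\x00" * 32,
        pkg + "/LocalState/cache/proactive-cache.bin": b"<html>constructed</html>",
        pkg + "/LocalState/Graph/c47150beb1dd4c50/Me/favorites": b"constructed",
        "Users/final/AppData/Local/Microsoft/Windows/Notifications/appdb.dat":
            bytes.fromhex("444E505703000000"),  # signature noted in section 7.3
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo_entries():
    """Build the demo tree in a temp dir and return the inventory records."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    for rec in demo_entries():
        print(rec["artefact"], rec["size"], rec["modified"], rec["md5"], rec["path"])
```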


7.3 Notification centre:

The Notification Centre provides real-time system and application notifications, such as a received email, a Facebook message, tweets, reminders, and also system events including security/update alerts, etc.

These notifications, also known as toast notifications, are stored and embedded as XML in a file which can be found at the following location:

\Users\final\AppData\Local\Microsoft\Windows\Notifications\appdb.dat

Figure 24: Notification Folder

The file signature of appdb.dat lies within its first 16 bytes in the hex view.

The format of the appdb.dat database is currently unknown and not documented; more testing/research is required. The file signature of the database is HEX 44 4E 50 57 03 00 00 00; see figure 25. However, the format of the database is still not known.

Figure 25: Notification appdb.dat Hex


Within that directory there is another file named WPNPRMRY.tmp, and also a folder called "wpnidm"; that folder contains images that were probably used by system and application notifications, and these images look like something related to the weather forecast and news headlines that were generated by Cortana. However, how these images end up in that directory is not clear as yet. Coming back to the notification database appdb.dat, which stores the real-time events that are happening on the system: see figure 26, where the Notification Centre informs of the receipt of a Facebook message.

Figure 26: Toast Notification pops up received Facebook message

I have done a quick search on the Notification Centre appdb.dat for the initial email reply that was received; see below.

Figure 27: Toasted notification of received email


Here is another toast notification, a system alert which was generated by the system with the following message: "Potential Harmful Software detected"; see below.

Figure 28: System Notification security threat alert

This sort of information could aid a forensic investigation; for example, if a suspect's device is seized, the Notification Centre could be an interesting place to look, because it will generally contain the real-time events that were happening within the system, such as system alerts and application alerts.
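As an added example (not code from the thesis or from OSForensics), the following Python script checks the signature reported above and carves embedded toast XML from a notification store. Because the appdb.dat layout is undocumented, the carving is a plain string search for <toast>...</toast> in UTF-8 and UTF-16LE; SAMPLE_STORE is a constructed byte string, not a real appdb.dat, and the launch attribute and text lines in it are made up.

```python
"""Signature check and toast-XML carving for a Notification Centre store.

Added example, not from the thesis or OSForensics. The appdb.dat record layout
is undocumented, so this does only what the page justifies: verify the reported
8-byte signature, then carve <toast>...</toast> fragments by string search
(UTF-8 and UTF-16LE) and parse them. SAMPLE_STORE is constructed, not real.
"""
import re
import xml.etree.ElementTree as ET

# Signature reported in the text: 44 4E 50 57 03 00 00 00 ("DNPW" then 03 00 00 00).
APPDB_SIGNATURE = bytes.fromhex("444E505703000000")

# Toast payloads may sit in the file as UTF-8 or as UTF-16LE (each byte followed
# by 00), so search for both encodings of the opening and closing tags.
_TOAST_UTF8 = re.compile(rb"<toast[\s>].*?</toast>", re.DOTALL)
_TOAST_UTF16 = re.compile(
    re.escape("<toast".encode("utf-16-le")) + rb".*?" + re.escape("</toast>".encode("utf-16-le")),
    re.DOTALL)


def has_appdb_signature(blob):
    return blob[:len(APPDB_SIGNATURE)] == APPDB_SIGNATURE


def carve_toasts(blob):
    """Return (offset, xml_text) for every toast fragment found, in file order."""
    hits = [(m.start(), m.group().decode("utf-8", "replace")) for m in _TOAST_UTF8.finditer(blob)]
    hits += [(m.start(), m.group().decode("utf-16-le", "replace")) for m in _TOAST_UTF16.finditer(blob)]
    return sorted(hits)


def summarize_toast(xml_text):
    """Pull the launch argument and visible text lines out of one toast; None if damaged."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    lines = [t.text.strip() for t in root.iter("text") if t.text and t.text.strip()]
    return {"launch": root.get("launch"), "lines": lines}


def triage_notification_store(blob):
    report = {"signature_ok": has_appdb_signature(blob), "toasts": [], "unparseable": 0}
    for offset, xml_text in carve_toasts(blob):
        summary = summarize_toast(xml_text)
        if summary is None:
            report["unparseable"] += 1      # carved, but not well-formed XML
            continue
        summary["offset"] = offset
        report["toasts"].append(summary)
    return report


# Constructed sample: signature, padding, a UTF-8 Facebook-style toast, a UTF-16LE
# Defender-style toast, and one damaged fragment (mismatched tags).
SAMPLE_STORE = (
    APPDB_SIGNATURE
    + b"\x00" * 24
    + b'<toast launch="fb:thread/42"><visual><binding template="ToastGeneric">'
      b"<text>Salaan Sheikh</text><text>Facebook message received</text>"
      b"</binding></visual></toast>"
    + b"\xff" * 12
    + ('<toast><visual><binding template="ToastGeneric"><text>Windows Defender</text>'
       "<text>Potential Harmful Software detected</text></binding></visual></toast>"
       ).encode("utf-16-le")
    + b"\x00" * 8
    + b"<toast><visual><text>damaged</toast>"
)

if __name__ == "__main__":
    result = triage_notification_store(SAMPLE_STORE)
    print("signature ok:", result["signature_ok"], "| unparseable:", result["unparseable"])
    for toast in result["toasts"]:
        print(f"@{toast['offset']:#06x} launch={toast['launch']!r} {' / '.join(toast['lines'])}")
```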

7.4 Windows 10 Start menu:

The Start menu contains important information such as the recent programs/applications which the user ran. It is sometimes referred to in terms of LNK files, because shortcuts are created in the Start menu folder which link back to the actual directory where the program resides; this gives users easy access to these programs any time they are required again, and it could also provide vital clues about the most recent programs/applications on the system to a forensic examiner conducting a digital forensic investigation. However, Microsoft placed common folders called Places, which contain shortcuts such as File Explorer, Documents, Downloads, Network and the user profile, on the Start menu; the easiest way to determine whether these programs were used would be to look at whether the creation date and modified date are different.

However, Windows 10 does not place document files, text files, Word and Excel files or images on the Start menu; it rather places them in a different folder called Quick Access, which will be covered in later sections of the project.

The Start menu artifacts can be found here: C:\ProgramData\Microsoft\Windows\Start Menu; see figure 29 below.

Figure 29: Windows 10 start menu files

As can be seen in the above image, the created date and the accessed date of the Start menu programs are different, which tells us that these are programs which were recently accessed by the user. Let's take a look at the Programs folder on the Start menu to see which program was the most recently used one; see figure 30:

Figure 30: Start menu shows most recent Programs


Skype was the most recent program that was used on the system. Again, the search can be narrowed down by looking at the actual location of the program to see whether it contains any useful artifacts which aid the investigation. Say this was an unknown application to us and we wanted to trace its location on the system: the Start menu provides a link to the actual original location of the used program.

Figure 31 reveals the actual location of the Skype application which was on the Start menu, after opening the hex view and clicking extracted strings of the Start Menu\Programs\Skype.lnk file; see below.

Figure 31: The actual location of Skype is revealed

Another way of finding this would be to look at the file metadata tab, which shows similar information such as the relative path of the used program.


Figure 32: metadata tab again shows useful information about the program

The Start menu is one of the popular places that most people go to when launching certain applications and system functions; it will be very useful for a forensic investigation scenario on a system, as it shows what programs/applications were used and it also provides the date and time they were used.

7.5 Edge Browser:

The Windows 10 Edge browser replaced the previous Microsoft Windows browser, Internet Explorer 10, which was seen in the previous versions of the Windows operating system; the new browser stores its browsing history data in the Extensible Storage Engine (ESE) database format.

The artifacts of the Windows 10 Edge browser can be found in the following ESE database: \Users\final\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\User\Default\Indexed DB, along with some text log files that were generated when the database was accessed by the browser; see figure 33 below.


Figure 33: Microsoft Edge database.ed

Let's examine the contents of the Indexed DB database with the ESE Database Viewer and see what can be gathered from the database.

Figure 34: Edge browser IndexDB.db contains similar database tables with cortana

The above image rings a bell, as these tables are the same tables that were seen in the Cortana database; however, the contents of these tables are not known, as they are not viewable. It is also known that Cortana uses the Edge browser as the default browser to perform online queries.

The directory below contains the cached files of the Microsoft Edge browser: \Users\final\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache; see figure 35 below.


Figure 35: Microsoft Edge Cached files

As can be seen from the image above, the Edge Cache has four folders which contain images, such as logs of the recent pages viewed by the user; again, looking at the creation date and modified date tells us that these were constantly changing as the user surfed the net. It also has a container.dat file.

The last active Microsoft Edge browsing session can be found in the following directory: \Users\final\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active. This folder has four data files in it which would contain the browsing history; see figure 36 for the contents of the folder.

Figure 36: Microsoft Edge Browsing history

The above image shows the Microsoft Edge browsing history of the user and, as can be seen, each time the user loads a page it gets stored here. Let's view one of the browsing files and see if something can be obtained from it.


Figure 37: Readable Microsoft Browsing history

I just clicked the hex view of the Microsoft Edge browsing history files which are in the Recovery\Active folder, and it is in a clearly readable format; as can be seen in the above image, the user was reading sporting news and also the national news on the following website: http/www.msn.co/en/sportpremier-league.

Another interesting place to look at is the user's favorite websites, in the following directory: \Users\final\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Favorites, which contains the list of the user's favorite websites; see figure 38 below.

Figure 38: List of user favorites websites

Microsoft Edge is a powerful browsing application which could be used to surf the net; given the wide use and popularity of the previous Microsoft Windows browser, Internet Explorer, the new browser could aid a forensic investigation by looking at the browsing history, which can reveal what the user was doing on the internet at a particular time.


7.6 Windows Apps

Windows 10 has been integrated with useful applications such as email, which could provide an easy way of communicating; the application stores its emails in an Extensible Storage Database (ESD).

The Email application stores emails in HTML format and uses the following directory to store them: \Users\final\AppData\Local\Comms\Unistore\data; see figure 39 below, which shows the email folders along with a file named AggregateCache.uca.

Figure 39: Email Application showing in the Comms\Unistore\data folder

Let's examine the hex view of the AggregateCache.uca file first and see what can be gathered from that file.

Figure 40: AggregateCache.uca Contains email contacts


After viewing the hex/string view of the AggregateCache.uca file, it contains names, and these were my email contacts, as can be seen in the above image.

Let's examine the other files that are in the same directory and see what they contain; see figure 41.

Figure 41: Contents of the \data\3 folders

As can be seen in the above image, figure 41, these folders have strange names, which are just the alphabetical letters A to P, and most of them were also created at a similar date; next I will examine each file and see what can be gathered from them.

Folder C looks to have the largest email sizes; see figure 42.

Figure 42: Emails found on the Data/3/C folder


Now I will try to read the contents of these emails in hex view.

Figure 43: Sent and Received emails found on the windows 10 email apps

As can be seen from the above image, there have been emails exchanged between the users "kulmiye" and [email protected], and these emails are displayed in HTML and text format using the hex/string viewer tab.

Another interesting item is in folder P, where arranging a meeting this Saturday is mentioned; see the full message in figure 44 below.

Figure 44: one of the emails shows that there was arranged meeting on Saturday


Another place worth looking at is the following directory: \Users\final\AppData\Local\Comms\UnistoreDB, which contains a list of different files such as store.vol, tmp.edb and USS.log; see figure 45, which shows the whole contents of the \Comms\UnistoreDB folder.

Figure 45: Emails directory \Commons\unistoreDB

The USS.log file could be interesting: since it is a log file, it would be an ideal place to find more clues about the exchanged emails. I will use the hex/string viewer tab to see if the content of the file is readable; see below.

Figure 46: USS.log file revealed exchanged email and emails address


As can be seen from the above image, the Windows 10 email application has tons of features which could be useful to a digital forensic investigation; for example, looking at the USS.log file in particular, the sender and receiver email addresses and the content of the email can clearly be known, which is a bonus for a forensic scenario.

7.7 Unified Communications:

Windows 10 has integrated Unified Communications, which brings all the social network applications into one platform, such as Facebook, Twitter and OneDrive. To achieve the goal of the project, the following three applications, Facebook, Twitter and OneDrive, which have been integrated into the new Windows 10 OS, were examined; the aim of this section is to investigate and analyse what sort of evidence can be retrieved from these applications.

7.7.1 Facebook

Facebook is one of the most widely used social network applications to communicate with friends, family and colleagues around the world. I signed up for a Facebook profile using the same email address as the project, which was [email protected], and added only two friends, one named Salaan Sheikh and the other myself, Mohamud Kulmiye.

Facebook stores its data in SQLite3 format, which can be found in the following directory: \Users\final\AppData\Local\Packages\Facebook.Facebook_8xx8rvfyw5nnt\LocalState\100011495150561\DB; see figure 47 below, which shows the actual contents of the directory.


Figure 47: Facebook DB directory contents.

The above image revealed a number of interesting SQLite3 files which are worth looking at; I will use another great built-in OSForensics tool, called SQLite Database Browser, to view their contents and see what can be gathered from these files.

First I opened the Friends.sqlite file with the OSForensics SQLite Database Browser, and it listed the friends along with the name, contact email and Facebook profile of each friend; see below.

Figure 48: List of Facebook Friends along with their full details

As can be seen in the above figure, the tool recovered a number of interesting pieces of information, such as full names, contact email and phone, and date of birth of the Facebook friends, which could be helpful for a forensic investigation.

Notifications.sqlite contains the Facebook notifications, such as friend request notifications; figure 49 shows that a Facebook user has made a friend request to the following Facebook user, "Mohamud Kulmiye"; see below.


Figure 49: Facebook Friends Request Notifications

The Messages.sqlite file was also examined; it has six tables that hold the contents of the messages exchanged between the users. The following details can also be found in the Message table: user ID, message timestamp and message body; see figure 50 below.

Figure 50: Facebook Message received

The above image shows that the user Salaan Sheikh sent the above message, while figure 51 shows the Users table, which reveals the users that exchanged that message; see below.

Figure 51: Users table Contains the list of users that exchanged messages


Another interesting item to look at is the Stories.sqlite file, which contains the following list of tables: Attachments, Cursors, Feed-Media, Places and Profiles. Let's examine the following tables, Profiles and Places, which look interesting.

Figure 52: Showing the location of Friend of friends

The above image shows Oldham, United Kingdom as the location, which seems weird because the two friends I added to the project email account do not live in the UK, nor was the project email set up in that location; so it can be concluded that one of the friends must have another friend who resides in the United Kingdom, but that particular person is not known yet.

Let's examine the Profiles table now and see what can be obtained from there.

Figure 53: Profile table shows that list of friends and groups that one of the friends has

The Facebook settings file, setting.dat, contains a number of pieces of information, such as the profile user name, profile image URL and profile ID, and it can be found in the following directory: \Users\final\AppData\Local\Packages\Facebook.Facebook_8xx8rvfyw5nnt\Settings/setings.dat; see figure 54, which shows the directory.


Figure 54: Facebook setting directory
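As an added example (not the thesis's or OSForensics' code) of the Messages.sqlite and Users table step above, this Python script opens an evidence copy read-only, lists its tables, and joins each message to its sender. The schema (tables messages and users with columns sender_id, timestamp_ms, body, user_id, full_name) and the rows are a constructed stand-in, since the real column names are not given in the text; the timestamp unit (milliseconds since the Unix epoch) is likewise an assumption.

```python
"""Read-only triage of an app SQLite store such as Facebook's Messages.sqlite.

Added example, not from the thesis or OSForensics. The schema below is a
hypothetical stand-in for the real Messages.sqlite (its column names are not
given in the text); the rows are constructed. The point is the two-step
routine: enumerate what the file holds, then attribute messages to users,
without ever writing to the evidence file.
"""
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def open_evidence_readonly(path):
    """mode=ro refuses writes; immutable=1 also skips journal/WAL handling, so the
    evidence file and its directory are never touched."""
    uri = f"{Path(path).resolve().as_uri()}?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def is_read_only(conn):
    """Prove the handle cannot modify the store (a write attempt must fail)."""
    try:
        conn.execute("CREATE TABLE _probe (x)")
    except sqlite3.OperationalError:
        return True
    conn.execute("DROP TABLE _probe")
    return False


def list_tables(conn):
    rows = conn.execute("SELECT name, sql FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return {name: sql for name, sql in rows}


def messages_with_senders(conn):
    """Join messages to users, the step figure 51 above does by eye.
    LEFT JOIN keeps messages whose sender is missing from the users table."""
    sql = """SELECT m.timestamp_ms, u.full_name, m.body
             FROM messages AS m LEFT JOIN users AS u ON u.user_id = m.sender_id
             ORDER BY m.timestamp_ms"""
    result = []
    for ts_ms, name, body in conn.execute(sql):
        # Assumption: timestamp_ms is milliseconds since the Unix epoch, UTC.
        when = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        result.append((when, name if name is not None else "<unknown sender>", body))
    return result


def make_sample_store(path):
    """Constructed stand-in for Messages.sqlite (hypothetical schema, made-up rows)."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, full_name TEXT, email TEXT);
        CREATE TABLE messages (msg_id INTEGER PRIMARY KEY, sender_id INTEGER,
                               timestamp_ms INTEGER, body TEXT);
        INSERT INTO users VALUES (1001, 'Salaan Sheikh', 'salaan@example.invalid');
        INSERT INTO users VALUES (1002, 'Mohamud Kulmiye', 'project@example.invalid');
        INSERT INTO messages VALUES (1, 1001, 1458037800000, 'Are we still meeting Saturday?');
        INSERT INTO messages VALUES (2, 1002, 1458037900000, 'Yes, see you then.');
        INSERT INTO messages VALUES (3, 9999, 1458038000000, 'Hi from a user not in the users table');
    """)
    conn.commit()
    conn.close()


def triage(path):
    conn = open_evidence_readonly(path)
    try:
        return {"read_only": is_read_only(conn),
                "tables": sorted(list_tables(conn)),
                "messages": messages_with_senders(conn)}
    finally:
        conn.close()


def demo():
    """Build the constructed store in a temp file, triage it, clean up, return the report."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        make_sample_store(path)
        return triage(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    report = demo()
    print("read-only handle:", report["read_only"], "| tables:", report["tables"])
    for when, sender, body in report["messages"]:
        print(f"{when}  {sender:18} {body}")
```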

7.7.2 Twitter

For the purpose of the project, Twitter was signed up with the following account name, @finalyear16, using the same email address that was used during the setting up of the Windows 10 operating system.

Twitter is one of the most widely used social networking applications to communicate and post tweets; the objective of this section of the project is to carry out a forensic investigation on this application and see what can be recovered from it. Twitter stores its application settings in the following directory: \Users\final\AppData\Local\Packages\9E2F88E3.Twitter_wgeqdkkx372wm\Settings; see figure 55.

Figure 55: Twitter application setting

Looking at the above figure, it shows that the created date and modified date are different; I also clicked the hex/string view of the setting.dat file to see what can be obtained; see below.


Figure 56: Hex view of the twitter apps setting.dat file

Further research was done about the type of data format that Twitter uses, and it came to light that the Twitter application uses the SQLite3 database format, which holds a number of tables containing information such as Messages, Status, Users and Search_Queries. See below the full contents of the directory \Users\final\AppData\Local\Packages\9E2F88E3.Twitter_wgeqdkkx372wm\LocalState\; however, I could not find the Twitter.sqlite file in that directory; instead it has the following folders and files in it; see fig&#8203;ure 57.

Figure 57: Twitter Local State directories

After a thorough investigation of these folders and the _sessionState.Json file, there was no useful information which could aid the investigation further.


7.7.3 One Drive

OneDrive is an online storage application that comes with a Microsoft account and allows you to sync your files and programs to cloud storage.

OneDrive synced data can be found in the following location: \Users\final\AppData\Local\Microsoft\OneDrive\settings\Personal.dat; see the image below, which shows that directory.

Figure 58: OneDrive data Synced folder

Now I will try to read the c47150beb1dd4c50.da file using the internal viewer, and click the hex/string viewer tab to see whether any valuable data can be obtained from that file; see figure 59.

Figure 59: OneDrive Synced-Dat file


As can be seen from the above image, there are a number of files which have been synced to the cloud storage; these files cannot be read within this directory, as they are just the names of the files that were synced to the cloud. But OneDrive stores the locally cached files in the following directory, \Users\final\OneDrive\, depending on the file types; figure 60 shows the full contents of the directory.

Figure 60: One-Drive Local Cache Files

The above image revealed that two folders are placed within that directory which might contain some useful data; the next step is to examine each folder and see the contents in them.

After opening the Documents folder, it contained 3 files and one folder; see below.

Figure 61: Documents found in the One-Drive Local cache


The three files that were recovered from the above Documents folder are two Journal files and a text file; now let's examine these files. I will start with the file named Test.txt, which I read using the internal viewer option; see figure 62, which shows the contents of the file.

Figure 62: One-Drive-Local Cache Text file

One of the Journal files was empty; however, a journal file named interesting.jnt caught my attention, and as I was not able to read it with the tool, I extracted it to my desktop and read it with Windows Journal; see figure 63, which shows the content of that file.

Figure 63: Journal file that was recovered


The next step was to go back to the Pictures folder, which was in the OneDrive local cache directory, and examine the contents; see figure 64.

Figure 64: One-Drive Local Cache Pictures folder

The above image shows two subfolders and 2 jpg images; let's examine the two subfolders first and see what can be learned from them.

After a quick overview, the Camera Roll and Saved Pictures folders were empty; basically no contents were found. Now let's view the two images named Gun.jpg and Gun2.jpg that were found; the above image also revealed that the creation and modified dates for the two images were the same. I will put them side by side; see figure 65.

Figure 65: Images found in the One-Drive Local Cache


OneDrive log files can be found in the following directory: Users\final\AppData\Local\Microsoft\One-Drive\logs\Personal, which keeps a record of all the activities in OneDrive.

Examining the Windows 10 Unified Communications (UC) could be challenging due to the large amount of data to examine; however, as was seen in the above figures, there are plenty of artifacts which these UC applications leave behind when used, and these can be used to build a forensic case. One example would be to look at figure 50: if a particular Facebook user was under investigation, knowing his friends list would help. Another example which could be useful for a forensic scenario would be if a Windows 10 device has been seized from a suspect: the digital forensic examiner can look at the OneDrive local cache folder, which has the list of files and folders which were actively synced to the cloud, and this can be used as an aid to build a strong case.

7.8 Quick Access folder

Quick Access is another new feature of the Windows 10 operating system, which has replaced the Favorites tab in the Windows File Explorer; Quick Access contains the shortest path to the folders and files that you have been using, and these are also called the most frequent folders and recent files used.

The aim of this section is to investigate and examine the contents of the Quick Access folder, which has the most recent files and folders which the user was working on, and see if they contain any useful evidence which could aid in the digital forensic investigation.

The Quick Access folder uses the following directory: \User\final\AppData\Roaming\Microsoft\Windows\Recent\. This directory stores the links to the most recent files that were accessed or opened by this particular user; see figure 66, which shows the contents of the directory.


Figure 66: Most recent Files links used by the user

As can be seen from figure 66, all the files that are in this folder end with .lnk, which means that the .lnk links back to the original location where the file is residing. I used the internal hex/string view option to view one of the files and also to find out the original location of the file; see below.

Figure 67: The original location of the file revealed

Looking at the above image reminds me that the Test.txt file was one of the files that was synced to the OneDrive cloud storage. All the files within that directory can be examined one by one if needed, and they should provide an overview of the user's activities, such as which file the user was working on, including the date and time; this information could be valuable to a forensic examiner who is carrying out a digital forensic investigation on a particular user's activities.
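The following Python parser is an added example serving both the Start menu shortcuts of section 7.4 and the Quick Access .lnk files of this section; it is not code from the thesis or from OSForensics. It reads the fields that the hex/string view above exposes by eye (target path, working directory, FILETIME stamps) following the public MS-SHLLINK layout; the sample Skype.lnk is built in-line by build_lnk with made-up timestamps and a constructed volume serial number.

```python
"""Minimal Shell Link (.lnk) parser for Start menu and Quick Access artifacts.

Added example, not from the thesis or OSForensics. Field layout follows the
public MS-SHLLINK specification; build_lnk constructs the sample link used
below (made-up timestamps, constructed volume serial, empty volume label).
"""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")   # fixed Shell Link CLSID
# LinkFlags bits
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location")]


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def is_shell_link(data):
    return (len(data) >= 0x4C and struct.unpack_from("<I", data, 0)[0] == 0x4C
            and data[4:20] == LNK_CLSID)


def _cstring(data, off):
    """NUL-terminated ANSI string (system code page; cp1252 assumed here)."""
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    if not is_shell_link(data):
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 0x14)
    info = {"flags": flags, "file_attributes": attrs, "file_size": size,
            "created": filetime_to_datetime(ctime), "accessed": filetime_to_datetime(atime),
            "modified": filetime_to_datetime(wtime),
            "local_base_path": None, "common_path_suffix": None}
    info.update({key: None for _, key in STRING_DATA})
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:             # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, _vol, lbp_off, _cnrl, cps_off = struct.unpack_from("<7I", data, pos)
        if info_flags & 0x1:                        # VolumeIDAndLocalBasePath present
            info["local_base_path"] = _cstring(data, pos + lbp_off)
            info["common_path_suffix"] = _cstring(data, pos + cps_off)
        pos += info_size
    for bit, key in STRING_DATA:                    # StringData: uint16 count + chars, no NUL
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            info[key] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return info


def target_path(info):
    """Resolved target: LocalBasePath + CommonPathSuffix, else fall back to RelativePath."""
    if info["local_base_path"] is not None:
        return info["local_base_path"] + (info["common_path_suffix"] or "")
    return info["relative_path"]


def build_lnk(target, relative_path, working_dir, created, accessed, modified, file_size):
    """Constructed sample builder (not a Windows API): header + LinkInfo + StringData."""
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_WORKING_DIR | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         created, accessed, modified, file_size, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"  # DRIVE_FIXED, no label
    lbp, cps = target.encode("cp1252") + b"\x00", b"\x00"
    lbp_off = 0x1C + len(volume_id)
    cps_off = lbp_off + len(lbp)
    link_info = struct.pack("<7I", cps_off + len(cps), 0x1C, 0x1, 0x1C, lbp_off, 0, cps_off)
    link_info += volume_id + lbp + cps

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + link_info + string_data(relative_path) + string_data(working_dir)


# Constructed stand-in for Start Menu\Programs\Skype.lnk; FILETIME ticks are made up
# (created 2016-03-01 00:00 UTC, accessed 2016-03-15 10:30 UTC).
SAMPLE_SKYPE_LNK = build_lnk(
    target=r"C:\Program Files (x86)\Skype\Phone\Skype.exe",
    relative_path=r"..\..\..\..\..\Program Files (x86)\Skype\Phone\Skype.exe",
    working_dir=r"C:\Program Files (x86)\Skype\Phone",
    created=131012640000000000, accessed=131025114000000000,
    modified=131012640000000000, file_size=54321)

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_SKYPE_LNK)
    print("target  :", target_path(parsed))
    for k in ("created", "accessed", "modified"):
        print(f"{k:8}:", parsed[k])
```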


8 Chapter 6

8.1 Findings

Windows 10 is a relatively new operating system and brought along new features that were not seen in the previous Windows operating systems. The aim of the project was to discover and examine the new features of Windows 10, such as how and where the artifacts of these new features are stored in the Windows 10 system, hence carrying out forensic investigations on the new features of Windows 10, including Cortana, the Notification Centre, the Edge browser, the new Start menu, Quick Access, and Unified Communications (UC) such as Facebook, Twitter and Skype. Below are tables which summarize the findings for each artifact of the Windows 10 new features.

Table 7: Cortana artifacts (source: the author)

New artifact of Windows 10: Cortana (Digital Personal Assistant)

Artifact locations on the system:
C:/Users\final\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\
C:/Users\final\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\Graph\c47150beb1dd4c50\Me
C:/Users\final\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\cache\proactive-cache.bin

Role in the forensic process: It uses the Extensible Storage Engine (ESE) database to store its data. It could be used to build a forensic case, including the tasks that are being performed, such as emails sent, local and online searches, and the locations where the device is being used and what it is being used for.


Table 8: Notification Centre artifacts (source: the author)

New artifact of Windows 10: Notification Centre

Artifact location on the system: C:/Users\final\AppData\Local\Microsoft\Windows\Notifications\appdb.dat

Role in the forensic process: Notifications are stored embedded in XML file format. The Notification Centre could be an interesting location to look for forensic evidence, as it receives real-time alerts from the system and from applications, such as email, Facebook and Twitter messages as they come in to the system, and any other system warnings such as security updates.

Table 9: Start Menu artifacts (source: the author)

New artifact of Windows 10: Start menu

Artifact location on the system: C:\ProgramData\Microsoft\Windows\Start Menu

Role in the forensic process: Start menu artifacts end with .lnk, because shortcuts to the program/application are created in the Start menu folder which link back to the actual directory where the application resides. The Start menu is one of the popular places that most people go to when launching certain applications and system functions; it will be very useful for a forensic investigation scenario on a system, as it shows what programs or applications were used and it also provides the date and time they were used.


Table 10: Edge browser artifacts (source: the author)

New artifact of Windows 10: Edge browser

Artifact location on the system: C:/Users\final\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\User\Default\Indexed DB

Role in the forensic process: The Edge browser uses the Extensible Storage Engine (ESE) database format to store its artefacts. The new browser could aid a forensic investigation by looking at the browsing history, which can reveal what the user was doing on the internet at a particular time, including the sites being visited.

Table 11: Quick Access artifacts (source: the author)

New artifact of Windows 10: Quick Access

Artifact location on the system: C:\User\final\AppData\Roaming\Microsoft\Windows\Recent\

Role in the forensic process: Quick Access is similar to the new Start menu: it provides shortcut access to the recent files and frequent folders, and its artifacts end with .lnk. A digital forensic examiner can get an overview of what folders and files were recently accessed by a particular user; therefore it could be useful when interested in looking at the most recent files and folders on a Windows 10 system.


Table 12: Email app artifacts (source: the author)

New artifact of Windows 10: Email application

Artifact location on the system: \Users\final\AppData\Local\Comms\Unistore\data

Role in the forensic process: The E-mail application uses the Extensible Storage Database (ESD) to store its artefacts. The Windows 10 email application has tons of features which could be useful to a digital forensic investigation, for example looking at the USS.log file in particular.


Table 13: Unified Communications artifacts (source: the author)

New artifact of Windows 10: Windows 10 Unified Communications (UC)

Artifact locations on the system:
Facebook: C:\Users\final\AppData\Local\Packages\Facebook.Facebook_8xx8rvfyw5nnt\LocalState\100011495150561\DB and C:/Users\final\AppData\Local\Packages\Facebook.Facebook_8xx8rvfyw5nnt\Settings/setings.dat
Twitter: C:/Users\final\AppData\Local\Packages\9E2F88E3.Twitter_wgeqdkkx372wm\LocalState\
OneDrive storage: C:\Users\final\AppData\Local\Microsoft\OneDrive\settings\Personal.dat

Role in the forensic process: Facebook and Twitter both store their data in SQLite3 format. Examining the Windows 10 Unified Communications (UC) could be challenging due to the large amount of data they contain; however, valuable information which could aid a forensic investigation can be gathered from each UC application, including looking at what the person was doing on Facebook and Twitter.


8.2 Research Questions and answers:

Where in the system can the new features of Windows 10 be found?

The new features of Windows 10 come under two sections: OS artifacts and application artifacts, and this research looks at both sets of artifacts. For example, Cortana (Personal Digital Assistant), the Notification Centre, the new Start menu and the Quick Access folder are seen as operating system artifacts, and the other features, such as the Edge browser and Unified Communications including Facebook, Twitter and OneDrive, are known as application artifacts; this was discussed in more detail in Chapter 3, in the research area section 5.2. Both kinds of artifacts can be found under the C:\User\username\ directory.

Determine how these new artifacts can be used to help build presentable evidence in a court of law?

As seen in chapter 5, in the evidence examination section of this document, these new features of the Windows 10 operating system provide artifacts which could be used to build forensic scenarios; for example, the new Start menu and Quick Access might provide evidence which shows the user's activities, including what files, directories and programs/applications were used.

Other artifacts which could provide permissible evidence are Cortana (digital personal assistant), the Notification Centre and the Email application; for example, the Cortana artifacts which can be located include the location where the device was used and the tasks that were performed, including setting task reminders, emails sent and online search queries.

From the Notification Centre, the toast notifications that came into the system can be gathered, including emails and Facebook and Twitter messages; the email application can be used as permissible evidence, as it shows who sent an email and the content of the emails, as well as the date and time they were sent.


What artifacts can be found from the Unified Communications of Windows 10?

Unified Communications leave artifacts on the system which could be useful for building a forensic case; for example, OneDrive is online storage that comes with the Windows 10 operating system, and artifacts such as the files that were synced to the online storage can be found on the system. Facebook and Twitter exchanged message chats, including posts and tweets, can also be found on the system, as these applications leave them behind.

9 Chapter 7

9.1 Conclusions

The new Microsoft Windows 10 operating system is rising slowly and gradually; however, Microsoft is driving the growth of the new operating system in terms of its offer to switch for free from any of the previous Windows operating systems, such as Windows 8, 8.1 and Windows 7. The market share in January this year was 11.85% when compared to December last year (Khandelwal, 2016).

Microsoft is targeting the new operating system, Windows 10, to be used by more than one billion devices in the next 2 to 3 years' time (Khandelwal, 2016); however, the rapid growth of Windows 10 users will result in increased challenges for the digital forensic professionals and law enforcement who need to acquire evidence from the new features of the Windows 10 operating system.

The aim of the research was to forensically examine the artefacts of the new features of Windows 10 and the challenges that could be posed to the digital forensic examiner who might need to acquire evidence from these new features.

A number of research questions were developed to aid the research; these questions surrounded the new features of Windows 10 and how the artefacts of these new features can be used to build presentable forensic evidence.

OSForensics was used to carry out the forensic examination part of the research. The tool had some powerful plug-ins which were very useful during the examination of the image, including the SQLite3 and ESE Database viewers.


Valuable data was recovered during the forensic examination of the image which could be vital evidence in real-life forensic scenarios. Cortana (the digital personal assistant) is one of the features that gathers a wealth of evidential data which could play an important role in building a forensic case; for example, figure 22 in section 7.2 can be used to verify the location of a user who might be denying being at a particular location.

After completing the forensic examinations as well as the research, the project wrapped up by answering the research questions that were developed for this paper.

9.2 Limitations of the Research

The thesis mainly focuses on the challenges that could be faced by the forensic examiner with the new features of Windows 10, such as locating the digital evidence artefacts of these new features of the Windows 10 operating system.

Although Windows 10 brought along many new features, due to time constraints the thesis only examines some of them. The new features which were examined are: Cortana, Edge browser, Email app, Facebook app, Twitter app, Notification centre, new Start menu, Quick Access, and OneDrive.

Another limitation of the thesis was the use of a virtual machine rather than a physical environment such as a laptop or a desktop, which would have provided more realistic scenarios. However, due to a lack of resources and time, a virtual environment was used to install the Windows 10 operating system, and an evidence set was created which mimicked use in a real environment.

The final limitation of the research was the digital forensic tool and process used as part of the thesis research. Although there were many digital forensic tools that could have been used to perform the forensic investigation part of the thesis, these tools had to be evaluated in terms of cost, functionality and ease of use before deciding on a tool; the challenge was to find a tool which matched all the mentioned criteria and was at the same time compatible with Windows 10.


For the forensic process, any of the existing forensic processes could have been used for the project, and the plan was to use the six phases of the Digital Forensic Research Workshop (DFRWS).

However, since the aim of the thesis was to collect evidence, examine it, and then report on the findings, it was decided to create a shorter digital forensic process than the DFRWS, making use of the following three phases: evidence collection, evidence examination, and evidence reporting.

9.3 Further Research:

Although the goal of the project was reached, which was to discover and examine the new features of Windows 10, such as how and where the artifacts of these new features are stored in the Windows 10 system, and also to answer the research questions that were developed for the purpose of this project, given more time with the project I would have done more research about how to read the CortanaDB.dat tables, which could hold valuable details.

Windows 10 is a relatively new operating system, and the features that were researched in this thesis were a few of the many features that came with the new operating system. Given more time, I would like to examine the Windows 10 registry files and directories, which could be rich in forensic artifacts.


10 Chapter 8

10.1 References

de Looper, C. (2015) The top 10 features of Microsoft Windows 10. Available at: http://www.techtimes.com/articles/75163/20150810/microsoft-windows-10-top-features-prompted-upgrade.htm (Accessed: 9 March 2016).

Protalinski, E. (2016) Windows 10 passes 10% market share, overtakes Windows 8.1 and Windows XP. Available at: http://venturebeat.com/2016/02/01/windows-10-passes-10-market-share-overtakes-windows-8-1-and-windows-xp/ (Accessed: 17 March 2016).

Whitney, L. (2016) Windows 10 overtakes XP and 8.1, still lags behind 7. Available at: http://www.cnet.com/news/windows-10-overtakes-xp-8-1-in-desktop-os-market/ (Accessed: 28 March 2016).

Kelly, G. (2015) Windows 10 vs Windows 8 vs Windows 7: What's the difference? Available at: http://www.forbes.com/sites/gordonkelly/2015/08/02/windows-10-vs-windows-8-vs-windows-7-whats-the-difference/#56c213a5dd22 (Accessed: 28 March 2016).

Pollitt, M. (2004) Computer forensics: An approach to evidence in cyberspace. Available at: http://www.digitalevidencepro.com/Resources/Approach.pdf (Accessed: 5 April 2016).

Siewert, P. (2015) Pro digital forensic consulting: Keep Windows 10 off your forensic machine (for now). Available at: http://prodigital4n6.blogspot.ie/2015/08/keep-windows-10-off-your-forensic.html (Accessed: 28 March 2016).

Branscombe, M. (2015) 20 smart new and improved features in Windows 10. Available at: http://www.techradar.com/news/software/operating-systems/10-great-new-features-in-windows-10-1267365 (Accessed: 28 March 2016).


Warren, T. (2012) Windows 7 hits 630 million licenses sold, now running on 50 percent of enterprise desktops. Available at: http://www.theverge.com/2012/7/9/3146777/windows-7-630-million-licenses-sold-enterprise-adoption (Accessed: 28 March 2016).

Anderson, K., McDonald, K., Bowden, Z., Giret, L., Bacchus, A., Brengel, K. and Shanahan, D. (2016) Your source for Windows 10 and Microsoft news. Available at: http://www.winbeta.org/news/windows-10-finally-dethroned-windows-7-popular-os-steam-gamers (retrieved on 03/05/2016; Accessed: 28 March 2016).

Forensic KB (2011) Computer Forensics, Malware Analysis and Digital Investigations. Available at: http://www.forensickb.com/2010/01/forensic-review-of-windows-7-part-v.html (Accessed: 14 May 2016).

Khandelwal, S. (2016) Microsoft starts automatically pushing Windows 10 to all Windows 7 and 8.1 users. Available at: http://thehackernews.com/2016/02/windows-10-upgrade.html (Accessed: 7 May 2016).


10.2 Bibliography

Nelson, B., Phillips, Enfinger, F. and Steuart, C. (2008) Guide to Computer Forensics and Investigations.

Tanner, A. and Dampier, D. (2010) 'An Approach for Managing Knowledge in Digital Forensics Examinations', Int. J. Comput. Sci. Secur., vol. 4, no. 5.

Solomon and Russinovich (2000) 'Analysis of hidden data in the NTFS file system'. Available at: http://www.forensicfocus.com/hidden-data-analysis-ntfs (Accessed: 20 April 2016).

Adams, R. (2013) Paper: 'Advanced Data Acquisition Model (ADAM)'.

Bott, E. (2015) Introducing Windows 10 for IT Professionals, Preview Edition. Microsoft Press.

Casey, E. (2004) Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4.


11 Appendices

11.1 Appendix A

Adapted from Microsoft US (2015).

Figure 68: Windows comparisons


11.2 Appendix B

(adapted from Microsoft)

Figure 69: The Windows 10 Start menu combines the live tiles of Windows 8 with the Windows 7 style


11.3 Appendix C: SANS Windows Artifacts Analysis poster

Figure 70: SANS Windows Artifacts Analysis Evidence (Appendix C)