Registry Hives
•The registry hive format has not changed
▫Can be examined with numerous tools
(e.g. RegistryBrowser, RegistryViewer, X-Ways Forensics, etc.)
•Location of important registry hives:
▫\Users\user_name\NTUSER.DAT
▫\Windows\System32\config\DEFAULT
▫\Windows\System32\config\SAM
▫\Windows\System32\config\SECURITY
▫\Windows\System32\config\SOFTWARE
▫\Windows\System32\config\SYSTEM
Event Logs
•The EVTX log format has not changed
▫Can be examined with numerous tools
(e.g. X-Ways Forensics, etc.)
•Location of EVTX logs:
▫\Windows\System32\winevt\Logs\
LNK Shortcuts
•The LNK format has not changed
▫Can be examined with numerous tools
(e.g. X-Ways Forensics, etc.)
•Useful fields:
▫Hostname
▫MAC Address
▫Volume ID
▫Owner SID
▫MAC Times
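The hostname, MAC address and a creation timestamp listed above live in the LNK's TrackerDataBlock (the volume serial is in the separate LinkInfo structure). The parser below is an added example, not code from the original slides or from any of the tools they name; it locates the block by its 0xA0000003 signature, decodes the NetBIOS machine ID, and pulls the MAC and timestamp out of the time-based (version 1) file GUID. The sample LNK fragment, its hostname, MAC and timestamp are constructed for this example.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# TrackerDataBlock layout (MS-SHLLINK 2.5.10): BlockSize(4) BlockSignature(4)
# Length(4) Version(4) MachineID(16) Droid(2 GUIDs) DroidBirth(2 GUIDs)
TRACKER_SIGNATURE = 0xA0000003
TRACKER_BLOCK_SIZE = 0x60
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # RFC 4122 v1 epoch


def uuid1_to_datetime(u: uuid.UUID) -> datetime:
    """Timestamp embedded in a version-1 UUID (100 ns ticks since 1582-10-15)."""
    if u.version != 1:
        raise ValueError("not a time-based (v1) UUID")
    return UUID_EPOCH + timedelta(microseconds=u.time // 10)


def uuid1_to_mac(u: uuid.UUID) -> str:
    """Node field of a v1 UUID; on Windows this is normally the NIC's MAC."""
    return ":".join(f"{(u.node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def parse_tracker_block(block: bytes) -> dict:
    size, sig, length, _version, machine_id = struct.unpack_from("<IIII16s", block, 0)
    if sig != TRACKER_SIGNATURE or size != TRACKER_BLOCK_SIZE or length != 0x58:
        raise ValueError("not a well-formed TrackerDataBlock")
    # The four GUIDs are stored in Windows mixed-endian byte order.
    droid_vol, droid_file, birth_vol, birth_file = (
        uuid.UUID(bytes_le=block[off:off + 16]) for off in range(32, 96, 16))
    return {
        "hostname": machine_id.split(b"\0", 1)[0].decode("ascii", "replace"),
        "volume_droid": str(droid_vol),
        "mac": uuid1_to_mac(birth_file),
        "file_created": uuid1_to_datetime(birth_file),
        # Droid != DroidBirth means the target was moved to another volume/host
        "moved_since_birth": (droid_vol, droid_file) != (birth_vol, birth_file),
    }


def extract_tracker(lnk: bytes) -> dict:
    """Find the TrackerDataBlock anywhere in the LNK's ExtraData and parse it."""
    off = lnk.find(struct.pack("<II", TRACKER_BLOCK_SIZE, TRACKER_SIGNATURE))
    if off < 0:
        raise ValueError("LNK has no TrackerDataBlock")
    return parse_tracker_block(lnk[off:off + TRACKER_BLOCK_SIZE])


def _make_uuid1(when: datetime, node: int, clock_seq: int = 0x1234) -> uuid.UUID:
    """Deterministic v1 UUID; only used to build the constructed sample below."""
    delta = when - UUID_EPOCH  # integer arithmetic: the tick count exceeds 2**53
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return uuid.UUID(fields=(ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
                             ((ticks >> 48) & 0x0FFF) | 0x1000,
                             0x80 | ((clock_seq >> 8) & 0x3F), clock_seq & 0xFF, node))


# Constructed sample LNK fragment: hostname, MAC and timestamp are invented.
SAMPLE_MAC = 0x000C29AABBCC
SAMPLE_CREATED = datetime(2015, 8, 1, 12, 0, 0, tzinfo=timezone.utc)
_vol = uuid.UUID("11111111-2222-4333-8444-555555555555")   # volume droid (random v4)
_file = _make_uuid1(SAMPLE_CREATED, SAMPLE_MAC)            # file droid (time-based v1)
SAMPLE_LNK = (
    b"L\x00\x00\x00" + b"\x00" * 60   # stand-in for the ShellLinkHeader and LinkInfo
    + struct.pack("<IIII16s", TRACKER_BLOCK_SIZE, TRACKER_SIGNATURE, 0x58, 0,
                  b"win10-pc".ljust(16, b"\0"))
    + _vol.bytes_le + _file.bytes_le + _vol.bytes_le + _file.bytes_le
    + b"\x00\x00\x00\x00"             # TerminalBlock
)

if __name__ == "__main__":
    for key, value in extract_tracker(SAMPLE_LNK).items():
        print(f"{key:>18}: {value}")
```

The timestamp in the file GUID is when the target was first created on the originating host, which is why a mismatch between Droid and DroidBirth is worth flagging: it shows the file has since been moved between volumes or machines.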
Thumbcache
•Location of Thumbcache files:
▫\Users\user_name\AppData\Local\Microsoft\Windows\Explorer\
Recycle Bin
•Recycle Bin artefacts have not changed
▫$I
Still provides the original file name and path (plus the original size and deletion time)
▫$R
The original file content
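The $I record is small enough to parse by hand when a forensic suite is not to hand. The parser below is an added example, not code from the slides or any tool they mention; it handles both the Vista to 8.1 layout (version 1, fixed 520-byte name) and the Windows 10 layout (version 2, length-prefixed name), converts the FILETIME deletion stamp, and maps a $I name to its $R companion. The sample records, path, size and timestamp are constructed for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH  # integer maths: the tick count exceeds 2**53
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data: bytes) -> dict:
    """Parse a $I<id> record from \\$Recycle.Bin\\<SID>\\.

    Both versions start with: version (8), original size (8), deletion FILETIME (8).
    Version 1 (Vista to 8.1): fixed 520-byte UTF-16LE path at offset 24.
    Version 2 (Windows 10): 4-byte path length in UTF-16 code units (including
    the terminating NUL) at offset 24, followed by the path itself.
    """
    if len(data) < 28:
        raise ValueError("too short to be a $I record")
    version, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("$I record truncated")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", "replace").split("\0", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_utc": filetime_to_datetime(deleted), "original_path": path}


def companion_r(i_name: str) -> str:
    """$IABC123.txt -> $RABC123.txt: the file that holds the deleted content."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


# Constructed samples (path, size and timestamp are invented for this example).
SAMPLE_PATH = r"C:\Users\alice\Documents\passwords.xlsx"
SAMPLE_SIZE = 44_032
SAMPLE_DELETED = datetime(2016, 1, 15, 9, 30, 0, tzinfo=timezone.utc)
_size_time = struct.pack("<QQ", SAMPLE_SIZE, datetime_to_filetime(SAMPLE_DELETED))
_name = (SAMPLE_PATH + "\0").encode("utf-16-le")
SAMPLE_I_V2 = (struct.pack("<Q", 2) + _size_time
               + struct.pack("<I", len(SAMPLE_PATH) + 1) + _name)
SAMPLE_I_V1 = struct.pack("<Q", 1) + _size_time + _name.ljust(520, b"\0")

if __name__ == "__main__":
    for rec in (SAMPLE_I_V2, SAMPLE_I_V1):
        print(parse_dollar_i(rec))
```

Checking the version field first matters on a Windows 10 image that was upgraded in place: $I records created before the upgrade keep the version 1 layout and would be mis-parsed if the length prefix were assumed.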
Volume Shadow Copies
•The vssadmin tool still lists the current VSCs (vssadmin list shadows)
Windows Indexing Service
•The Windows indexing service is an evidentiary gold mine
▫Potentially stores emails and other binary items
Great as a dictionary list for password cracking
•Stored in an .EDB file
▫Can be interpreted by EseDbViewer, ESEDatabaseView or X-Ways Forensics
If the database was dismounted “dirty”, it must first be recovered or repaired with esentutl.exe
•In Windows 10 stored in the following directory:
▫C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
Cortana
•Windows 10 features “Cortana”, a personal assistant, which expands upon the unified search platform introduced in Windows 8
▫Search encompasses local files, Windows Store & online content
▫Can set reminders
▫Can initiate contact (e.g. write emails)
•Cortana Databases (EDBs):
▫\Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\AppData\Indexed DB\IndexedDB.edb
▫\Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCoreDb.dat
Interesting Tables:
LocationTriggers
▫Latitude/Longitude and Name of place results
Geofences
▫Latitude/Longitude for where location based reminders are triggered
Reminders
▫Creation and completion time (stored as a UNIX timestamp)
Cortana
•The following databases contain a list of contacts synched from email accounts:
▫\Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\Contacts_xxxxx.cfg
▫\Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\Contacts_xxxxx.cfg.txt
Notification Centre
•The following database contains the list of notifications:
▫\Users\user_name\AppData\Local\Microsoft\Windows\Notifications\appdb.dat
Toast notifications are stored in it as embedded XML
Picture Password
•“Picture Password” is an alternate login method where gestures drawn on top of a picture are used as the password
•This registry key holds the path to the “Picture Password” file:
▫HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\PicturePassword\user_GUID
•Path of the locally stored Picture Password file:
▫C:\ProgramData\Microsoft\Windows\SystemData\user_GUID\ReadOnly\PicturePassword\background.png
Part 2
Applications (Apps)
•Applications (Apps) that use the Modern (Metro) UI are treated differently from programs that run in desktop mode
•Apps are installed in the following directory:
▫\Program Files\WindowsApps\
•Settings and configuration DBs are located in the following directory:
▫\Users\user_name\AppData\Local\Packages\package_name\LocalState\
Two DB formats:
SQLite DBs (e.g. .sqlite)
Jet (ESE) DBs (.EDB)
Windows Store
•Apps are purchased/installed via the Windows Store
•During the Insider Preview there was a Beta Store which contained Windows 10-compatible Apps (e.g. Microsoft Office Apps)
•Registry key of installed applications:
▫HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\
•List of deleted applications:
▫HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deleted\
Edge Browser
•New web browser (codenamed Spartan) with a new rendering engine
•As with IE10, records are no longer stored in Index.DAT files but in an ESE (EDB) database
•Edge settings are stored in the following file:
▫\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxxx\DBStore\spartan.edb
•Edge cache is stored in the following directory:
▫\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\#!001\MicrosoftEdge\Cache\
•Last active browsing session is stored in:
▫\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\
Browser History Records
•Edge (and IE) history records are stored in the following database:
▫\Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
This is actually an ESE (.EDB) database
Can be interpreted by EseDbViewer or ESEDatabaseView
It may have been dismounted “dirty”, in which case esentutl.exe is needed first
The database also stores Cookies
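Both Windows.edb and WebCacheV01.dat are ESE databases, and on a live-acquired image they are very often in the “dirty” state that makes EseDbViewer or ESEDatabaseView refuse to open them. The check below is an added example, not code from the slides or from either viewer; it reads the state field from the database header (page 0) so you know before running esentutl whether a recovery is needed, and it builds the esentutl command lines for a working copy. The header bytes are constructed for this example; run it against a copy, never the evidence file.

```python
import os
import struct

ESE_MAGIC = 0x89ABCDEF          # at offset 4 of page 0, little-endian
DB_STATES = {1: "JustCreated", 2: "DirtyShutdown", 3: "CleanShutdown",
             4: "BeingConverted", 5: "ForceDetach"}


def ese_header_info(header: bytes) -> dict:
    """Decode the examiner-relevant fields of an ESE database header.

    Offsets follow the JET_DBFHDR layout as documented by libesedb: checksum (0),
    magic (4), format version (8), file type (12), dbtime (16), database
    signature (24, 28 bytes), state (52), page size (236).
    """
    if len(header) < 240:
        raise ValueError("need at least 240 bytes from the start of the file")
    magic, version, file_type = struct.unpack_from("<III", header, 4)
    if magic != ESE_MAGIC:
        raise ValueError("not an ESE database (magic mismatch)")
    (dbtime,) = struct.unpack_from("<Q", header, 16)
    (state,) = struct.unpack_from("<I", header, 52)
    (page_size,) = struct.unpack_from("<I", header, 236)
    return {"format_version": version,
            "file_type": {0: "database", 1: "streaming"}.get(file_type, file_type),
            "dbtime": dbtime,
            "state": DB_STATES.get(state, f"unknown({state})"),
            "needs_recovery": state != 3,   # anything but CleanShutdown
            "page_size": page_size}


def check_file(path: str) -> dict:
    """Read only the header of an on-disk copy (works on any size of EDB)."""
    with open(path, "rb") as fh:
        return ese_header_info(fh.read(240))


def recovery_commands(db_path: str, log_base: str) -> list:
    """esentutl invocations to try, in order, on a working copy of the database.

    /r replays the transaction logs (<log_base>*.log sitting next to the file,
    e.g. V01 for WebCacheV01.dat) and is lossless; /p repairs without the logs
    and discards uncommitted data, so it is the fallback, not the first choice.
    """
    db_dir = os.path.dirname(os.path.abspath(db_path))
    return [f'esentutl.exe /r {log_base} /l"{db_dir}" /s"{db_dir}" /d"{db_dir}"',
            f'esentutl.exe /p "{db_path}"']


def _make_header(state: int, page_size: int = 32768) -> bytes:
    """Constructed page-0 header: only the fields read above are populated."""
    h = bytearray(page_size)
    struct.pack_into("<III", h, 4, ESE_MAGIC, 0x620, 0)
    struct.pack_into("<Q", h, 16, 0x1234)
    struct.pack_into("<I", h, 52, state)
    struct.pack_into("<I", h, 236, page_size)
    return bytes(h)


SAMPLE_DIRTY = _make_header(2)   # what a live-copied WebCacheV01.dat usually looks like
SAMPLE_CLEAN = _make_header(3)

if __name__ == "__main__":
    info = ese_header_info(SAMPLE_DIRTY)
    print(info)
    if info["needs_recovery"]:
        print("\n".join(recovery_commands(r"C:\case\WebCache\WebCacheV01.dat", "V01")))
```

The same check applies to Windows.edb (log base name differs; look at the *.log files beside it) and to the Cortana and Mail EDB files listed elsewhere in these slides. `esentutl.exe /mh <file>` prints the same state field if you would rather confirm it with the Microsoft tool.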
Internet Explorer (legacy)
•Internet cache is stored in this directory:
▫\Users\user_name\AppData\Local\Microsoft\Windows\INetCache\
•Internet cookies are stored in this directory:
▫\Users\user_name\AppData\Local\Microsoft\Windows\INetCookies\
Email (Mail application)
•Email bodies are stored in TXT or HTML format
▫Can be analysed by a number of tools
▫Stored in the following directory:
\Users\user_name\AppData\Local\Comms\Unistore\data\
•Email metadata is stored in the following DB (EDB format):
▫\Users\user_name\AppData\Local\Comms\UnistoreDB\store.vol
Attachments
Email header
Contact information
Unified Communication
•Unified Communication (UC) is a built-in Microsoft application that brings together the following social media platforms (by default):
▫Appears to be scaled back from Windows 8.x (less integrated than the previous People App)
•UC settings are stored in the following DB:
▫\Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps…\LocalState\livecomm.edb
Unified Communication
•Interesting Tables:
▫Account
SourceID
List of accounts (e.g. WL = Windows Live, Skype, TWITR = Twitter, LI = LinkedIn)
DomainTag
Username for each account
▫Contact
List of synched contacts across all account platforms
▫Event
Calendar entries (including birthdays of contacts if synched to Windows Live) and locations
▫MeContact
Further details about owner accounts
▫Person and PersonLink
Further details about each contact including what account they link back to (e.g Skype)
Unified Communication
•Locally cached contact entries are stored in this directory:
▫\Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps_xxxxx\LocalState\Indexed\LiveComm\xxxxx\xxxxx\People\AddressBook\
•Contact photos are stored in this directory (JPGs):
▫\Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps_xxxx\LocalState\LiveComm\xxxx\xxxx\UserTiles\
Twitter App
•History DB is located in the following file:
▫\Users\user_name\AppData\Local\Packages\xxxx.Twitter_xxxxxxx\LocalState\twitter_user_id\twitter.sqlite
•SQLite3 format DB
▫11 tables in the DB
Relevant tables:
messages – holds tweets & DMs
search_queries – holds searches conducted in the Twitter app by the user
statuses – lists the latest tweets from accounts being followed
users – lists the user's account and the accounts being followed by the user
Twitter App
•Settings are located in this file:
▫\Users\user_name\AppData\Local\Packages\xxxxx.Twitter_xxxx\Settings\settings.dat
Includes user name (@xxxxx)
Details of the profile picture URL
Twitter ID number
Skype App (legacy)
•The Skype App was discontinued with Windows 10
▫Windows 10 prompts you to download the desktop Skype application
OneDrive App
•Built in by default; the API allows any program to save files to OneDrive
•List of synced items is located in this file:
▫\Users\user_name\AppData\Local\Microsoft\Windows\OneDrive\settings\xxxxxxxx.dat
•Locally cached items are stored in directory:
▫\Users\user_name\OneDrive\
Microsoft Office Apps
•With the Windows Insider program Microsoft introduced the Office Mobile Apps
▫With a valid Office 365 account you can create and edit documents
Otherwise these Apps are read-only
Word App
•List of recent documents is stored in the following file (XML):
▫\Users\user_name\AppData\Local\Packages\Microsoft.Office.Word_xxxx\LocalState\AppData\Local\Office\16.0\MruServiceCache\xxxx_LiveId\Excel\Documents_en-AU
•Cached files are stored in this directory:
▫\Users\user_name\AppData\Local\Packages\Microsoft.Office.Word_xxxx\LocalState\OfficeFileCache\
Files carry an .FSD extension; the document data is embedded inside them
It can be manually carved from the FSD file
Excel App
•List of recent documents is stored in the following file (XML):
▫\Users\user_name\AppData\Local\Packages\Microsoft.Office.Excel_xxxx\LocalState\AppData\Local\Office\16.0\MruServiceCache\xxxx_LiveId\Excel\Documents_en-AU
•Cached files are stored in this directory:
▫\Users\user_name\AppData\Local\Packages\Microsoft.Office.Excel_xxxx\LocalState\OfficeFileCache\
Files carry an .FSD extension; the document data is embedded inside them
It can be manually carved from the FSD file
PowerPoint App
•List of recent documents is stored in the following file (XML):
▫\Users\user_name\AppData\Local\Packages\Microsoft.Office.PowerPoint_xxxx\LocalState\AppData\Local\Office\16.0\MruServiceCache\xxxx_LiveId\Excel\Documents_en-AU
•Cached files are stored in this directory:
▫\Users\user_name\AppData\Local\Packages\Microsoft.Office.PowerPoint_xxxx\LocalState\OfficeFileCache\
Files carry an .FSD extension; the document data is embedded inside them
It can be manually carved from the FSD file
OneNote App
•Cached files are stored in this directory:
▫\Users\user_name\AppData\Local\Packages\Microsoft.Office.OneNote_xxxx\LocalState\AppData\Local\OneNote\16.0\
•Files are stored with an xxxx.bin name
▫Encoded binary files
▫Contain embedded graphics such as PNG or JPG
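The Word, Excel and PowerPoint FSD cache files and the OneNote .bin files share one recovery approach: the useful content (an OOXML package, a PNG, a JPEG) is embedded in an undocumented container and has to be carved out by signature. The carver below is an added example, not code from the slides or from the Office apps; it goes a step beyond the slides by handling all three object types in one scan and by validating each ZIP hit before accepting it, so a stray "PK" inside compressed data does not produce a bogus document. The sample "FSD" blob, the embedded .docx and the 1x1 PNG are all constructed for this example.

```python
import io
import struct
import zipfile
import zlib
from typing import Optional

ZIP_LOCAL, ZIP_EOCD = b"PK\x03\x04", b"PK\x05\x06"
PNG_SIG, PNG_IEND = b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def carve_zip(blob: bytes, start: int) -> Optional[bytes]:
    """OOXML (.docx/.xlsx/.pptx) is a ZIP: walk EOCD candidates until one validates."""
    eocd = blob.find(ZIP_EOCD, start)
    while eocd >= 0 and eocd + 22 <= len(blob):
        (comment_len,) = struct.unpack_from("<H", blob, eocd + 20)
        candidate = blob[start:eocd + 22 + comment_len]
        try:
            with zipfile.ZipFile(io.BytesIO(candidate)) as zf:
                if zf.testzip() is None:      # every member's CRC checks out
                    return candidate
        except Exception:                      # not the right EOCD, keep looking
            pass
        eocd = blob.find(ZIP_EOCD, eocd + 1)
    return None


def carve_png(blob: bytes, start: int) -> Optional[bytes]:
    if blob[start + 12:start + 16] != b"IHDR":   # first chunk must be IHDR
        return None
    end = blob.find(PNG_IEND, start)
    return blob[start:end + len(PNG_IEND)] if end > 0 else None


def carve_jpeg(blob: bytes, start: int) -> Optional[bytes]:
    # Naive: stops at the first EOI, so a JPEG with an embedded thumbnail is cut short.
    end = blob.find(JPEG_EOI, start + 2)
    return blob[start:end + 2] if end > 0 else None


CARVERS = [(ZIP_LOCAL, "zip", carve_zip), (PNG_SIG, "png", carve_png),
           (JPEG_SOI, "jpeg", carve_jpeg)]


def carve_objects(blob: bytes) -> list:
    """Return every embedded object found, earliest first, skipping invalid hits."""
    found, pos = [], 0
    while True:
        hits = [(blob.find(sig, pos), kind, fn) for sig, kind, fn in CARVERS]
        hits = [h for h in hits if h[0] >= 0]
        if not hits:
            return found
        off, kind, fn = min(hits, key=lambda h: h[0])
        data = fn(blob, off)
        if data:
            found.append({"type": kind, "offset": off, "size": len(data), "data": data})
            pos = off + len(data)
        else:
            pos = off + 1


def zip_member(data: bytes, name: str) -> bytes:
    """Read one member out of a carved OOXML package."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def _png_chunk(kind: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(kind + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + kind + payload + struct.pack(">I", crc)


# Constructed sample "FSD": filler bytes around a tiny .docx and a 1x1 PNG.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w", zipfile.ZIP_DEFLATED) as _zf:
    _zf.writestr("[Content_Types].xml", "<Types/>")
    _zf.writestr("word/document.xml", "<w:document>carved me</w:document>")
SAMPLE_DOCX = _buf.getvalue()
SAMPLE_PNG = (PNG_SIG + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _png_chunk(b"IEND", b""))
SAMPLE_FSD = b"\x00" * 64 + SAMPLE_DOCX + b"\xcc" * 32 + SAMPLE_PNG + b"\xcc" * 16

if __name__ == "__main__":
    for obj in carve_objects(SAMPLE_FSD):
        print(obj["type"], obj["offset"], obj["size"])
```

Point the same `carve_objects` at a real FSD or OneNote .bin read from the image; the ZIP validation is what separates a usable document from the partial, overwritten packages these caches also contain.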
Maps App
•Recent places are stored in this file (XML):
▫\Users\user_name\AppData\Local\Packages\Microsoft.WindowsMaps_xxxx\LocalState\Graph\xxxx\Me\00000000.ttl
Latitude/Longitude
Date modified (i.e. when searched)
Part 3
Memory Acquisition
•WinPMEM (tested versions 1.6.2 & 2.0.1)
▫Run as Administrator
Has to extract its driver to a local temp location
v1.6.2: running process ~10MB
v2.0.1: running process ~80MB
•FTK Imager
▫Run as Administrator
Running process ~15MB
Live Disk Acquisition
•FTK Imager
▫Can be used for Physical or Logical acquisition
•X-Ways Forensics
▫Can be used for Physical or Logical acquisition