In this chapter, we will cover the following recipes:
- Parsing Windows 10 Notifications
- Cortana forensics
- OneDrive forensics
- Dropbox forensics
- Windows 10 mail app
- Windows 10 Xbox app
The advent of Windows 10 has caused controversy among users and forensic investigators alike. Many end users have concerns regarding privacy and security, since the privacy settings that are automatically set up on devices with Windows 10 are not at all strong. Others have expressed concerns about the way Windows machines are now forcing users to migrate to Windows 10, even if they are happy with their current versions.
From a forensic perspective, Windows 10 presents a number of new and unique challenges. Most of the programs have been modified to look and feel more like the applications you would see on a smartphone or tablet, and a lot of them behave quite differently from their predecessors. The advent of Cortana has given forensic investigators even more data to work with, and the amount of data has also increased in line with the interconnected nature of many...
Windows 10 features notifications, called Toast notifications, which pop up in the bottom right of the screen. These can be set up for a number of different requirements, but are on by default for news relating to application updates and security.
It is possible for users to set up notifications to remind themselves of tasks, as well as events and email alerts. In this chapter, we will look at the usefulness of Windows 10 notifications in forensic investigations, and how to parse them.
Details of notifications are stored in the following location:
\Users\Username\AppData\Local\Microsoft\Windows\Notifications
The name of the database will differ depending on the build version of...
Cortana is Microsoft's voice-activated assistant, but it does much more than just respond to commands. Cortana links in across different devices, giving reminders when required and getting to know the user. It can recognize an individual's voice and handwriting, among other things. For this reason, many Windows users have turned the Cortana function off due to privacy concerns - particularly because, by default on some machines, Cortana is always on, even when the machine is in sleep mode.
Cortana can also respond to specific occurrences - for example, a user can instruct Cortana to remind them to say something to a person next time they call. This is undoubtedly a useful tool for many, and also a mine of forensic information.
OneDrive is Microsoft's cloud service, which allows users to save their data on the cloud and access it from any machine, as long as they are logged in with their Microsoft account. Featuring Word, Excel, PowerPoint, Outlook, a calendar, contacts, and more, this is a straightforward way for users of Microsoft products to ensure that they never lose access to their documents. It is also a great source of information and data in forensic investigations.
One way in which OneDrive is especially useful to forensic investigators is in instances where a particular device cannot be accessed for one reason or another. For example, perhaps a phone has been seized, but it is locked and the passcode cannot be retrieved; or perhaps a computer has a password that has proven too difficult to bypass. In these instances, if the investigator can gain access to a different...
In an apparent attempt to make the user's transition between smartphones, tablets, and PCs more fluid, in version 8 and up, Microsoft have renamed their programs "applications" and have given the desktop a more smartphone-like feel.
Rather than downloading programs from a web browser, users can now shop for apps - many of which are free - that make for a smoother user experience.
Dropbox is a file sharing application that allows users to upload files of almost any type and easily share them with others. All that is required is an email address to sign up. In 2016, Dropbox had 500 million users worldwide, and this number is climbing.
Forensically, file sharing between users can provide a wealth of helpful information. Let's have a look at how to glean data from the Dropbox...
The Windows 10 Mail app is similar to its predecessors in terms of user experience; however, there are a number of forensic differences. The main one is the way in which emails are stored. They are no longer saved as .eml files; rather, they are now saved as HTML or .txt files.
Another neat feature in the new Mail app is the ability to connect to multiple accounts. Much like Gmail, Mail now comes with the ability to switch between different accounts - and users can now add other email providers such as Gmail and Yahoo to their Microsoft Mail apps.
Several forensic tools will be able to extract data from the Mail app. In this example, we are going to talk about FTK Imager, but the process of extracting...
As the name suggests, Windows 10's Xbox application allows users to play Xbox games on their Windows 10 machines. At first glance, this may not sound like a particularly forensically interesting source of information. However, looking under the hood we can find a wealth of data that can be leveraged in investigations. This section will take you through how to do that.
The information we are looking for can all be found in the Packages directory at the following location:
\Users\Username\AppData\Local\LocalState\ModelManager
You are looking for the Xboxlivegamer.xml file, which contains information that may be relevant to your case. Also, since Xbox is a gaming platform and many people...
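An added triage example (not code from the book) that walks an offline copy of a Windows volume and records every file found at the two artifact locations this chapter names, the Notifications folder and the Xbox app's Xboxlivegamer.xml, hashing each for the case record. It assumes the volume is mounted read-only at a known root and uses the paths exactly as the page gives them; the sample profile it builds is constructed placeholder data, not a real artifact.

```python
import hashlib
import tempfile
from pathlib import Path

# Artifact locations quoted in this chapter, relative to a user's profile directory.
ARTIFACTS = {
    "notifications_dir": Path("AppData/Local/Microsoft/Windows/Notifications"),
    "xbox_gamer_xml": Path("AppData/Local/LocalState/ModelManager/Xboxlivegamer.xml"),
}


def sha256_file(path):
    """Hash a file in chunks so large databases do not need to fit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _record(user, label, path):
    return {"user": user, "artifact": label, "path": str(path),
            "size": path.stat().st_size, "sha256": sha256_file(path)}


def triage_volume(volume_root):
    """Read-only walk of every profile under <volume>/Users. A directory artifact is
    expanded to each file inside it, so the notifications DB is caught under any name."""
    findings = []
    users_dir = Path(volume_root) / "Users"
    for profile in sorted(p for p in users_dir.iterdir() if p.is_dir()):
        for label, rel in ARTIFACTS.items():
            target = profile / rel
            if target.is_file():
                findings.append(_record(profile.name, label, target))
            elif target.is_dir():
                for f in sorted(target.rglob("*")):
                    if f.is_file():
                        findings.append(_record(profile.name, label, f))
    return findings


def build_sample_volume():
    """Constructed sample volume (placeholder contents) so the triage runs offline."""
    root = Path(tempfile.mkdtemp())
    profile = root / "Users" / "alice"
    notif = profile / ARTIFACTS["notifications_dir"]
    notif.mkdir(parents=True)
    (notif / "PLACEHOLDER_notifications.db").write_bytes(b"not a real database")
    xml = profile / ARTIFACTS["xbox_gamer_xml"]
    xml.parent.mkdir(parents=True)
    xml.write_text("<placeholder/>")
    return root
```

Point `triage_volume()` at the root of a mounted image instead of `build_sample_volume()` to run it against real evidence; the returned records can be written straight into the case log.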