You're reading from Windows Forensics Cookbook

Product type: Book
Published in: Aug 2017
Publisher: Packt
ISBN-13: 9781784390495
Edition: 1st Edition

Authors (2):

Scar de Courcier

Scar de Courcier is Senior Editor at digital forensics website Forensic Focus. She also works as an independent consultant on online and offline child protection projects. In her spare time, she enjoys swimming, pretending she lives on the USS Voyager, and hanging out with her cat.

Oleg Skulkin

Oleg Skulkin is the Head of Digital Forensics and Malware Analysis Laboratory at Group-IB. Oleg has worked in the fields of digital forensics, incident response, and cyber threat intelligence and research for over a decade, fueling his passion for uncovering new techniques used by hidden adversaries. Oleg has authored and co-authored multiple blog posts, papers, and books on related topics and holds GCFA and GCTI certifications.
Windows 10 Forensics

In this chapter, we will cover the following recipes:

  • Parsing Windows 10 Notifications
  • Cortana forensics
  • OneDrive forensics
  • Dropbox forensics
  • Windows 10 mail app
  • Windows 10 Xbox app

Introduction

The advent of Windows 10 has caused controversy among users and forensic investigators alike. Many end users have concerns regarding privacy and security, since the privacy settings that Windows 10 applies by default are weak. Others have expressed concern about the way Microsoft has pushed users of earlier Windows versions to upgrade to Windows 10, even when they were happy with the version they already had.

From a forensic perspective, Windows 10 presents a number of new and unique challenges. Most of the built-in programs have been redesigned to look and feel like the applications you would see on a smartphone or tablet, and many of them behave quite differently from their predecessors. The advent of Cortana has given forensic investigators even more data to work with, and the amount of data has also increased in line with the interconnected nature of many...

Parsing Windows 10 Notifications

Windows 10 features toast notifications, which pop up in the bottom-right corner of the screen. They can be configured for many different purposes, and are on by default for news relating to application updates and security.

Users can also set up notifications to remind themselves of tasks, as well as events and email alerts. In this recipe, we will look at how useful Windows 10 notifications are in forensic investigations, and how to parse them.

Getting ready

Details of notifications are stored in the following location:

\Users\Username\AppData\Local\Microsoft\Windows\Notifications

The name of the database will differ depending on the build version of...
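To make the parsing concrete, here is an added example (not the book's own code) that reads the notification database as a SQLite file. It assumes the database is wpndatabase.db, the name used from Windows 10 build 1607 onward, with a Notification table holding the toast XML in a Payload column and Windows FILETIME values in ArrivalTime and ExpiryTime, and a NotificationHandler table naming the app that produced each toast; those column names, the read-only open, and the sample rows are assumptions constructed for the demo, so compare them with the output of `.schema` on the database you actually have before relying on the query.

```python
"""Parse Windows 10 toast notifications from the notification database.

Added example, not from the book. Assumptions (labelled): the file is the SQLite
database wpndatabase.db under %LocalAppData%\\Microsoft\\Windows\\Notifications;
the Notification table stores the toast payload as XML and timestamps as Windows
FILETIME (100-nanosecond ticks since 1601-01-01 UTC); NotificationHandler.PrimaryId
identifies the producing app. Only the columns used here are modelled.
"""
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME ticks -> aware UTC datetime. A zero/NULL value means 'not set'."""
    if not ft:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse conversion; used only to build the constructed sample database."""
    # timedelta // timedelta is exact integer arithmetic (no float rounding).
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def toast_text(payload):
    """Return the visible <text> strings from a toast XML payload (bytes or str).

    A payload that is not well-formed XML (truncated, binary, or not a toast)
    yields an empty list rather than aborting the whole parse.
    """
    if payload is None:
        return []
    if isinstance(payload, bytes):
        payload = payload.decode("utf-8", errors="replace")
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return []
    return [(t.text or "").strip() for t in root.iter("text") if (t.text or "").strip()]


def open_db(path):
    """Open the evidence copy read-only so parsing never touches the artifact."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def parse_notifications(conn):
    """One dict per notification row, joined to the handler (app) that produced it."""
    # Column and table names are an assumption about the wpndatabase.db schema.
    sql = """
        SELECT n.Id, h.PrimaryId, n.Type, n.Payload, n.ArrivalTime, n.ExpiryTime
        FROM Notification AS n
        LEFT JOIN NotificationHandler AS h ON h.RecordId = n.HandlerId
        ORDER BY n.ArrivalTime
    """
    rows = []
    for nid, app, ntype, payload, arrival, expiry in conn.execute(sql):
        rows.append({
            "id": nid,
            "app": app,
            "type": ntype,
            "text": toast_text(payload),
            "arrival": filetime_to_datetime(arrival),
            "expiry": filetime_to_datetime(expiry),
        })
    return rows


def build_sample_db():
    """Constructed in-memory stand-in for wpndatabase.db with two toast rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE NotificationHandler (RecordId INTEGER PRIMARY KEY, PrimaryId TEXT);
        CREATE TABLE Notification (
            Id INTEGER PRIMARY KEY, HandlerId INTEGER, Type TEXT,
            Payload BLOB, ArrivalTime INTEGER, ExpiryTime INTEGER);
    """)
    conn.execute("INSERT INTO NotificationHandler VALUES (1, 'Constructed.MailApp_sample')")
    good = (b"<toast><visual><binding template='ToastGeneric'>"
            b"<text>New message from alice</text><text>Meet at 10:00</text>"
            b"</binding></visual></toast>")
    t1 = datetime(2017, 3, 1, 9, 15, tzinfo=timezone.utc)
    t2 = datetime(2017, 3, 2, 18, 0, tzinfo=timezone.utc)
    conn.execute("INSERT INTO Notification VALUES (?,?,?,?,?,?)",
                 (10, 1, "toast", good, datetime_to_filetime(t1),
                  datetime_to_filetime(t1 + timedelta(days=1))))
    # Second row: truncated payload and no expiry, to exercise the failure paths.
    conn.execute("INSERT INTO Notification VALUES (?,?,?,?,?,?)",
                 (11, 1, "toast", b"<toast><visual>", datetime_to_filetime(t2), 0))
    conn.commit()
    return conn


if __name__ == "__main__":
    for row in parse_notifications(build_sample_db()):
        print(row)
```

Against a real image, call `parse_notifications(open_db(r"...\Notifications\wpndatabase.db"))` on a working copy; the read-only URI open keeps SQLite from creating a journal next to the evidence file, and the per-row XML error handling means one malformed payload does not hide the rest of the timeline.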

Cortana forensics

Cortana is Microsoft's voice-activated assistant, but it does much more than just respond to commands. Cortana links in across different devices, giving reminders when required and getting to know the user. It can recognize an individual's voice and handwriting, among other things. For this reason, many Windows users have turned Cortana off due to privacy concerns, particularly because, by default on some machines, Cortana is always listening, even when the machine is in sleep mode.

Cortana can also respond to specific occurrences; for example, a user can instruct Cortana to remind them to say something to a person the next time they call. This is undoubtedly a useful tool for many, and also a rich source of forensic information.

Getting ready

...

OneDrive forensics

OneDrive is Microsoft's cloud storage service, which allows users to save their data in the cloud and access it from any machine, as long as they are logged in with their Microsoft account. Integrated with Word, Excel, PowerPoint, Outlook, a calendar, contacts, and more, it is a straightforward way for users of Microsoft products to ensure that they never lose access to their documents. It is also a great source of information and data in forensic investigations.

One way in which OneDrive is especially useful to forensic investigators is in instances where a particular device cannot be accessed for one reason or another. For example, perhaps a phone has been seized, but it is locked and the passcode cannot be retrieved; or perhaps a computer has a password that has proven too difficult to bypass. In these instances, if the investigator can gain access to a different...

Dropbox forensics

In an apparent attempt to make the transition between smartphones, tablets, and PCs more fluid, from Windows 8 onward Microsoft has renamed its programs "apps" and given the desktop a more smartphone-like feel.

Fig 10.7. The Start menu now includes Tiles, which gives the computer more of a smartphone feel

Rather than downloading programs through a web browser, users can now shop for apps, many of which are free, which makes for a smoother user experience.

Dropbox is a file sharing application that allows users to upload files of almost any type and easily share them with others. All that is required to sign up is an email address. In 2016, Dropbox reported 500 million users worldwide, and that number is still climbing.

Forensically, file sharing between users can provide a wealth of helpful information. Let's have a look at how to glean data from the Dropbox...

Windows 10 mail app

The Windows 10 Mail app is similar to its predecessors in terms of user experience; however, there are a number of forensic differences. The main one is the way in which emails are stored: they are no longer saved as .eml files, but as HTML or plain-text files.

Another neat feature in the new Mail app is the ability to connect to multiple accounts. Much like Gmail, Mail now comes with the ability to switch between different accounts - and users can now add other email providers such as Gmail and Yahoo to their Microsoft Mail apps.

Getting ready

Several forensic tools will be able to extract data from the Mail app. In this example, we are going to talk about FTK Imager, but the process of extracting...

Windows 10 Xbox App

As the name suggests, Windows 10's Xbox application allows users to play Xbox games on their Windows 10 machines. At first glance, this may not sound like a particularly forensically interesting source of information. However, looking under the hood we can find a wealth of data that can be leveraged in investigations. This section will take you through how to do that.

Getting ready

The information we are looking for can all be found under the Packages directory, inside the Xbox app's own package folder, at the following location:

\Users\Username\AppData\Local\Packages\<Xbox app package folder>\LocalState\ModelManager

You are looking for the Xboxlivegamer.xml file, which contains information that may be relevant to your case. Also, since Xbox is a gaming platform and many people...
