As a follow-up to my previous research on Windows 10 Forensic Artefacts

I have decided to use the next few blog entries to expand upon some of the new artefacts that potentially contain relevant evidentiary value to a forensic investigation. Up first is Cortana and the Notification Center (sic).

Cortana

For those of you who have not used Cortana, it is a digital personal assistant (think Siri) that expands upon the unified search platform introduced in Windows 8. You can use Cortana for a number of tasks within the OS: setting a reminder, searching local files and the web, and answering simple queries.

One of the “smarter” uses of Cortana involves sending emails that are dictated to the service. Cortana integrates with the contacts associated with the Windows Live account that you use to log in to your OS; if you have also synched this account with other social media accounts (e.g. LinkedIn, Twitter, Facebook, etc.) these contacts will be available too. A user can interact with Cortana in two ways: typing into Cortana’s search box, or dictating via a microphone (if available).


There are a number of artefacts associated with Cortana: two backend Extensible Storage Engine (ESE) databases, plus other configuration files. The two Cortana databases are:

  • \Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\AppData\Indexed DB\IndexedDB.edb
  • \Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCoreDb.dat

The IndexedDB.edb contains the following tables:

  • DatabaseAndObjectStoreCatalog
  • HeaderTable
  • IndexCatalog
  • MSysDefrag
  • MSysLocales
  • MSysObjects
  • MSysObjectsShadow
  • MSysObjids
  • T-n
  • T-n

Using Joachim Metz’s esedbexport tool, this table data can be parsed into TSV format.

These tables can then be imported into Excel and easily read/searched. This database contains information relating to the Cortana index.


The other database, CortanaCoreDb.dat, contains table data that relates to a user’s interaction with Cortana; it contains the following tables:

  • Attachments
  • Contact
  • ContactPermissions
  • ContactTriggers
  • Diagnostic
  • Geofences
  • LocationTriggers
  • Metadata
  • MSysLocales
  • MSysObjects
  • MSysObjectsShadow
  • MSysObjids
  • Notification
  • Reminders
  • RulesDescriptions
  • RulesInstances
  • RulesInstancesDisplayParameters
  • RulesInstancesParameters
  • RulesTemplates
  • RulesTemplatesParameters
  • RulesTemplatesParameterTypes
  • Signals
  • TimeTriggers
  • Triggers

Again, esedbexport is able to parse these tables into TSV format. The time values in these tables are in Google Chrome Value format in the timezone of the local machine; the values can be decoded via DCode (but you will be required to omit the last digit of the stored value first).

Unlike the previous database, CortanaCoreDb.dat is a goldmine for evidentiary artefacts; some of the more interesting tables are:

  • Geofences

This table contains the Latitude/Longitude for where location-based reminders are triggered.

  ID                               | Time               | State | Latitude | Longitude | Accuracy | Speed    | Heading  | PositionSource
  892105716255e840a581176ac62494ec | 130825271697231000 | 2     | -33.8683 | 151.2082  | 101499   | 1.#QNAN0 | 1.#QNAN0 | 3
  929748b6ed5b724eb81e34153b26aa58 | 130825293899452000 | 0     | 0        | 0         | 0        | 0        | 0        | 0

  • LocationTriggers

This table contains Latitude/Longitude as well as the actual Name of place results for reminders.

  ID                               | Time               | State | Latitude | Longitude | Accuracy | Speed    | Heading  | PositionSource | RecurrenceUnit | Name
  892105716255e840a581176ac62494ec | 130825271697231000 | 2     | -33.87   | 151.2082  | 101499   | 1.#QNAN0 | 1.#QNAN0 | 3              | 1              | Kew East, VIC
  929748b6ed5b724eb81e34153b26aa58 | 130825293899452000 | 0     | 0        | 0         | 0        | 0        | 0        | 0              | 1              | Kew East, VIC

You may notice that the ID values from the Geofences and LocationTriggers tables match up.

  • Reminders

This table contains the actual text input by the user, as well as Creation, Access, and Completion times.

  Id                               | Status | SyncStatus | CreationTime       | LastUpdateTime     | LastAccessTime     | CompletionTime     | Title
  dfc214c0a38a5545b8781c1719cf11f3 | 1      | 0          | 130825269689572000 | 130825269689572000 | 130825269689572000 | -1                 | pick up milk
  dd0216ec6006a242bc29477177e48a39 | 2      | 0          | 130797419302410000 | 130799481140340000 | 130799481140340000 | 130799481046810000 | Get milk

  • Triggers

This table contains a ReminderId value that matches the Id field in the Reminders table (above).

  Id                               | ReminderId                       | Kind | CreationTime
  79dc81f549020e4898f6b92089f692cf | dd0216ec6006a242bc29477177e48a39 | 1    | 130825269353322000
  182fb7af6e9bc9418826c6d7dc1839b1 | dfc214c0a38a5545b8781c1719cf11f3 | 1    | 130825269688478000

What is interesting, especially for a forensic investigator, is that Cortana keeps track of when reminders are completed, including where and when a reminder was finalised. This is particularly invasive, but it can provide a wealth of information useful for pinning someone to a time and place.
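As an added example (my own code, not from the original post), the following Python decodes the timestamps in the Reminders and Triggers TSV exports and joins the two tables on ReminderId. The sample rows are constructed from the values shown above; the decoding assumes the 18-digit values count 100 ns intervals since 1601-01-01, which is why dropping the last digit makes them readable as a Google Chrome (microsecond) value in DCode.

```python
import csv
import io
from datetime import datetime, timedelta
# Constructed esedbexport-style TSV (tab-separated, header row first), built from
# the Reminders and Triggers rows shown in the post; real exports carry more columns.
REMINDERS_TSV = (
    "Id\tStatus\tSyncStatus\tCreationTime\tLastUpdateTime\tLastAccessTime"
    "\tCompletionTime\tTitle\n"
    "dfc214c0a38a5545b8781c1719cf11f3\t1\t0\t130825269689572000\t130825269689572000"
    "\t130825269689572000\t-1\tpick up milk\n"
    "dd0216ec6006a242bc29477177e48a39\t2\t0\t130797419302410000\t130799481140340000"
    "\t130799481140340000\t130799481046810000\tGet milk\n"
)
TRIGGERS_TSV = (
    "Id\tReminderId\tKind\tCreationTime\n"
    "79dc81f549020e4898f6b92089f692cf\tdd0216ec6006a242bc29477177e48a39\t1\t130825269353322000\n"
    "182fb7af6e9bc9418826c6d7dc1839b1\tdfc214c0a38a5545b8781c1719cf11f3\t1\t130825269688478000\n"
)
EPOCH_1601 = datetime(1601, 1, 1)

def decode_cortana_time(raw):
    """Decode an 18-digit CortanaCoreDb timestamp (assumed: 100 ns intervals since
    1601-01-01, the FILETIME layout). Integer-dividing by 10 gives microseconds since
    1601, which is what the post's 'omit the last digit, decode as Google Chrome
    value' step does in DCode. -1 or empty means 'not set' (e.g. not completed).
    Result is naive: the post says values follow the machine's local time zone."""
    raw = raw.strip()
    if raw in ("", "-1"):
        return None
    return EPOCH_1601 + timedelta(microseconds=int(raw) // 10)

def load_table(tsv_text):
    """Read one exported table into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(tsv_text), delimiter="\t"))

def reminders_with_triggers(reminders_tsv=REMINDERS_TSV, triggers_tsv=TRIGGERS_TSV):
    """One record per Triggers row, joined to its Reminders row on ReminderId == Id."""
    reminders = {r["Id"]: r for r in load_table(reminders_tsv)}
    joined = []
    for t in load_table(triggers_tsv):
        r = reminders.get(t["ReminderId"])  # None if the reminder row is missing
        joined.append({
            "trigger_id": t["Id"],
            "trigger_created": decode_cortana_time(t["CreationTime"]),
            "title": r["Title"] if r else None,
            "created": decode_cortana_time(r["CreationTime"]) if r else None,
            "completed": decode_cortana_time(r["CompletionTime"]) if r else None,
        })
    return joined
```

Point the two constants at real exports (or read them from the TSV files esedbexport writes) and the same join shows, per trigger, when the reminder was created and whether it was ever completed.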

Cortana’s access to a user’s address book comes from the following synched files:

  • \Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\Contacts_xxxxx.cfg
  • \Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\Contacts_xxxxx.cfg.txt
  • \Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\Cortana\Upload\Contacts\contacts.json

Cortana’s “homepage”, that displays pertinent information (as decided by a user’s “Notebook”, or Cortana herself) is stored in the following file:

  • \Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\cache\proactive\proactive-cache.bin

This “bin” file is actually an HTML file and can be rendered in numerous tools (including standard web browsers). It contains the cache of a user’s Cortana “homepage”, which may include weather (and location information), upcoming calendar events and news headlines (see image below).

Cortana also keeps tabs on recent locations you have searched for, as well as favourite locations (including latitude and longitude, dates, etc.). These are stored in the following file:

  • \Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\Graph\user_id\Me\00000000.ttl

Again, this type of information is useful for showing what a user did or didn’t know about a location. This data is synched from the user’s Microsoft account: in the above example, the entry was never searched for in Cortana on the Windows 10 desktop; it came from a search I conducted on my Windows phone, which just goes to show how integrated all of the Microsoft components really are.

Notification Center (sic)

One of the other new features of Windows 10 is the Notification Center. This area of the OS provides real-time notifications of events as they are received: emails, tweets, calendar reminders, etc. These are known as “Toast Notifications” (because they “pop up” like a piece of bread in a toaster). Notifications received by a user are stored in the following database file:

  • \Users\user_name\AppData\Local\Microsoft\Windows\Notifications\appdb.dat

Individual Toast Notifications are stored in embedded XML within this database file (see below).

The format of the appdb.dat database is currently unknown and undocumented; more testing/research is required. The file signature of the database is hex 44 4E 50 57 03 00 00 00 3C 3F 7D AC E2 C8 D0 01 (first 16 bytes; see below).

The Notification Center stores its registry values in the following path:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications

This registry path holds one of the more useful artefacts in Windows 10. How do you know when a notification has been seen by a user? Although Toast Notifications are displayed on the screen as they arrive, a user can also open the Notification Center from the Task Bar. When a user clicks on the Notification Center icon the Center is displayed; this is really important in forensics for unequivocally explaining a user’s behaviour (this button is highlighted orange in the below image).

The last time the Notification Center is displayed is stored in the following Registry key:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\TimestampWhenSeen


In the above example the value is 36 BD 52 D4 E6 C8 D0 01.

This is a FILETIME value (adjusted for the local timezone) that can be decoded as depicted below.
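As an added example (my own code, not from the original post), this decodes the raw REG_BINARY bytes of TimestampWhenSeen as a little-endian FILETIME, starting from the hex string exactly as a registry viewer shows it; the function names are mine.

```python
from datetime import datetime, timedelta

EPOCH_1601 = datetime(1601, 1, 1)

def parse_hex_dump(text):
    """Turn 'XX XX XX ...' as copied from a registry viewer into raw bytes."""
    return bytes.fromhex(text.replace(" ", ""))

def filetime_to_datetime(raw):
    """FILETIME: 8-byte little-endian count of 100 ns intervals since 1601-01-01.
    Returns a naive datetime; the post notes the stored value is already adjusted
    to the machine's local time zone, so no UTC conversion is applied here."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes, got %d" % len(raw))
    ticks = int.from_bytes(raw, "little", signed=False)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

# The TimestampWhenSeen value quoted in the post.
SEEN_HEX = "36 BD 52 D4 E6 C8 D0 01"

if __name__ == "__main__":
    print(filetime_to_datetime(parse_hex_dump(SEEN_HEX)))
```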

These are just some of the many Windows 10 artefacts that can assist an investigation.


RESOURCES:

  1. esedbtools - https://github.com/libyal/libesed…
  2. DCode - http://www.digital-detective.net/digital-forensic-software/free-tools/

Any questions, get in touch.

Don’t forget to connect on LinkedIn & Twitter.