Windows 10 Forensics: Conclusion

windows10final

Windows 10 Forensics: Conclusion

by Alex Parsons

Results

As the current semester comes to an end, so must the Windows 10 project. In the past five months we’ve made significant progress in analyzing core Windows 10 artifacts which will be documented in detail in incoming Windows LCDI 10 report. Before we release the report, we will announce the preliminary results from the project.

The results of the project show that over half of the core artifacts that have changed from Windows 8.1 to Windows 10. The team also discovered artifacts that have never been analyzed before, and it is hoped that this will prompt community to write, and rewrite tools to analyze these artifacts. Unfortunately there are still some remaining artifacts to be analyzed, and we recommend that research on Windows 10 should definitely be continued.

The preliminary results are the following:

The following artifacts have changed since Windows 8.1

  • The Recycle bin
  • Thumbnails,
  • OneDrive
  • Prefetch files

The following artifacts are new artifacts that are features added in Windows 10 or have never been analyzed before:

  • Spartan Browser
  • Facebook App

The following artifacts have remained unchanged

  • Event logs
  • Internet Explorer
  • USB Activity
  • LNK Files

The following data is also detailed in the table below:

1

 

Further Work

Further work needs to be done on the following artifacts:

  • Notification center
  • Modern Office
  • Synced Data
  • Cortana Search history
  • Modern Mail App

Conclusion

In Conclusion, core artifacts in Windows have been effectively analyzed but the project should be re-visited when Microsoft releases Windows 10 this summer. We encourage toolmakers to take note of these changes in artifacts, and hope that this research will assist investigators find artifacts in Windows 10.

Acknowledgements:

Yogesh Khatri has been a huge help to this project, as well as Kyle Tellers’ Windows 8.1 forensic analysis. The LCDI has created an excellent work environment for such a project, and the team would like to thank everyone on the team who was involved.