Windows 10 Forensics Update


Intro

In the few weeks since our last blog post, we have added a new team member to assist with our research and analysis. We also recreated the data generated last semester to see if there were any changes in the software between the technical preview and the official release.  Once finished, we created an image of the drive which will allow the team to examine the files in a forensically sound environment.  A comparison report will be coming out in the coming weeks.


Analysis

After reviewing the report created last semester and conducting further research into the new features released with the official operating system, we began regenerating the old data for comparison. We want the data we provide in the report at the end of the semester to be as accurate as possible, which means verifying the locations of the old data in the new OS. After recreating last semester's data, we imaged the Surface 3 using the forensic imaging tool FTK Imager. FTK Imager captures a drive's data so that it can be examined in a forensic analysis tool such as FTK (Forensic Toolkit) or EnCase. We found that the easiest way to image the Surface 3 without removing the screen was to create a live image. A live image captures the data on the drive while the machine is turned on, which differs from the standard method of removing the drive from the machine and imaging it through a write blocker. With careful handling, the image was created and its hash values were verified.
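The hash verification step above, as an added example that is not the LCDI team's code: it re-hashes a raw image in fixed-size chunks and compares the result with the MD5/SHA1 values recorded at acquisition time. The summary-file layout (`MD5 checksum:` / `SHA1 checksum:` lines) and the tiny stand-in image are constructed assumptions for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-gigabyte images

# Constructed acquisition summary (layout assumed, not a real FTK Imager log).
# The checksums are those of the bytes b"abc", our stand-in for an image.
SAMPLE_SUMMARY = """\
Created By FTK Imager (constructed sample)

[Computed Hashes]
 MD5 checksum:    900150983cd24fb0d6963f7d28e17f72
 SHA1 checksum:   a9993e364706816aba3e25717850c26c9cd0d89d
"""


def hash_image(path):
    """Compute MD5 and SHA1 over the image in a single streaming pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def parse_recorded_hashes(summary_text):
    """Extract the recorded MD5/SHA1 values from an acquisition summary."""
    patterns = {"md5": r"MD5 checksum:\s*([0-9a-fA-F]{32})",
                "sha1": r"SHA1 checksum:\s*([0-9a-fA-F]{40})"}
    found = {}
    for algo, pattern in patterns.items():
        match = re.search(pattern, summary_text)
        if match:
            found[algo] = match.group(1).lower()
    return found


def verify_image(path, summary_text):
    """Return (all_match, {algo: (recorded, computed, match)})."""
    recorded = parse_recorded_hashes(summary_text)
    if not recorded:
        raise ValueError("no recorded hashes found in summary")
    computed = hash_image(path)
    details = {a: (recorded[a], computed[a], recorded[a] == computed[a])
               for a in recorded}
    return all(ok for _, _, ok in details.values()), details


def make_sample_image(data):
    """Write constructed bytes to a temp file standing in for a raw image."""
    fd, name = tempfile.mkstemp(suffix=".001")
    Path(name).write_bytes(data)
    return Path(name)


if __name__ == "__main__":
    ok, details = verify_image(make_sample_image(b"abc"), SAMPLE_SUMMARY)
    print("verified" if ok else "MISMATCH", details)
```

A single flipped byte in the image fails both comparisons, which is the property that makes the recorded hashes useful as evidence that the image has not changed since acquisition.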

Conclusion

We will be diving more in depth into the new features offered in Windows 10 such as Cortana and Edge in the next few weeks.  Please check back to see our progress as we are eager to inform you of our findings. If you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or via email at lcdi@champlain.edu.
