project recall

Project Recall: Windows 8 and 10 Forensics – Spring 2015

The Project Recall series will revisit successful and productive projects in the LCDI’s past.

Windows 8 and 10

The mission of this project is to discover differences in the artifact locations of Windows 8 and Windows 10. It will also be within the scope of this project to find and discover new artifacts that are linked to new features added to Windows 10.

Background:

At the time of writing, no prior research had been done on Windows 10 forensics. This, in addition to the lack of tools capable of performing acquisitions on Windows 10 devices, makes this project important.

Although no resources for Windows 10 exist currently, there are many resources that detail Windows 8.1 artifacts, which will be used for a comparison. Kyle Tellers, an LCDI employee, has also written a report on Windows 8.1 forensics, which will be used as a reference in this report.

Purpose and Scope:

The results of this research will be useful for forensics investigators encountering Windows 10 computers. These computers are expected to enter the consumer market in either the Summer or Fall of 2015.

Artifacts to be compared to Windows 8 in this stage of analysis are the following:

  • Event Logs
  • Internet Explorer
  • USB Activity
  • LNK Files
  • Recycle Bin
  • Thumbnails
  • OneDrive
  • Prefetch Files

New potential artifacts in Windows 10 are the following:

1)  Notification Center

2)  New Start Menu

3)  Frequent Folders

4)  Cortana

5)  Synced Wi-fi Hotspots

6)  Windows 10 Applications (Mail, photos, Facebook, etc.)

7)  OneDrive data

Research Questions:

1)  What artifact locations have changed in Windows 10?

2)  What new features in Windows 10 could lead to more useful forensic artifacts?

3)  Where can these new artifacts be found and how can they help a forensic investigation?

4)  What artifacts can be found that are synced with other devices (OneDrive data)?

5)  What artifacts can be found from common Windows 10 applications?

Read about the methodology, analysis, and results in the full project report found here: Windows 10 Forensics