With the semester coming to a close, the Windows 10 team has been hard at work finalizing our research so that we can begin our report. In the past two weeks we have been progressing with our research on Surface forensics by capturing a live image of the device using FTK Imager. We then took the image of the tablet and imported it into FTK for artifact location and analysis.
Once we imported the image into FTK, we began by generating index searches for the artifacts we created during data generation (datagen) in order to locate the best places to search for information. One artifact that stood out was the Mail application: the app stores its data in an ESE database that contains contacts and calendar data as well as mail. We believe this is because the data of the three applications is interconnected, meaning that you can access the calendar or view contacts directly through Mail. We have also decided to focus on Cortana and Microsoft Edge, as they are two of the newest features that Windows 10 offers. After analyzing Cortana, we were able to find archived voice commands from the user, along with GPS coordinates of where the user was when issuing those commands.
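One check worth doing before handing an ESE database like the Mail store to a parser is to read its file header: the signature confirms the file really is ESE, and the database state field tells you whether it was cleanly shut down. A database copied out of a live image is usually flagged dirty and needs log replay or repair (esentutl /r or /p) before most tools will open it. The Python below is an added example for this post, not code from the LCDI project; the field offsets follow the publicly documented ESE header layout (libesedb), and the sample header it parses is constructed inline rather than taken from a real Mail store.

```python
import struct

# ESE (Extensible Storage Engine) file header layout, per the libesedb
# documentation: little-endian 32-bit fields at fixed offsets.
ESE_SIGNATURE = 0x89ABCDEF
OFF_SIGNATURE = 4
OFF_FORMAT_VERSION = 8
OFF_FILE_TYPE = 12
OFF_DB_STATE = 52
OFF_PAGE_SIZE = 236
HEADER_MIN_LEN = OFF_PAGE_SIZE + 4

DB_STATES = {
    1: "just created",
    2: "dirty shutdown",
    3: "clean shutdown",
    4: "being converted",
    5: "force detach",
}
FILE_TYPES = {0: "database", 1: "streaming file"}


def is_ese_database(data: bytes) -> bool:
    """True if the buffer starts with an ESE file header (signature check only)."""
    if len(data) < OFF_SIGNATURE + 4:
        return False
    return struct.unpack_from("<I", data, OFF_SIGNATURE)[0] == ESE_SIGNATURE


def parse_ese_header(data: bytes) -> dict:
    """Decode the header fields an examiner wants before opening the database."""
    if len(data) < HEADER_MIN_LEN:
        raise ValueError("buffer shorter than an ESE header")
    if not is_ese_database(data):
        raise ValueError("ESE signature 0x89ABCDEF not found at offset 4")
    version, file_type = struct.unpack_from("<II", data, OFF_FORMAT_VERSION)
    state = struct.unpack_from("<I", data, OFF_DB_STATE)[0]
    page_size = struct.unpack_from("<I", data, OFF_PAGE_SIZE)[0]
    return {
        "format_version": version,
        "file_type": FILE_TYPES.get(file_type, f"unknown ({file_type})"),
        "state": DB_STATES.get(state, f"unknown ({state})"),
        "page_size": page_size,
        # Anything other than a clean shutdown means the database was copied
        # mid-use (typical for a live image); run esentutl /r (log replay) or
        # esentutl /p (repair) on a working copy before parsing it.
        "needs_recovery": state != 3,
    }


def build_sample_header(state: int, page_size: int = 4096) -> bytes:
    """Constructed sample header for offline testing; not a real Mail store."""
    buf = bytearray(HEADER_MIN_LEN)
    struct.pack_into("<I", buf, OFF_SIGNATURE, ESE_SIGNATURE)
    struct.pack_into("<II", buf, OFF_FORMAT_VERSION, 0x620, 0)  # version, type=database
    struct.pack_into("<I", buf, OFF_DB_STATE, state)
    struct.pack_into("<I", buf, OFF_PAGE_SIZE, page_size)
    return bytes(buf)


def check_file(path: str) -> dict:
    """Read only the header of an on-disk file, e.g. a Mail store exported from FTK."""
    with open(path, "rb") as f:
        return parse_ese_header(f.read(HEADER_MIN_LEN))


if __name__ == "__main__":
    # A live-imaged database: expect the dirty-shutdown flag to be set.
    print(parse_ese_header(build_sample_header(state=2)))
```

In practice you would call check_file on the database exported from the image (the path is whatever FTK exported it to; no specific file name is assumed here) and only proceed to a full ESE parser once the state reads "clean shutdown", either natively or after recovery on a working copy.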
We will be sharing our progress and findings in future blog posts throughout the coming months. If you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or via email at email@example.com.