Windows RT Evidentiary Artefacts 1.0
OS Evidentiary Artefacts
Brent Muir – 2013 http://au.linkedin.com/in/brentmuir
Version 1.0
Contents:
▪ File Systems / Partitions
▪ Registry Hives
▪ Email (Mail application)
▪ Internet Explorer
▪ Unified Communication
▪ 3rd Party Applications
▪ Picture Password
Supported File Systems: NTFS, Fat32, ExFat
Default Partition structure:
“Windows” – core OS (NTFS)
“Recovery” (NTFS)
“Reserved”
“System” – UEFI (Fat32)
“Recovery Image” (NTFS)
Registry hives are a standard format and can be examined with numerous tools
(e.g. RegistryBrowser, Registry Viewer, etc.)
Location of important registry hives:
▪ \Users\user_name\NTUSER.DAT
▪ \Windows\System32\config\DEFAULT
▪ \Windows\System32\config\SAM
▪ \Windows\System32\config\SECURITY
▪ \Windows\System32\config\SOFTWARE
▪ \Windows\System32\config\SYSTEM
Emails & contacts are stored in .EML format
Can be analysed by a number of tools
Stored in the following directory:
\Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps...\LocalState\
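Because the Mail application keeps messages as plain .EML files, a small script can walk the LocalState directory and produce a triage listing without any third-party tool. The following is an added example, not part of the original slides: the directory layout it builds beneath LocalState and the sample message are constructed so that it runs offline, and the real tree under the package directory may be laid out differently.

```python
"""Added example (not from the original slides): walk the Mail application's
LocalState directory and turn each .EML file into a flat triage record.
The layout below LocalState and the sample message are constructed here
so the script runs offline; the real tree may differ."""
import email
from email import policy
from pathlib import Path
import tempfile

# Constructed sample message standing in for one of the Mail app's .EML files.
SAMPLE_EML = (
    b"From: Alice <alice@example.com>\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: Meeting notes\r\n"
    b"Date: Tue, 05 Mar 2013 09:15:00 +1000\r\n"
    b"Message-ID: <constructed-1@example.com>\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Body text.\r\n"
)


def parse_eml(path):
    """Return the headers usually triaged first, the bare sender address and attachment names."""
    with open(path, "rb") as fh:
        msg = email.message_from_binary_file(fh, policy=policy.default)

    def hdr(name):
        value = msg.get(name)          # None when the header is absent
        return None if value is None else str(value)

    sender = msg["From"]
    return {
        "file": Path(path).name,
        "from": hdr("From"),
        # policy.default parses From into Address objects; addr_spec drops the display name
        "from_addr": sender.addresses[0].addr_spec if sender and sender.addresses else None,
        "to": hdr("To"),
        "subject": hdr("Subject"),
        "date": hdr("Date"),
        "message_id": hdr("Message-ID"),
        "attachments": [part.get_filename() for part in msg.iter_attachments()],
    }


def walk_localstate(localstate):
    """Recursively collect every .eml (any letter case) below the LocalState directory."""
    records = []
    for p in sorted(Path(localstate).rglob("*")):
        if p.is_file() and p.suffix.lower() == ".eml":
            records.append(parse_eml(p))
    return records


def demo():
    """Build a throw-away LocalState tree containing the sample message and parse it."""
    with tempfile.TemporaryDirectory() as tmp:
        localstate = Path(tmp) / "LocalState"
        mailbox = localstate / "constructed_subdir"   # placeholder, not the real sub-path
        mailbox.mkdir(parents=True)
        (mailbox / "1.eml").write_bytes(SAMPLE_EML)
        return walk_localstate(localstate)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Point `walk_localstate` at the mounted image's LocalState directory to list every message; the sender's bare address is extracted separately because display names in the From header are attacker-controlled and should not be trusted for attribution.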
No longer stored in Index.dat files
IE history records stored in the following file:
\Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
▪ This is actually an .edb file
▪ Can be interpreted by EseDbViewer or ESEDatabaseView
Unified Communication (UC) is a built-in Microsoft application that brings together all of the following social media platforms (by default):
▪ Facebook
▪ Flickr
▪ Google
▪ LinkedIn
▪ MySpace
▪ Sina Weibo
▪ Twitter
▪ Outlook
▪ Messenger
▪ Hotmail
▪ Skype
▪ Yahoo!
▪ QQ
▪ AOL
▪ Yahoo! JAPAN
▪ Orange
UC settings are stored in the following DB:
\Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps…\LocalState\livecomm.edb
Locally cached entries (e.g. Email or Twitter messages) are stored in this directory:
\Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps…\LocalState\Indexed\LiveComm\
3rd party applications are stored in the following directory:
\Program Files\WindowsApps\
Settings and configuration DBs are located in the following directories:
\Users\user_name\AppData\Local\Packages\package_name\LocalState\
Two DB formats:
▪ SQLite DBs
▪ Jet DBs (.edb)
Registry key of installed applications:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\
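The IE slide makes the point that WebCacheV01.dat is an ESE (.edb) database despite its extension, and the slide above notes that application LocalState directories mix SQLite and Jet (.edb) files. Identifying the two formats by header rather than by file name avoids missing either. The script below is an added example, not part of the original slides: the files it surveys are constructed, and it only classifies the files; reading the contents of an ESE file still needs a tool such as EseDbViewer or ESEDatabaseView.

```python
"""Added example (not from the original slides): classify the two database
formats named on the slides, SQLite and Jet/ESE (.edb), by file header
instead of by extension, so an ESE file such as WebCacheV01.dat is not
missed because it ends in .dat.  The files surveyed here are constructed."""
from pathlib import Path
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 database
ESE_SIGNATURE = 0x89ABCDEF              # ESE header: 4-byte checksum, then this 32-bit LE signature


def identify(path):
    """Return 'sqlite', 'ese' or 'unknown' for the file at path, reading only its first 16 bytes."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    if len(head) >= 8 and struct.unpack_from("<I", head, 4)[0] == ESE_SIGNATURE:
        return "ese"
    return "unknown"


def survey(root):
    """Map every file below root (e.g. a mounted image's Packages tree) to its detected format."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): identify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def demo():
    """Constructed tree: an ESE file with a .dat name, a real SQLite DB, and a plain file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WebCache").mkdir()
        # Constructed ESE header: arbitrary checksum followed by the little-endian signature.
        (root / "WebCache" / "WebCacheV01.dat").write_bytes(
            struct.pack("<II", 0x12345678, ESE_SIGNATURE) + b"\x00" * 8)
        con = sqlite3.connect(root / "settings.db")   # genuine SQLite header via the stdlib module
        con.execute("CREATE TABLE settings (name TEXT, value TEXT)")
        con.commit()
        con.close()
        (root / "notes.txt").write_bytes(b"plain text")
        return survey(root)


if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{kind:8} {name}")
```

Run `survey` against the Packages directory of a mounted image to get an inventory of which LocalState databases need a SQLite viewer and which need an ESE viewer; the check reads only the first 16 bytes of each file, so it is cheap to run over a whole user profile.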
“Picture Password” is an alternate login method where gestures on top of a picture are used as a password
This registry key details the path to the location of the “Picture Password” file:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\PicturePassword\user_GUID
Path of locally stored Picture Password file:
C:\ProgramData\Microsoft\Windows\SystemData\user_GUID\ReadOnly\PicturePassword\background.png