Windows RT Evidentiary Artefacts 1.0

OS Evidentiary Artefacts
Brent Muir – 2013 http://au.linkedin.com/in/brentmuir
Version 1.0

Description: Artefacts from Microsoft Windows RT (ARM) OS

Page 1: Windows RT Evidentiary Artefacts 1.0 (title slide)

Page 2: Windows RT Evidentiary Artefacts 1.0 (Agenda)

▪ File Systems / Partitions
▪ Registry Hives
▪ Email (Mail application)
▪ Internet Explorer
▪ Unified Communication
▪ 3rd Party Applications
▪ Picture Password

Page 3: File Systems / Partitions

Supported file systems: NTFS, FAT32, exFAT

Default partition structure:

▪ “Windows” – core OS (NTFS)
▪ “Recovery” (NTFS)
▪ “Reserved”
▪ “System” – UEFI (FAT32)
▪ “Recovery Image” (NTFS)

Page 4: Registry Hives

Registry hives use the standard Windows hive format and can be examined with the usual registry tools (e.g. RegistryBrowser, Registry Viewer).

Location of important registry hives:

▪ \Users\user_name\NTUSER.DAT

▪ \Windows\System32\config\DEFAULT

▪ \Windows\System32\config\SAM

▪ \Windows\System32\config\SECURITY

▪ \Windows\System32\config\SOFTWARE

▪ \Windows\System32\config\SYSTEM
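Before loading any of these hives into a viewer it is worth checking the 512-byte base block: a hive whose primary and secondary sequence numbers differ was not cleanly written (the .LOG1/.LOG2 transaction logs should be replayed before its contents are trusted), and a header whose checksum fails has been damaged. The parser below is an added example and is not code from the deck; the field offsets are those of the documented REGF base block, while the sample hive name, timestamp and version numbers are constructed for the demonstration.

```python
"""Sanity-check a registry hive (REGF) base block before loading it into a tool.

Added example, not part of the original deck. Parses the 512-byte base block
of NTUSER.DAT / SAM / SECURITY / SOFTWARE / SYSTEM and reports whether the hive
was cleanly written (sequence numbers match) and whether the header checksum
verifies. The sample header at the bottom is constructed for the demonstration.
"""
import struct
from datetime import datetime, timedelta, timezone

REGF_MAGIC = b"regf"
BASE_BLOCK_SIZE = 512
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME is the number of 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 DWORDs preceding the checksum field (bytes 0..507).

    The format reserves two values: a result of 0 is stored as 1 and
    0xFFFFFFFF is stored as 0xFFFFFFFE.
    """
    acc = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        acc ^= dword
    if acc == 0:
        return 1
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return acc


def parse_regf_header(data: bytes) -> dict:
    """Return the base-block fields an examiner wants before parsing cells."""
    if len(data) < BASE_BLOCK_SIZE or data[:4] != REGF_MAGIC:
        raise ValueError("not a REGF hive (missing 'regf' signature)")
    (primary_seq, secondary_seq, last_written, major, minor, file_type,
     _file_format, root_cell, hbins_size, _cluster) = struct.unpack_from(
        "<IIQIIIIIII", data, 4)
    # Hive name: up to 64 bytes of UTF-16LE at offset 48, NUL padded.
    name = data[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", data, 508)[0]
    return {
        "hive_name": name,
        "version": f"{major}.{minor}",
        "file_type": "primary" if file_type == 0 else f"other({file_type})",
        "last_written": filetime_to_datetime(last_written).isoformat(),
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        # Mismatched sequence numbers mean the last write was not completed:
        # the hive is "dirty" and the transaction logs (.LOG1/.LOG2) should be
        # replayed before trusting its contents.
        "dirty": primary_seq != secondary_seq,
        "checksum_ok": stored_checksum == regf_checksum(data),
        "root_cell_offset": root_cell,
        "hbins_size": hbins_size,
    }


# --- constructed sample data (not taken from a real system) ---------------
SAMPLE_FILETIME = 130014720000000000  # 2013-01-01T00:00:00Z


def make_sample_hive_header(primary_seq: int = 1, secondary_seq: int = 1) -> bytes:
    """Build a minimal, checksum-correct base block for the demonstration."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = REGF_MAGIC
    # version 1.3, primary file, direct-memory-load format, root cell at 0x20,
    # 0x1000 bytes of hive bins, clustering factor 1 (all constructed values)
    struct.pack_into("<IIQIIIIIII", block, 4, primary_seq, secondary_seq,
                     SAMPLE_FILETIME, 1, 3, 0, 1, 0x20, 0x1000, 1)
    name = "\\??\\C:\\Users\\jdoe\\ntuser.dat".encode("utf-16-le")
    block[48:48 + len(name)] = name
    struct.pack_into("<I", block, 508, regf_checksum(bytes(block)))
    return bytes(block)


def flip_byte(data: bytes, offset: int) -> bytes:
    """Corrupt one byte, to show the checksum catching a damaged header."""
    out = bytearray(data)
    out[offset] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    for label, block in (("clean", make_sample_hive_header()),
                         ("dirty", make_sample_hive_header(7, 6)),
                         ("damaged", flip_byte(make_sample_hive_header(), 40))):
        print(label, parse_regf_header(block))
```

Run against a real hive with `parse_regf_header(open(path, "rb").read(512))`; a `dirty` result or a failed checksum is the cue to collect the hive's .LOG1/.LOG2 files alongside it rather than relying on the primary file alone.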

Page 5: Email (Mail application)

Emails and contacts are stored as individual .EML files, which can be analysed by a number of tools.

Stored under the following directory:

\Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps...\LocalState\
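Because the messages are plain RFC 822 files, the standard library is enough to triage them. The script below is an added example, not code from the deck: it walks a LocalState directory for .eml files and pulls out the envelope addresses, Message-ID, the Received chain (most recent hop first) and attachment names and hashes. The message it parses is constructed for the demonstration; the hostnames and addresses in it are documentation ranges, not real infrastructure.

```python
"""Triage the Mail app's .EML files with the standard library only.

Added example, not part of the original deck. The sample message below is
constructed for the demonstration.
"""
import email
import hashlib
from email import policy
from email.utils import parsedate_to_datetime
from pathlib import Path


def summarise_eml(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)

    def addresses(header_name):
        header = msg.get(header_name)
        return [a.addr_spec for a in getattr(header, "addresses", ())]

    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
    body = msg.get_body(preferencelist=("plain",))
    date = msg.get("Date")
    return {
        "from": addresses("From"),
        "to": addresses("To"),
        "subject": str(msg.get("Subject", "")),
        "date": parsedate_to_datetime(str(date)).isoformat() if date else None,
        "message_id": str(msg.get("Message-ID", "")),
        # Each relay prepends its own Received header, so index 0 is the last
        # hop and the final entry is the first server that accepted the message.
        "received_hops": [str(h) for h in msg.get_all("Received", [])],
        "body_text": body.get_content().strip() if body else "",
        "attachments": attachments,
    }


def scan_mail_store(local_state: Path):
    """Yield (path, summary) for every .eml below the Mail app's LocalState."""
    for path in sorted(local_state.rglob("*.eml")):
        yield path, summarise_eml(path.read_bytes())


# --- constructed sample message (not from a real mailbox) ------------------
SAMPLE_EML = (
    b"Received: from inbound.example.org (inbound.example.org [198.51.100.7])\n"
    b"\tby mx.example.org with ESMTP id 9f8e7d; Tue, 05 Mar 2013 09:15:05 +0000\n"
    b"Received: from [192.0.2.44] (unknown [192.0.2.44])\n"
    b"\tby inbound.example.org with ESMTPA id abc123\n"
    b"\tfor <jdoe@example.org>; Tue, 05 Mar 2013 09:15:02 +0000\n"
    b"From: Alice <alice@example.net>\n"
    b"To: jdoe@example.org\n"
    b"Subject: Q1 report\n"
    b"Date: Tue, 05 Mar 2013 09:14:30 +0000\n"
    b"Message-ID: <20130305091430.1234@mail.example.net>\n"
    b"MIME-Version: 1.0\n"
    b"Content-Type: multipart/mixed; boundary=\"b1\"\n"
    b"\n"
    b"--b1\n"
    b"Content-Type: text/plain; charset=\"utf-8\"\n"
    b"\n"
    b"Please find the report attached.\n"
    b"--b1\n"
    b"Content-Type: application/pdf; name=\"report.pdf\"\n"
    b"Content-Disposition: attachment; filename=\"report.pdf\"\n"
    b"\n"
    b"%PDF-1.4 constructed sample\n"
    b"--b1--\n"
)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "LocalState"
        store.mkdir()
        (store / "sample.eml").write_bytes(SAMPLE_EML)
        for path, summary in scan_mail_store(store):
            print(path.name, summary)
```

Point `scan_mail_store` at the LocalState directory quoted above (copied out of the image, not the live volume). The Received chain is read bottom-up when reconstructing the message's route, and the attachment hashes can be checked against known-bad lists without extracting the files.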

Page 6: Internet Explorer

IE history is no longer stored in index.dat files.

IE history records are stored in the following file:

\Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

▪ This is actually an ESE database (.edb) file
▪ Can be interpreted by EseDbViewer or ESEDatabaseView

Page 7: Unified Communication

Unified Communication (UC) is a built-in Microsoft application that brings together all of the following accounts and services (by default):

▪ Facebook
▪ Flickr
▪ Google
▪ LinkedIn
▪ MySpace
▪ Sina Weibo
▪ Twitter
▪ Outlook
▪ Messenger
▪ Hotmail
▪ Skype
▪ Yahoo!
▪ QQ
▪ AOL
▪ Yahoo! JAPAN
▪ Orange

UC settings are stored in the following DB:
\Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps…\LocalState\livecomm.edb

Locally cached entries (e.g. Email or Twitter messages) are stored in this directory:
\Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps…\LocalState\Indexed\LiveComm\

Page 8: 3rd Party Applications

3rd party applications are installed under the following directory:
\Program Files\WindowsApps\

Settings and configuration DBs are located under the following directory:
\Users\user_name\AppData\Local\Packages\package_name\LocalState\

Two DB formats:

▪ SQLite DBs
▪ Jet DBs (.edb)

Registry key listing installed applications:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\
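The .edb files on pages 6 and 7 (WebCacheV01.dat, livecomm.edb) and the per-app databases on this page share one practical snag: both formats can be told apart from their file header, but an ESE database that was not shut down cleanly will be refused by most viewers until its transaction logs are replayed, and a SQLite file in WAL mode is incomplete without its sidecar -wal file. The script below is an added example, not code from the deck; it recognises both formats from their documented header fields and reports the ESE shutdown state. The sample headers are constructed for the demonstration, and the ESE header checksum is deliberately not verified.

```python
"""Identify the per-app databases under LocalState and report ESE shutdown state.

Added example, not part of the original deck. Sample headers at the bottom are
constructed; the offsets used are the documented header layouts of each format.
"""
import struct
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"
ESE_SIGNATURE = 0x89ABCDEF           # little-endian DWORD at offset 4
ESE_STATES = {1: "JustCreated", 2: "DirtyShutdown", 3: "CleanShutdown",
              4: "BeingConverted", 5: "ForceDetach"}


def identify_database(data: bytes) -> dict:
    """Classify a file by its header; pass at least the first 4 KiB."""
    if data[:16] == SQLITE_MAGIC:
        # SQLite: page size is big-endian at offset 16 (the value 1 encodes
        # 65536); write/read format versions at 18/19 are 2 when the file uses
        # WAL journalling, so the -wal sidecar must be collected with it.
        page_size = struct.unpack_from(">H", data, 16)[0]
        return {
            "format": "sqlite3",
            "page_size": 65536 if page_size == 1 else page_size,
            "wal": data[18] == 2,
        }
    if len(data) >= 240 and struct.unpack_from("<I", data, 4)[0] == ESE_SIGNATURE:
        # ESE database header: format version at 8, file type at 12,
        # database state at 52, page size at 236. The header checksum at
        # offset 0 is not verified here.
        fmt_version = struct.unpack_from("<I", data, 8)[0]
        file_type = struct.unpack_from("<I", data, 12)[0]
        state = struct.unpack_from("<I", data, 52)[0]
        page_size = struct.unpack_from("<I", data, 236)[0]
        return {
            "format": "ese",
            "file_type": "database" if file_type == 0 else f"other({file_type})",
            "format_version": hex(fmt_version),
            "state": ESE_STATES.get(state, f"unknown({state})"),
            # Only a clean shutdown can be opened as-is; anything else needs
            # the .log files replayed (or a repair) before a viewer will read it.
            "clean": state == 3,
            "page_size": page_size,
        }
    return {"format": "unknown"}


def scan_local_state(local_state: Path):
    """Yield (path, classification) for every file below a package's LocalState."""
    for path in sorted(p for p in local_state.rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            yield path, identify_database(fh.read(4096))


# --- constructed sample headers (not taken from a real device) ------------
def make_sample_ese_header(state: int = 2, page_size: int = 32768) -> bytes:
    hdr = bytearray(4096)
    struct.pack_into("<I", hdr, 4, ESE_SIGNATURE)
    struct.pack_into("<I", hdr, 8, 0x620)        # constructed format version
    struct.pack_into("<I", hdr, 12, 0)           # file type: database
    struct.pack_into("<I", hdr, 52, state)
    struct.pack_into("<I", hdr, 236, page_size)
    return bytes(hdr)


def make_sample_sqlite_header(page_size: int = 4096, wal: bool = False) -> bytes:
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18] = hdr[19] = 2 if wal else 1
    return bytes(hdr)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "LocalState"
        root.mkdir()
        (root / "livecomm.edb").write_bytes(make_sample_ese_header(state=2))
        (root / "settings.db").write_bytes(make_sample_sqlite_header(wal=True))
        (root / "notes.txt").write_bytes(b"not a database")
        for path, info in scan_local_state(root):
            print(path.name, info)
```

A `DirtyShutdown` result on WebCacheV01.dat or livecomm.edb explains the common case where EseDbViewer or ESEDatabaseView opens the file but shows incomplete tables; collect the accompanying log files from the same directory before repairing a working copy.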

Page 9: Picture Password

“Picture Password” is an alternate login method where gestures drawn on top of a picture are used as the password.

This registry key holds the path to the “Picture Password” image file:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\PicturePassword\user_GUID

Path of the locally stored Picture Password file:
C:\ProgramData\Microsoft\Windows\SystemData\user_GUID\ReadOnly\PicturePassword\background.png