Intro

In the weeks following our last blog post on Windows 10 forensics, we have verified that the findings from the previous semester’s project are indeed in the same locations in the Official Windows 10 release. We have since generated a variety of data focusing on the Cortana, Edge, maps, mail, and phone companion applications. We have also generated data on a Fitbit and utilized a Windows Nokia phone to see how the data is stored on these devices.   We are now entering the imaging phase of our project.

Analysis of windows 10 forensics

To accompany our generated data, we have maintained a well written report of everything that has been done so far in order to verify our findings in FTK. This will also allow someone not on the project to replicate our process if further work is needed.

We have been fortunate enough to encounter very few problems so far. When loading the regenerated data from last semester into FTK, the Surface 3 encrypts its data by default, meaning that a passphrase located on the machine is used to transfer data to another machine, and we were having some difficulties working around this. We decided to go to the bit locker settings in the control panel and retrieve the passphrase in order to load the data.

By bringing the Fitbit and Windows phone into the project, we hope to not only increase our generated data, but to utilize features that Windows 10 offers that require additional devices. The Windows phone was used to transfer files between devices using OneDrive, and with the Fitbit growing in popularity and receiving an application, we felt it would be worth our time to examine it forensically.

Conclusion

We will be sharing our progress and findings on Windows 10 forensics in future blog posts throughout the coming months. If you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or via email at lcdi@champlain.edu.