Windows 10 Forensics – Project Introduction

Windows 10

Introduction

By Alex Parsons

In September of 2014, Microsoft announced the next version of Windows, Windows 10.  Unlike Windows 8, Windows 10 looks like it may be a popular release.  It will be returning many aspects of Windows 7 to the desktop and it will also be released to consumers, free.  There are dozens of new features being added including new browsers, new methods of searching, and a notification center. Many of these features will be tied to useful artifacts for forensics investigators, and this project’s goal is to find them.  Windows 10 has the ambitious goal of running across several form factors, and this project will provide forensic research that is applicable across all of them.Windows 10family

Research Questions:

  • What artifact locations have changed in Windows 10?
  • What new features in Windows 10 could lead to more useful forensic artifacts?
  • Where can these new artifacts be found and how can they help a forensic investigation?
  • What artifacts can be found that are synced with other devices? (OneDrive data, Phones)
  • What artifacts can be found from common Windows 10 applications? (Office, Facebook)

How will we do this?

The team will generate data on a Windows 8.1 & Windows 10 VM, as well as an HP Stream 7 tablet running Windows 8.1, and Windows 10. Separate data will also be generated on a Lumia 635 Windows phone running Windows Phone 8.1 and Windows 10.

 

Artifacts to be compared to Windows 8 in this stage of the analysis are the following:

  • Internet History
  • Event Logs
  • Prefetch Files
  • Jump Lists
  • USB Drive Activity
  • Recycle Bin
  • File History

 

New potential artifacts in Windows 10 are the following:

  • Notification Center
  • New Start Menu
  • Frequent Folders
  • Cortana
  • Synced Wi-fi Hotspots
  • Windows 10 Applications (Office, photos, Facebook, etc.)
  • OneDrive data
  • Spartan Browser

Our Goal

Our goal is to analyze artifacts in Windows 10 and compare artifact locations between Windows 8.1 and Windows 10. After the comparison is finished, specific attention will be taken to OneDrive data, Windows Phone data, and the newer Office applications on Windows 10. The hope is that by researching Windows 10, we can provide useful artifact locations for forensic investigators handling Windows 10 devices.

 

 

More Research Projects
CyberRange Team: Creating The Perfect Sandbox Environment
The Internet of Things Team: An Inside Look
CyberTech: Creating a Safer Internet Through Education