Valuable Windows 10 Artifacts and Evolving Digital Forensic Techniques

Every version of Microsoft Windows brings along improvements in speed, performance, and visuals. Additional “under the hood” elements continue to be introduced that assist in digital forensic investigations. With Windows being the most widely used computer operating system in the world, it is important to understand the different capabilities in recovering and analyzing important data that may prove vital to your case during litigation.

What’s New?

Options

  • An important issue to address before reviewing a Windows 10 system is the availability of the data. Is the device secured by a password? Is the password known? Windows 10 introduced new sign-in options to help secure the machine. On supported devices, users can enable sign-in options such as face authentication, fingerprint recognition, PIN codes, security keys, or picture passwords. These options are enabled from within the Windows system settings. It is important to note that none of these sign-in options encrypt the hard drive, so a forensic image can still be produced even when the password is not known.

Synched Data

  • Windows 10 now allows users to link their mobile devices to their computer. This feature allows the user to make and receive calls and texts, check notifications, and get instant access to the phone’s photos and apps. Additionally, files such as Word, Excel, and PowerPoint documents sync simultaneously between devices. This feature can be helpful when hoping to analyze files that have originated on another device but have now synched over, making data of interest available on multiple devices.

Windows Cortana

  • Previously available only on Windows Phones, the virtual assistant Cortana is now available on Windows 10 computer systems. Cortana can be used in a variety of ways, including setting up reminders, searching the web, sending emails, and more. Cortana stores the information sent and received in databases within the Windows operating system. By performing a forensic investigation of the computer, it is possible to uncover past Cortana activity.

Valuable Upgraded Artifacts in Windows 10

While the following artifacts were not introduced with the Windows 10 release, they have undergone improvements that increase their value when performing digital forensic investigations on Windows machines.

Windows Registry

  • The registry can be described as the DNA of the Windows operating system, as it holds the configuration settings and important records that allow the computer to function properly. In recent years, and with the introduction of Windows 10, the registry has been improved to include valuable data that can assist in investigations. Generally, you can expect the Windows registry to hold data such as time zone information, files accessed, programs run, web browsing activity, connected USB devices, and possibly passwords. In addition, new programs incorporated into the Windows 10 interface rely on the registry to hold valuable data.

Windows Event Logs – “Timeline”

  • For years, Windows has relied upon event logs to keep track of the various record changes a computer system experiences. Event log improvements to Windows systems keep track of user logins, application installations, security management, system setup operations, and any problems and errors. These logs can be helpful when putting together a timeline of events that occurred on a computer system. New in Windows 10, the Windows Activity Timeline tracks all sorts of user activity, including which applications a user has executed, when each app was started and closed, timestamps for when the user was actively engaged with the app, and files accessed, in addition to text and files the user copied and pasted.
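The Activity Timeline described above is backed by a SQLite database (on a live system, ActivitiesCache.db under the user's ConnectedDevicesPlatform folder). The following is an added example, not code from the original article: it reads the Activity table, converts the Unix-epoch timestamps, and reconstructs an ordered timeline of app launches and focus periods. Because it must run offline, it builds a small constructed copy of the table in memory; the column names follow the real table, but the sample rows, the simplified AppId values, and the Payload field name `displayText` are assumptions for this example.

```python
# Added example (not from the original article): reconstruct a Windows 10
# Activity Timeline from the SQLite "Activity" table behind ActivitiesCache.db.
import json
import sqlite3
from datetime import datetime, timezone

# ActivityType values seen in ActivitiesCache.db: 5 = application/document
# opened, 6 = application in focus (user actively engaged). Others stay raw.
ACTIVITY_TYPES = {5: "ExecutionOpen", 6: "InFocus"}


def _ts(epoch):
    """Timeline stores seconds since the Unix epoch; render as UTC ISO-8601."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def load_timeline(conn):
    """Return Activity rows as a list of dicts, oldest first."""
    rows = conn.execute(
        "SELECT AppId, ActivityType, StartTime, EndTime, Payload "
        "FROM Activity ORDER BY StartTime"
    ).fetchall()
    timeline = []
    for app_id, act_type, start, end, payload in rows:
        # Payload is JSON; 'displayText' holds the document/window title in
        # this sample (field name assumed for the example).
        meta = json.loads(payload) if payload else {}
        timeline.append({
            "app": app_id,
            "type": ACTIVITY_TYPES.get(act_type, f"Type{act_type}"),
            "start": _ts(start),
            "end": _ts(end) if end else None,          # 0 = no end recorded
            "seconds_in_focus": (end - start) if (act_type == 6 and end) else None,
            "title": meta.get("displayText"),
        })
    return timeline


def build_sample_db():
    """Constructed stand-in for ActivitiesCache.db (sample rows, not evidence)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Activity (Id BLOB, AppId TEXT, ActivityType INT, "
                 "StartTime INT, EndTime INT, LastModifiedTime INT, Payload TEXT)")
    conn.executemany("INSERT INTO Activity VALUES (?,?,?,?,?,?,?)", [
        (b"\x01", "WINWORD.EXE", 5, 1583409600, 0, 1583409600,
         json.dumps({"displayText": "contract_draft.docx"})),
        (b"\x02", "WINWORD.EXE", 6, 1583409660, 1583411460, 1583411460, None),
        (b"\x03", "WINWORD.EXE", 5, 1583412000, 0, 1583412000,
         json.dumps({"displayText": "contract_draft.docx"})),
    ])
    return conn


if __name__ == "__main__":
    for entry in load_timeline(build_sample_db()):
        print(entry)
```

The InFocus row yields the engagement duration (here 1800 seconds), which is the "actively engaged" evidence the article refers to; on a real image the same query is run against the copied ActivitiesCache.db file.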

Between the new and upgraded features, Windows 10 tracks more information of value to an investigation than any prior edition of the operating system. Being aware of these new features, and of what the system may record, is a crucial part of understanding how digital forensics may benefit your client and case.

Brandon Barnes
Digital Forensics Examiner at Sensei Enterprises, Inc.
Brandon Barnes is a Digital Forensics Examiner at Sensei Enterprises, Inc. and specializes in electronic evidence analysis, data recovery, and forensic reporting. Brandon is an EnCase Certified Examiner (EnCE). He originates from Pennsylvania, where he received his Bachelor of Science in Digital Forensics at Bloomsburg University.
Michael Maschke
Chief Executive Officer at Sensei Enterprises, Inc.
Michael Maschke is the Chief Executive Officer at Sensei Enterprises, Inc. Mr. Maschke holds a degree in Telecommunications from James Madison University. Mr. Maschke is an EnCase Certified Examiner (EnCE), a Certified Computer Examiner (CCE #744), a Certified Ethical Hacker (CEH), an AccessData Certified Examiner (ACE), and a Certified Information Systems Security Professional (CISSP).

He is an associate member of the American Bar Association and has spoken at the American Bar Association’s TECHSHOW conference on the subject of cybersecurity. He is currently an active member of the ABA’s Law Practice Division: Technology Core Group and is on the Fairfax Law Foundation Board of Directors. Mr. Maschke is a 2019 Fastcase 50 award recipient.

He is also a co-author of Information Security for Lawyers and Law Firms, a book published by the ABA in 2006, and of The 2008-2020 Solo and Small Firm Legal Technology Guides (American Bar Association, 2008 – 2020).