Peer-reviewed article

A forensic insight into Windows 10 Cortana search

2017; Elsevier BV; Volume: 66; Language: English

10.1016/j.cose.2017.01.007

ISSN

1872-6208

Authors

Bhupendra Singh, Upasna Singh

Topic(s)

Digital Media Forensic Detection

Abstract

Cortana, one of the new features introduced by Microsoft in Windows 10 desktop operating systems, is a voice-activated personal digital assistant that can be used for searching for content on the device or the web, setting up reminders, tracking users' upcoming flights, getting news tailored to users' interests, sending texts and emails, and more. Because the platform is relatively new, the forensic examination of Cortana has been largely unexplored in the literature. This paper seeks to determine the data remnants of Cortana usage on a Windows 10 personal computer (PC). The research contributes an in-depth understanding of the location of evidentiary artifacts on the hard disk and the type of information recorded in these artifacts as a result of user activities on Cortana. For decoding and exporting data from one of the databases created by the Cortana application, four custom Python scripts have been developed. Additionally, as part of this paper, a GUI tool called CortanaDigger has been developed for extracting and listing web search strings, as well as the timestamps of searches made by a user in the Cortana box. Several experiments are conducted to track reminders (based on time, place, and person) and to detect anti-forensic attempts, such as evidence modification and evidence destruction, carried out on Cortana artifacts. Finally, the forensic usefulness of Cortana artifacts is demonstrated in terms of a Cortana web search timeline constructed over a period of time.
