Computer Forensics – Mobile Forensics – Cyber Security – Lit Support Training (Session 1, 4/7/16; 35 pages)

Upload: dinhtuong

Post on 26-Apr-2018

TRANSCRIPT

Page 1 (4/7/16)

Computer Forensics – Mobile Forensics – Cyber Security – Lit Support Training

Module Objectives

• User Interface (UI)
• Browsing History
• Page Recovery
• Local Searches
• Local Browsing History – File Explorer
• Internet Explorer 11 (IE11)

Page 2

Microsoft Edge – Navigation

Tabs Address Bar Hub

Edge and Cortana Artifacts

• There are four main locations for browsing artifacts in Windows 10:
– Edge application folder: C:\Users\<username>\AppData\Local\Packages\Microsoft.MicrosoftEdge_<id#>
– Cortana application folder: C:\Users\<username>\AppData\Local\Packages\Microsoft.Windows.Cortana_<id#>
– Registry – NTUSER.DAT: C:\Users\<username>
– Registry – UsrClass.dat: C:\Users\<username>\AppData\Local\Microsoft\Windows

C:\Users\<username>\AppData\Local\Packages

Page 3

Edge – Hub

Reading View

Favorites

Reading List

Write on the Web

Share

More Actions

MS Edge - Favorites

Page 4

Edge–Favorites (File System)

C:\Users\<username>\AppData\Local\Packages\<msedge>\AC\MicrosoftEdge\User\Default\Favorites

Edge – Favorites (Registry)

UsrClass.dat\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\<foldername> / Order


Page 5

Edge – Favorites Hub

History Downloads

Edge – History

History

• The History drop-down menu displays history by time / day / week

• Entries can be removed from view by clicking the X button to the right. This removes the entry from the drop-down only; it remains in the file system artifacts, the TIFs (Temporary Internet Files cache) and WebCacheV01.dat

Page 6

Edge – Deleted History

Edge – Browser Recovery

Tab 1 – Syntricate
Tab 2 – ArcLight Cinemas
Tab 3 – Seaturtle.org

Page 7


Edge – Browser Recovery

• Recovery tracks the tabs open in Edge

• Each tab has its own .dat file

• There is one overall RecoveryStore file

Tab 3 – Seaturtle.org, offset 620

• Each tab .dat file carries a date/time stamp at offset 620 recording when the tab was opened

• The .dat files are retained only until the next launch of Edge, so collect the Recovery folder from the image or profile before Edge is started again
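As an added example (not code from the training deck), the following Python parses a tab .dat file the way the slide describes: it reads the stamp at offset 620 and pulls out the UTF-16LE strings that hold the page URL and title. Two assumptions are made that the slide does not state: the stamp is a little-endian 64-bit Windows FILETIME (100 ns ticks since 1601-01-01 UTC), and the URL/title are stored as UTF-16LE text. The sample blob is constructed inside the block; `build_sample_tab` and the `Recovery\Active` directory name are this example's own.

```python
"""Parse Edge per-tab recovery .dat files (added example; assumptions noted inline)."""
import re
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

TIMESTAMP_OFFSET = 620  # slide: each tab .dat carries its opened-at stamp at offset 620
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumption: URL and title are UTF-16LE text; match runs of 6+ printable ASCII chars in that encoding.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def filetime_to_datetime(ft: int):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; None if unset or absurd."""
    if ft == 0:
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError:  # garbage bytes at the offset, not a real stamp
        return None


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used here only to build the constructed sample."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_tab_dat(blob: bytes) -> dict:
    """Pull the offset-620 stamp and any UTF-16LE URL strings out of one tab .dat file."""
    if len(blob) < TIMESTAMP_OFFSET + 8:
        raise ValueError("file shorter than offset 620 + 8; not a complete tab record")
    (ft,) = struct.unpack_from("<Q", blob, TIMESTAMP_OFFSET)  # assumption: little-endian FILETIME
    strings = [m.group(0).decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    # about: is included because an InPrivate session leaves about:inprivate in Recovery
    urls = [s for s in strings if s.lower().startswith(("http://", "https://", "about:"))]
    return {"opened_utc": filetime_to_datetime(ft), "strings": strings, "urls": urls}


def scan_recovery_dir(active_dir) -> list:
    """Parse every *.dat in a Recovery\\Active folder, ordered by opened time (unreadable stamps last)."""
    tabs = []
    for path in sorted(Path(active_dir).glob("*.dat")):
        rec = parse_tab_dat(path.read_bytes())
        rec["file"] = path.name
        tabs.append(rec)
    return sorted(tabs, key=lambda r: (r["opened_utc"] is None, r["opened_utc"] or FILETIME_EPOCH))


def build_sample_tab(url: str, title: str, opened: datetime) -> bytes:
    """Constructed test data: zero padding up to offset 620, the stamp, then URL and title as UTF-16LE."""
    return (b"\x00" * TIMESTAMP_OFFSET
            + struct.pack("<Q", datetime_to_filetime(opened))
            + url.encode("utf-16-le") + b"\x00\x00"
            + title.encode("utf-16-le") + b"\x00\x00")


if __name__ == "__main__":
    sample = build_sample_tab("https://seaturtle.org/", "Seaturtle.org home",
                              datetime(2016, 4, 7, 15, 30, tzinfo=timezone.utc))
    print(parse_tab_dat(sample))
    # On an exported profile: print(scan_recovery_dir(r"<profile>\AC\MicrosoftEdge\User\Default\Recovery\Active"))
```

The string scan is deliberately loose (any printable UTF-16LE run) so that titles and URLs are both surfaced; verify the offset-620 reading against the file's modification time, since the two should agree for a tab that was open at shutdown.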

Page 8

Edge – Downloads

Downloads

• The Downloads drop-down menu lists the latest downloads in descending order, with the most recent on top

• Clicking on a download opens the file, i.e. runs whatever it does; e.g. clicking on CuteWriter launched its installer. Do this only on a test machine, never on evidence, since it executes the downloaded file.

Edge Address Box

Edge – Download Artifacts

WebCacheV01.dat

Page 9

Edge – Download Artifacts

• Pages are stored in the Edge AC #!001 folder under the MicrosoftEdge\Cache folder

WebCacheV01.dat references

Site

Sent To

Edge – Download Artifacts

Page 10

• A compilation of the WebCacheV01.dat entries can be made with a third-party tool to see the progression of the download

• Here a Nirsoft viewer was used to combine the entries of the different containers into a spreadsheet, which was then sorted by time

• It shows the start of the process, an Edge browser search for the database viewer, leading to the completed download

Query Navigation Download

Edge – Download Artifacts

WebCacheV01.dat references

Edge – Download Artifacts

File Explorer

• The WebCacheV01.dat also stores a table called iedownload

• Once located, it shows a record of each download by GUID

• I was unable to match the GUIDs to their associated files

• I was able to match them by date and time stamp
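The slide's approach of tying iedownload GUIDs to navigation records by time, written out as an added example (not from the deck): every download record is paired with the navigation rows that fall within a tolerance window of its time, and a window holding more than one row is reported as ambiguous instead of silently picking the nearest. All rows are constructed, the GUIDs and URLs are placeholders, and the field names (`guid`, `url`, `time`) are this example's own, not the WebCacheV01.dat column names.

```python
"""Nearest-time correlation of download GUIDs to navigation rows (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed stand-ins for rows exported from WebCacheV01.dat with an ESE viewer.
# iedownload-style rows: a GUID and a time, but no file name or URL.
DOWNLOADS = [
    {"guid": "{00000000-0000-0000-0000-000000000001}", "time": datetime(2016, 4, 7, 15, 31, 10, tzinfo=UTC)},
    {"guid": "{00000000-0000-0000-0000-000000000002}", "time": datetime(2016, 4, 7, 15, 40, 2, tzinfo=UTC)},
    {"guid": "{00000000-0000-0000-0000-000000000003}", "time": datetime(2016, 4, 7, 16, 5, 0, tzinfo=UTC)},
]
# History/content-container rows: URL and time, following the query -> page -> file progression on the slide.
NAVIGATION = [
    {"url": "https://search.example.net/?q=ese+database+viewer", "time": datetime(2016, 4, 7, 15, 30, 40, tzinfo=UTC)},
    {"url": "http://tools.example.net/ese_database_view.html", "time": datetime(2016, 4, 7, 15, 30, 58, tzinfo=UTC)},
    {"url": "http://tools.example.net/esedatabaseview.zip", "time": datetime(2016, 4, 7, 15, 31, 9, tzinfo=UTC)},
    {"url": "http://files.example.org/a.zip", "time": datetime(2016, 4, 7, 15, 40, 0, tzinfo=UTC)},
    {"url": "http://files.example.org/b.zip", "time": datetime(2016, 4, 7, 15, 40, 3, tzinfo=UTC)},
]


def match_downloads(downloads, navigation, tolerance=timedelta(seconds=5)):
    """Pair each download with the navigation rows within `tolerance` of its time.

    status is 'matched' (exactly one candidate), 'ambiguous' (several; all listed,
    nearest first) or 'unmatched'. Ambiguity is surfaced rather than resolved by
    picking the nearest, because the pairing is the claim an examiner has to defend.
    """
    results = []
    for dl in downloads:
        window = sorted(
            (n for n in navigation if abs(n["time"] - dl["time"]) <= tolerance),
            key=lambda n: abs(n["time"] - dl["time"]),
        )
        rec = {"guid": dl["guid"], "time": dl["time"], "url": None, "candidates": [], "status": "unmatched"}
        if len(window) == 1:
            rec.update(url=window[0]["url"], candidates=[window[0]["url"]], status="matched",
                       delta=window[0]["time"] - dl["time"])
        elif window:
            rec.update(candidates=[n["url"] for n in window], status="ambiguous")
        results.append(rec)
    return results


def timeline(downloads, navigation):
    """Merge both sources into one time-ordered list, the view the slide builds in a spreadsheet."""
    rows = [("download", d["time"], d["guid"]) for d in downloads]
    rows += [("navigation", n["time"], n["url"]) for n in navigation]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for row in timeline(DOWNLOADS, NAVIGATION):
        print(row)
    for rec in match_downloads(DOWNLOADS, NAVIGATION):
        print(rec["guid"], rec["status"], rec["url"] or rec["candidates"])
```

The tolerance is a judgement call: WebCache stamps for a navigation and the resulting download are usually within a few seconds, but widen it when the rows come from different containers whose clocks were recorded at different granularities, and report the chosen window alongside the match.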

Page 11

MS Edge – Reading list

• Allows users to save web pages for later reading

• Pages can be marked up or annotated with a “note”

• Can be saved and shared – Mail – OneNote

• Can be arranged in categories

MS Edge – Write on the Web

• You can: – Annotate with a note* – Mark up – Highlight text – Save – Share

• Mail • OneNote

* It appears notes may be broken. You can create one but not see it later.

Actual Page

Stored Page

Page 12

Edge – Reading List Artifacts

• There are three main locations where Reading List artifacts are stored: – WebNotes folder – Spartan.edb – ReadingList folder

C:\Users\<username>\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge and \#!001

Edge – Spartan.edb

• Reading List entries are stored in spartan.edb: – Description above – Pointer to the thumbnail assigned to the page – Description and URL below

Spartan.edb

Page 13

Edge – Spartan.edb

• The date and time the page was added to the reading list is stored at the beginning of the entry – 64-bit Windows (FILETIME) date and time stamp – One byte back from the beginning of the description

Spartan.edb

Edge – Reading List

• Besides the reference to the Reading List entry, the Spartan.edb file also contains a pointer to the thumbnail in the ReadingList folder

ReadingList

Page 14: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

14

Reading List Spartan.edb

• Spartan.edb can be parsed with third-party tools like Nirsoft's, or in FTK

– The FTK parser is not subject to the varying tables and columns
– And the FTK parser does extract the Added and Last Accessed dates and times

Reading List Spartan.edb

Page 15: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

15

Reading List Spartan.edb

Points to Reading List path

Reading List Spartan.edb

Points to WebNotes path

Page 16: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

16

WebNotes #!001

Edge – Shared Pages

Share will be covered in more detail in Module 5, OneNote

Registry entries: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharingMFU

Page 17: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

17

Edge – Searches

Edge – Searches WebCache

FTK View

Page 18: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

18

Edge Searches – WebCache

• Two searches were made: – “birdocide search from edge” typed in but not entered – “birdocide stuff images” typed in and entered

• Both were recorded in WebCacheV01.dat in type-ahead format, so a term does not have to be submitted to leave a trace

Edge – Searches – Recovery

Page 19: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

19

Edge – Registry Artifacts

• Microsoft Edge stores its information in a different registry hive rather than the NTUSER.DAT normally used

• UsrClass.dat holds the user's per-user classes and AppContainer registry data; on a live system it is mounted under HKCU\Software\Classes (HKU\<SID>_Classes)

C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat

Edge – General App Info

• Windows app info is stored under Local Settings

• Each app has an identifier (its package family name) similar to Windows 8

• Edge and Cortana add an important new dimension to this storage location

AppContainer Subkey

Page 20: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

20

Edge – History Days to Keep

• DaysToKeep, under Url History

• It defaults to 90 days in Edge

• During testing there was no UI for setting this lower

• Edge still permits clearing history

• InPrivate Browsing is still supported

UsrClass.dat\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetSettings\Url History / DaysToKeep

Edge – InPrivate Browsing

• IPB is accessed through the Settings icon in the Hub

• While the session is open, all of the Edge files / settings behave as if IPB were not in use

www.rajaampat-divelodge.com

Page 21: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

21

Edge – InPrivate Browsing

• When the session is closed, the file system artifacts are deleted (but potentially recoverable from unallocated space)

• The WebCache entries are not completely deleted

Edge – IPB After Reboot

WebCacheV01.dat

Recovery

Page 22: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

22

Edge – IPB Recovery Folder

Note the reference to about:inprivate

Edge – TypedURLs

• Microsoft Edge maintains its own TypedURLs
• Stored in the UsrClass.dat

Page 23: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

23

Edge – TypedURLs Hyperlink

Edge TypedURLs IE TypedURLs

Edge – TypedURLs

• Microsoft Edge maintains its own TypedURLs keyset

Keys: TypedURLs / TypedURLsTime / TypedURLsVisitCount
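An added example (not code from the deck) that joins the three keys the slide names into one timeline. It assumes, as for IE's keys, that TypedURLs, TypedURLsTime and TypedURLsVisitCount carry parallel values named url1..urlN, that each TypedURLsTime value is an 8-byte little-endian FILETIME, and that the values have already been exported from UsrClass.dat with a hive parser or a reg export; the sample values are constructed and the `filetime_bytes` helper exists only to build them.

```python
"""Join Edge TypedURLs / TypedURLsTime / TypedURLsVisitCount values (added example; assumptions inline)."""
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
URL_VALUE = re.compile(r"^url(\d+)$")  # assumption: value names are url1..urlN, as in IE's keys


def filetime_to_datetime(ft: int):
    """8-byte Windows FILETIME -> aware UTC datetime; 0 means the stamp was never written."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_bytes(dt: datetime) -> bytes:
    """Inverse, used only to build the constructed sample below."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return struct.pack("<Q", (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10)


def join_typed_urls(typed: dict, times: dict, counts: dict) -> list:
    """Join the three keys on their urlN value names; newest typed entry first, untimed ones last.

    Value names are matched case-insensitively (registry names are). An index present in
    one key but not the others is kept and flagged in 'notes' rather than dropped, since
    that mismatch is itself worth reporting (partial clearing, manual edits).
    """
    typed_n = {k.lower(): v for k, v in typed.items()}
    times_n = {k.lower(): v for k, v in times.items()}
    counts_n = {k.lower(): v for k, v in counts.items()}
    indices = set()
    for d in (typed_n, times_n, counts_n):
        for name in d:
            m = URL_VALUE.match(name)
            if m:
                indices.add(int(m.group(1)))
    records = []
    for i in sorted(indices):
        name, notes, ts = f"url{i}", [], None
        raw = times_n.get(name)
        if raw is None:
            notes.append("no TypedURLsTime value")
        elif len(raw) != 8:
            notes.append(f"TypedURLsTime value is {len(raw)} bytes, expected 8")
        else:
            ts = filetime_to_datetime(struct.unpack("<Q", raw)[0])
        if name not in typed_n:
            notes.append("no TypedURLs value")
        records.append({"index": i, "url": typed_n.get(name), "typed_utc": ts,
                        "visits": counts_n.get(name), "notes": notes})
    records.sort(key=lambda r: (r["typed_utc"] is None, -r["typed_utc"].timestamp() if r["typed_utc"] else 0))
    return records


# Constructed sample, shaped as a hive parser or reg export would hand the values over.
SAMPLE_TYPED = {"url1": "www.example.com", "url2": "intranet.example.net", "url3": "files.example.org"}
SAMPLE_TIMES = {
    "url1": filetime_bytes(datetime(2016, 4, 7, 14, 0, tzinfo=timezone.utc)),
    "url2": filetime_bytes(datetime(2016, 4, 7, 15, 20, tzinfo=timezone.utc)),
    # url3 deliberately has no TypedURLsTime value
}
SAMPLE_COUNTS = {"url1": 3, "url2": 1}

if __name__ == "__main__":
    for rec in join_typed_urls(SAMPLE_TYPED, SAMPLE_TIMES, SAMPLE_COUNTS):
        print(rec)
```

On a live machine the same values sit under HKCU\Software\Classes, which is where UsrClass.dat is mounted, so a `reg export` of the Edge AppContainer storage key gives the input this join expects; on an image, export them from the offline hive instead.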

Page 24: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

24

Edge – App Install Time

• App install dates and times are stored in the Families subkey of AppModel\Repository

• Stored in the UsrClass.dat

UsrClass.dat\LocalSettings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families\Microsoft.Microsoftedge_8wekyb3d8bbwe\Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe / InstallTime

AppModel Subkey

Edge – App Information

Page 25: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

25

Internet Explorer in Win10

• Uses WebCacheV01.dat for tracking
• File system artifacts have changed
• Traditional registry entries remain intact

Internet Explorer in Win10

• TIF objects and pages are under the INetCache folder

C:\Users\<username>\AppData\Local\Microsoft\Windows\INetCache

Page 26: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

26

IE WebCacheV01 Tracking

Query: loreto mexico liveaboard diving

Clicked on the aquacatcruises link

Internet Explorer Registry

Typed URLs

TypedURLsTime

IE History

Main Key

• No major changes to the registry functions for IE

Page 27: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

27

Computer Forensics – Mobile Forensics – Cyber Security – Lit Support Training

Cortana

• Cortana is Microsoft’s answer to Apple’s Siri

• Cortana is a voice / type-in interface added to Win10

• Cortana works together with the MS Edge / Project Spartan browser

• Cortana is identified by the “Ask me anything” text box at the Start menu

• Click on “Ask me anything” to bring up the Cortana interface

Page 28: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

28

Anatomy of a Cortana Search

• Cortana searches made from the “Ask me anything” box

Search Term Entered:

Toucan Sam

Cortana Searches WebCache

• WebCacheV01.dat hits shown using Nirsoft
• Note the type-ahead nature of the search: it is recorded letter by letter as it is typed

Page 29: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

29

Cortana Searches WebCache

• WebCacheV01.dat hit for toucan sam
• Entry points to the INetCache container directory
• Entry points to the .json file where the Cortana data is stored

Cortana Searches .JSON Files

• Cortana searches that make it to the .json files are stored in four folders in the INetCache folder

• Each references searches made at that specific time
• Toucan Sam search made at 10:18:42
• Contains actual searches and suggested hits

Page 30: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

30

Cortana Searches .JSON Files

• Cortana searches that make it to the .json files are stored at:

C:\Users\<username>\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\INetCache\<folder>\Suggestions<#>.json

SuggestionsH55LZSF8.json

Cortana Searches .JSON Files

Query

Suggestions

• .json file parsing in FTK

• The query comes first

• Queries are prefixed with a “url” designation

• Suggestions come below the Confidence Score

Page 31: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

31

Cortana Searches Link Files

• Cortana voice searches may also be stored as a .lnk file
• Not all searches are stored here
• Uses %20 as the space between words
• With voice searches, Cortana stores what it thinks you said
• Note the Unix numeric date and time stamp in the name

Link Files: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent

Cortana Searches Jump Lists

• Cortana may also store search hits in the Jump Lists
• ID#: 9d1f905ce5044aee.automaticDestinations-ms

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Page 32: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

32

Cortana Searches Jump Lists

64-bit Windows Date/Time

Unix Numeric Date/Time

Cortana Searches – DestList

• The DestList may have search results as well
• It will also have the Windows and Unix date and time stamps

Page 33: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

33

Cortana Searches – Voice

Run a Utility

Look for Files

Ask a Question

Cortana Searches – NTUSER

• Searches may also be archived in the NTUSER.DAT
• In the FileExts subkey, under the .com extension
• The key's last-written date and time is typically the date and time the search was conducted

Page 34: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

34

Cortana Searches .com Links

• Spoken search – “How big is a dawg” (Cortana's rendering of “dog”)

• Typed search – “Whitetips photo”

Cortana Searches RecentDocs

• Cortana voice searches may also be stored in RecentDocs
• Uses %20 as the space between words
• Cortana stores here what it thought you said
• Not all spoken searches end up here
• Note the Unix numeric date and time stamp in the key name

Page 35: Computer Forensics – Mobile Forensics –Cyber … SESSION 1...4/7/16 1 Computer Forensics – Mobile Forensics –Cyber Security – Lit Support Training Module Objectives • User

4/7/16

35

Cortana Searches RecentDocs

Cortana Searches – Speech Render

• Speech_render[#].htm – yet another way to find speech searches in Cortana

C:\Users\<username>\AppData\Local\Packages\<cortana>\AC\INetCache\<id#>