Digital Forensic Artifacts of the Cortana Device Search Cache on Windows 10 Desktop

Domingues, P. ; Frade, M. F.

Digital Forensic Artifacts of the Cortana Device Search Cache on Windows 10 Desktop, Proc. International Workshop on Digital Forensics / International Conference on Availability, Reliability and Security WSDF-ARES, Salzburg, Austria, Vol. 2, pp. 338-344, August 2016.

Digital Object Identifier: 10.1109/ARES.2016.44

Microsoft Windows 10 Desktop edition has brought some new features and updated others that are of special interest to digital forensic analysis. The search box available on the taskbar, next to the Windows start button, is one of these novelties. Although the primary use of this search box is to act as an interface to the intelligent personal digital assistant Cortana, in this paper we study the digital forensic artifacts of the search box on machines where Cortana is explicitly disabled. Specifically, we locate, characterize and analyze the content and dynamics of the JSON-based files that are periodically generated by the Cortana device search cache system. Forensically important data from these JSON files include the number of times each installed application has been run, the date of the last execution and the content of each application's custom jump list. Since these data are collected per user and saved in a resilient text format, they can help in digital forensics, mostly by assisting the validation of other sources of information.