
Cortana Forensics

Cortana is a voice-activated personal assistant introduced in Windows 8.1 and later included in Windows 10. It provides personalized assistance through search suggestions, reminders, and other functions by learning user habits over time. Forensically, Cortana databases and folders can contain a user's search history, location data from reminders, and recorded voice commands.

Uploaded by

aakash25mahajan
Cortana is a voice-activated personal assistant (similar to Siri, developed by Apple Inc. for its iOS). Cortana is a relatively new feature, first introduced in Windows Phone version 8.1; later, with the release of Windows 10, it was ported to the Windows desktop as well.

Its main task is to provide a personalized experience for Windows 10 users by offering suggestions when conducting searches, in addition to remembering events, sending e-mails on the user’s behalf (when configured properly), searching the Web, checking weather forecasts, and many more useful things.

Cortana works through cumulative learning. Hence, the more the user communicates with it (through the PC microphone or by typing), the better it understands the user’s personal habits and attitudes, leading to more accurate results in future interactions.

From a digital forensics perspective, Cortana can provide a wealth of information about a user’s previous activities on the target machine, in addition to web searches and geolocation data (latitude/longitude of the triggered location-based reminders).

Bear in mind that despite the important information that can be retrieved from the Cortana feature, we cannot always expect to have it enabled on all Windows machines, as this feature has a reputation of being a privacy invader for Windows users and many of them have already deactivated this feature due to privacy concerns.

Cortana keeps some information related to its work in two Extensible Storage Engine (ESE) databases that can be found at the following locations:

\Users\<UserName>\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\AppData\Indexed DB\IndexedDB.edb

\Users\<UserName>\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCoreDb.dat

Note!

If you cannot find the second database, named “CortanaCoreDb.dat,” this means the Cortana feature is disabled on the examined machine.

The “CortanaCoreDb.dat” database holds forensically valuable information related to user geolocation data, in addition to reminders set by a user and where and when these reminders were triggered.

Please note that Cortana can record extensive private information about its users; however, it seems that Microsoft has shifted many user interactions with Cortana onto Microsoft cloud servers. Another location where some Cortana-related artifacts can be found on the local machine is

\Users\<UserName>\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\LocalRecorder\Speech

(see Figure 7-49).

This folder stores voice command (WAV audio files) recordings issued by a user to Cortana to perform a task.

Please note that not all computer forensic suites support decoding the Cortana database; always consult the manual or tool features before buying it.

For instance, EnCase has a script to decode Cortana search terms of user-specified IndexedDB.edb files.

Note!

ESEDatabaseView from Nirsoft (www.nirsoft.net/utils/ese_database_view.html) is a tool for displaying data and available tables inside the ESE database.
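
The artifact locations listed above can be inventoried on a mounted image before any database is opened in a decoding tool. The following Python code is an added example, not part of the original slides: it checks each user profile for the two ESE databases and the Speech folder, hashes what it finds, and applies the rule that a missing CortanaCoreDb.dat means Cortana is disabled. The function names, the sample users "alice" and "bob", and the "_sample" package suffix are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Relative locations as given on the page; the "_xxxx" package suffix varies.
PKG_GLOB = "AppData/Local/Packages/Microsoft.Windows.Cortana_*"
ARTIFACTS = {
    "IndexedDB.edb": "AppData/Indexed DB/IndexedDB.edb",
    "CortanaCoreDb.dat": "LocalState/ESEDatabase_CortanaCoreInstance/CortanaCoreDb.dat",
}
SPEECH_DIR = "LocalState/LocalRecorder/Speech"

def sha256(path):  # chunked so large databases are not loaded into memory at once
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def triage_cortana(users_root):
    """Inventory Cortana artifacts for each profile under a mounted image's Users folder."""
    findings = []
    for profile in sorted(p for p in users_root.iterdir() if p.is_dir()):
        for pkg in sorted(profile.glob(PKG_GLOB)):
            dbs = {n: sha256(pkg / r) for n, r in ARTIFACTS.items() if (pkg / r).is_file()}
            wavs = sorted((pkg / SPEECH_DIR).glob("*.[wW][aA][vV]"))
            findings.append({
                "user": profile.name, "package": pkg.name,
                "databases": dbs,  # artifact name -> SHA-256
                # Per the page: a missing CortanaCoreDb.dat means Cortana is disabled.
                "cortana_enabled": "CortanaCoreDb.dat" in dbs,
                "voice_recordings": [(w.name, w.stat().st_size, sha256(w)) for w in wavs],
            })
    return findings

def build_sample_tree(root):
    """Constructed sample layout with placeholder bytes (not real ESE or WAV data)."""
    for user, enabled in (("alice", True), ("bob", False)):
        pkg = root / "Users" / user / "AppData/Local/Packages/Microsoft.Windows.Cortana_sample"
        rels = [r for n, r in ARTIFACTS.items() if enabled or n != "CortanaCoreDb.dat"]
        rels += [SPEECH_DIR + "/cmd1.wav"] if enabled else []
        for rel in rels:
            (pkg / rel).parent.mkdir(parents=True, exist_ok=True)
            (pkg / rel).write_bytes(b"constructed:" + rel.encode())
    return root / "Users"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*triage_cortana(build_sample_tree(Path(tmp))), sep="\n")
```

Point triage_cortana at the Users folder of a read-only mounted image; the recorded hashes let later decoding work be tied back to the exact files that were found.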
