Cortana Blog

Investigating Cortana

28/01/2022 Friday

Cortana is a voice-activated digital personal assistant introduced by Microsoft as part of Windows 10 desktop operating systems. Cortana can be used to perform various tasks such as searching the local files or the web, answering simple queries, sending emails and texts, setting different types of reminders based on time, place, or person, and more.

Digital Forensics Value of Cortana Artifacts

To be able to assess the user effectively, Cortana records and collects information about the user and links it across different devices. This information includes user's device location and location history, contacts, calendar, typing history, and more. This type of information is of forensic value, as it can help examiners in reconstructing previous events and provides them with many substantial information related to user's activities.

Location of Cortana Artifacts

Cortana artifacts are recorded into CortanaCoreDb.dat database which is located at:

%Userproﬁle%\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCoreDb.dat

Structure of Cortana Artifacts

User's interactions with Cortana are stored in CortanaCoreDb.dat database in an Extensible Storage Engine (ESE) format. This database file contains multiple tables recoding all the user's activities.

Analyzing Cortana Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to extract Cortana artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select Cortana artifacts:

ArtiFast can analyze Cortana Place, Time, and Person Reminders. For demonstration purposes, all three artifacts have been chosen but you have the option to select one or more artifacts.

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Cortana artifacts in ArtiFast software.

Cortana Person Reminders Artifact

Cortana Person Reminders are person-based reminders. To be able to set such a reminder, the person must be part of the user’s contacts list. These reminders are triggered whenever the user interacts with that contact. The details you can view include:

Title - Title of the reminder.
Status - Status of the reminder.
Creation Date/Time - Date/Time when the reminder was created.
Last Update Date/Time - Date/Time when the reminder was last updated.
Completion Date/Time - Date/Time when the reminder was completed.
Contact Name - Name of the contact the reminder was set for.

Cortana Place Reminders Artifact

Cortana Place Reminders are location-based reminders that are triggered whenever the user arrives or leaves a particular location. The details you can view include:

Title - Title of the reminder.
Status - Status of the reminder.
Creation Date/Time - Date/Time when the reminder was created.
Last Update Date/Time - Date/Time when the reminder was last updated.
Completion Date/Time - Date/Time when the reminder was completed.
Latitude - Latitude value for the place.
Longitude - Longitude value for the place.
Place Name - Name of the place the reminder was set for.

Cortana Time Reminders Artifact

Cortana Time Reminders are time-based reminders that are triggered on a specific time. The details you can view include:

Title - Title of the reminder.
Status - Status of the reminder.
Creation Date/Time - Date/Time when the reminder was created.
Last Update Date/Time - Date/Time when the reminder was last updated.
Completion Date/Time - Date/Time when the reminder was completed.
Reminder Set Date/Time - Date/Time when the reminder was set.
Last Trigger Date/Time - Date/Time when the reminder was last triggered.