Investigating Cortana
28/01/2022 Friday
Cortana is a voice-activated digital personal assistant introduced by Microsoft as part of Windows 10 desktop operating systems. Cortana can be used to perform various tasks such as searching the local files or the web, answering simple queries, sending emails and texts, setting different types of reminders based on time, place, or person, and more.
Digital Forensics Value of Cortana Artifacts
To be able to assess the user effectively, Cortana records and collects information about the user and links it across different devices. This information includes user's device location and location history, contacts, calendar, typing history, and more. This type of information is of forensic value, as it can help examiners in reconstructing previous events and provides them with many substantial information related to user's activities.
Location of Cortana Artifacts
Cortana artifacts are recorded into CortanaCoreDb.dat database which is located at:
%Userprofile%\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCoreDb.dat
Structure of Cortana Artifacts
User's interactions with Cortana are stored in CortanaCoreDb.dat database in an Extensible Storage Engine (ESE) format. This database file contains multiple tables recoding all the user's activities.
Analyzing Cortana Artifacts with ArtiFast Windows
This section will discuss how to use ArtiFast Windows to extract Cortana artifacts from Windows machines and
what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifacts Selection
phase, you can select Cortana artifacts:
ArtiFast can analyze Cortana Place, Time, and Person Reminders. For demonstration purposes, all three
artifacts have been chosen but you have the option to select one or more artifacts.
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Cortana artifacts in ArtiFast software.
Cortana Person Reminders Artifact
Cortana Person Reminders are person-based
reminders. To be able to set such a reminder, the person must be part of the user’s contacts list. These
reminders are triggered whenever the user interacts with that contact. The details you can view include:
- Title - Title of the reminder.
- Status - Status of the reminder.
- Creation Date/Time - Date/Time when the reminder was created.
- Last Update Date/Time - Date/Time when the reminder was last updated.
- Completion Date/Time - Date/Time when the reminder was completed.
- Contact Name - Name of the contact the reminder was set for.
Cortana Place Reminders Artifact
Cortana Place Reminders are location-based
reminders that are triggered whenever the user arrives or leaves a particular location. The details you can
view include:
- Title - Title of the reminder.
- Status - Status of the reminder.
- Creation Date/Time - Date/Time when the reminder was created.
- Last Update Date/Time - Date/Time when the reminder was last updated.
- Completion Date/Time - Date/Time when the reminder was completed.
- Latitude - Latitude value for the place.
- Longitude - Longitude value for the place.
- Place Name - Name of the place the reminder was set for.
Cortana Time Reminders Artifact
Cortana Time Reminders are time-based reminders that
are triggered on a specific time. The details you can view include:
- Title - Title of the reminder.
- Status - Status of the reminder.
- Creation Date/Time - Date/Time when the reminder was created.
- Last Update Date/Time - Date/Time when the reminder was last updated.
- Completion Date/Time - Date/Time when the reminder was completed.
- Reminder Set Date/Time - Date/Time when the reminder was set.
- Last Trigger Date/Time - Date/Time when the reminder was last triggered.
For more information or suggestions please contact: [email protected]
