Saturday, July 21, 2018

Daily Blog #429: Solution Saturday 7/21/18

Hello Reader,
Another week, another challenge. It came down to the wire (a deadline I extended), but we have an answer and a winner. This week's winner, Justin Boncaldo, sent in the only entry; many others were talking but didn't submit! So remember that submitting is halfway to winning when tomorrow's challenge gets posted!



The Challenge:
Cortana used to have a database that kept track of location information and other relevant DFIR data. As of a year ago the database has changed and the location data is nowhere to be found. For this week's challenge please answer the following questions:
1. Where does Cortana keep its data now?
2. What data does Cortana retain now?
3. Is there any location history left from Cortana?

The Winning Answer from Justin Boncaldo:

My brief and initial findings of Cortana's local data. *Note: Due to my initial lack of knowledge of Cortana data, this information was compiled based on my best judgement and may be incorrect.


As you know, Microsoft's Cortana used to store forensically valuable information within
 - 'CortanaCoreDb.dat' [user/appdata/local/packages/Microsoft.Windows.Cortana.cw5n1h2txyewy/localstate/ESEDatabase_CortanaCoreInstance] and
 - 'IndexedDB.dat' [user/appdata/local/packages/Microsoft.Windows.Cortana.cw5n1h2txyewy/appdata/indexed DB/]

1. It appears that the majority of Cortana's data is now stored in the cloud, and then requested on a necessary basis. By keeping most of a user's data on their own servers, Microsoft helps strengthen user security, allows seamless transition between devices, and allows for data to be utilized faster.

2. Although the two databases still exist on the system, no user data appears to be stored there anymore. Cortana currently mostly stores numerous JSON files and visual assets locally, necessary for the use of the application and for a functional connection to be built with the servers. However, I was able to find two locations with potentially useful information. The first is "Local Recorder" at path [user/appdata/local/packages/Microsoft.Windows.Cortana.cw5n1h2txyewy/Localstate/LocalRecorder/Speech/SavedAudio]. This appears to contain locally stored instances of the audio recordings that Cortana takes. WAV audio files are saved using the short-name naming convention, and will automatically delete themselves from the system over time. Audio playback has not been successful for me yet, because these files are displayed with a file size of 0 KB. I have yet to compare this creation timestamp to that of a Cortana activation instance. The second piece of data is Wi-Fi data located at [user/appdata/local/packages/Microsoft.Windows.Cortana.cw5n1h2txyewy/Localstate/signals/collection/Wifi]. This file stores the network SSID that the device was connected to at the time of voice commands. Unfortunately, this information is also deleted after some time, and more testing needs to be done with this.

3. I believe these two locations could both hold valuable information to support other location data. Although they do not directly connect the user to a specific location on the earth, they might show that the user was using Cortana's voice commands at a specific time, and that they were connected to a specific network at that time too. Again, this is not direct data, and it is apparently extremely volatile. More testing will be done to observe more actions of Cortana.
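A small triage script for the two artifact folders the answer names, added here as an example and not part of Justin's entry or the original post. It assumes the Cortana package root is passed in (on a live host that is %LOCALAPPDATA%\Packages\Microsoft.Windows.Cortana.cw5n1h2txyewy), records size and modification time for every file found, flags the zero-byte WAV files the answer observed, and builds a constructed sample tree so it can be run offline.

```python
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Folders of interest, relative to the Cortana package root, taken from the
# paths quoted in the answer above.
ARTIFACT_DIRS = {
    "saved_audio": Path("LocalState/LocalRecorder/Speech/SavedAudio"),
    "wifi_signals": Path("LocalState/signals/collection/Wifi"),
}


def triage_cortana(package_root):
    """Return one record per file under the two artifact folders.

    Records carry the relative path, size and UTC mtime; zero-byte WAV files
    are flagged with empty_wav. A folder that no longer exists (both are
    purged over time) yields a single record with missing=True.
    """
    package_root = Path(package_root)
    records = []
    for label, rel in ARTIFACT_DIRS.items():
        folder = package_root / rel
        if not folder.is_dir():
            records.append({"artifact": label, "path": str(rel), "missing": True})
            continue
        for f in sorted(folder.rglob("*")):
            if not f.is_file():
                continue
            st = f.stat()
            records.append({
                "artifact": label,
                "path": str(f.relative_to(package_root)),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "empty_wav": f.suffix.lower() == ".wav" and st.st_size == 0,
            })
    return records


def build_sample_tree():
    """Constructed package root for an offline dry run (not real Cortana data)."""
    root = Path(tempfile.mkdtemp())
    audio = root / ARTIFACT_DIRS["saved_audio"]
    audio.mkdir(parents=True)
    (audio / "A1B2C3~1.WAV").write_bytes(b"")  # zero-byte file, as observed in the answer
    (audio / "D4E5F6~1.WAV").write_bytes(b"RIFF....WAVE")  # constructed non-empty file
    wifi = root / ARTIFACT_DIRS["wifi_signals"]
    wifi.mkdir(parents=True)
    (wifi / "wifi.json").write_text('{"ssid": "ExampleNet"}')  # constructed content
    return root
```

Point `triage_cortana` at an exported package folder from an image to get the same records for real evidence; the mtime column is what you would line up against Cortana activation times.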