

Daily Blog #802: Windows Hello Forensics presentation

 


Hello Reader,

 Today I gave a presentation on Windows Hello Forensics to the HTCIA Northeast chapter. I wanted to share the presentation here for the attendees and for anyone else interested in seeing all the data from the prior blog posts in one place. 

If you like the slides, I made them using ChatGPT 4o, and I'll go through the prompts I used in tomorrow's blog!

You can download them here: 

https://docs.google.com/presentation/d/1hDpBJgh6V21diSxY8Lei8gfgshwYnYpW/edit?usp=sharing&ouid=104808728995007755708&rtpof=true&sd=true

Daily Blog #753: Windows hello challenge part 4

 


Hello, Reader,

The bonus question in this challenge asked where Windows stores the biometric data used for facial recognition or fingerprint authentication. It turns out that this information is kept in a database located at:

\Windows\System32\WinBioDatabase

Inside this folder, you’ll find files named with GUIDs and a .DAT extension, for example:

DC576DA6-D676-4A15-906D-C0CEAF949543.DAT

These files contain an encrypted and hashed version of a user’s identity that Windows uses for system authentication. This process is part of the Windows Biometric Framework. For more details, check out the Biometric Framework Overview on Microsoft Learn.

The encryption key being used remains unclear, and it’s possible that these keys are stored in a TPM chip. I’ll take a closer look at this file in my next post to see if the Data Protection API is also being utilized.
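A triage script for those .DAT files, added here as an example rather than taken from the post: it confirms the GUID naming quoted above, measures byte entropy (encrypted or hashed data sits close to 8 bits per byte), and scans for DPAPI blobs, which begin with a version DWORD of 1 followed by the CryptProtectData provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}. The path is the one from the post; the sample buffers are constructed. Treat the DPAPI check as one-directional: a hit shows DPAPI is in play, a miss does not prove the key lives in a TPM.

```python
"""Triage WinBioDatabase .DAT files: GUID naming, entropy, DPAPI blob headers.

Added example, not code from the original post. Run triage_database() against
files copied out of a forensic image; the constructed SAMPLE_* buffers let the
checks be exercised without a Windows system.
"""
import math
import os
import re
import uuid

WINBIO_DB = r"C:\Windows\System32\WinBioDatabase"  # path quoted in the post
GUID_DAT_RE = re.compile(r"^[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\.DAT$", re.IGNORECASE)
# DPAPI blob header: dwVersion == 1, then the provider GUID. GUIDs are stored
# mixed-endian on disk, hence bytes_le (d0 8c 9d df 01 15 d1 11 8c 7a ...).
DPAPI_MARKER = b"\x01\x00\x00\x00" + uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb").bytes_le


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform 256-symbol one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_dpapi_blobs(data):
    """Offsets at which a DPAPI blob header (version 1 + provider GUID) begins."""
    offsets, start = [], 0
    while (i := data.find(DPAPI_MARKER, start)) >= 0:
        offsets.append(i)
        start = i + 1
    return offsets


def triage_bytes(name, data):
    """Summarise one file's contents; guid_named flags the expected <GUID>.DAT pattern."""
    return {
        "file": name,
        "size": len(data),
        "guid_named": bool(GUID_DAT_RE.match(name)),
        "entropy": round(shannon_entropy(data), 2),
        "dpapi_blob_offsets": find_dpapi_blobs(data),
    }


def triage_database(root=WINBIO_DB):
    """Triage every file in the database directory (all names, so oddities stand out)."""
    rows = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                rows.append(triage_bytes(name, fh.read()))
    return rows


# Constructed buffers for a dry run; not real WinBioDatabase contents.
SAMPLE_PLAIN = b"A" * 1024
SAMPLE_WITH_DPAPI = b"\x00" * 16 + DPAPI_MARKER + bytes(range(256)) * 2

if __name__ == "__main__":
    for row in (triage_bytes("DC576DA6-D676-4A15-906D-C0CEAF949543.DAT", SAMPLE_WITH_DPAPI),
                triage_bytes("notes.txt", SAMPLE_PLAIN)):
        print(row)
```

A file with entropy well below 7 bits per byte, or a DPAPI header offset, is worth a closer look before concluding the whole template is TPM-wrapped.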


Stay tuned!


Also Read:

 Windows hello challenge part 3

 Windows hello challenge part 2

 Windows hello challenge part 1

 

Daily Blog #752: Windows hello challenge part 3 fingerprints


Hello Readers,

Believe it or not, I recently purchased a Windows Hello-compatible fingerprint reader purely to test its capabilities and examine the logs it generates. I’m pleased to report that the investment paid off—there’s now an event log entry in Microsoft-Windows-Biometrics that confirms a successful fingerprint-based authentication.

Here’s the log entry; it's Event ID 1004:

The Windows Biometric Service successfully identified <hostname>\<username> (S-1-5-21-3400467401-1001) using sensor: VeriMark DT Fingerprint Key (USB\VID_047D&PID_00F2&MI_01\7&163AA6B8&0&0001).

Much like facial recognition, this distinct log entry clearly indicates that a person (or someone who managed to spoof the sensor) was present at the keyboard.


Also Read: 

Windows hello challenge part 4

Windows hello challenge part 2

Windows hello challenge part 1

Daily Blog #746: Solving the windows hello challenge part 2


Hello Reader,

Continuing from yesterday’s entry—where we explored the logs for biometric face-scanning authentication in Windows Hello—today we’re taking a closer look at PIN-based authentication. With a PIN, you can sign in using a simple number sequence instead of a full password.

To test this out, I ensured my PIN was already set up, locked my workstation, and then unlocked it using the PIN. Here’s what I observed in the security logs:

  • Event ID 4624: I found two entries related to my sign-in. One of these events is marked as type 11, which indicates:

    CachedInteractive: A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller wasn't contacted to verify the credentials.

  • The other was Type 7, which indicated that my workstation was unlocked.

Additionally, the logon process is recorded as “Negotiat,” and the authentication package is listed as “Negotiate” as well.

Interestingly, I didn’t come across any specific logs that would clearly indicate a PIN was used. I was hoping to find entries in either the Windows Hello for Business or User Device Registration logs—similar to what we see with biometric logins—but neither those logs nor the biometric logs provided any details related to the PIN-based login.

Next on my list is testing a Windows Hello–approved fingerprint scanner. Stay tuned for more updates on that front!


Also Read:

Windows hello challenge part 4

Windows hello challenge part 3

 Windows hello challenge part 1


Daily Blog #745: Solving the windows hello challenge part 1

 


Hello Readers,

Last week’s Sunday Funday challenge had me asking you all to test Windows Hello and discover what traces it leaves behind after authentication. Since the community couldn’t pinpoint the answer, I decided to dive in and do the testing myself.

Part 1: Facial Recognition

I started by focusing on the aspect that interests me most—facial recognition. Why facial recognition? Because it would indicate whose face was being presented and, in theory, who is actually at the keyboard. I purchased a Windows Hello-capable webcam that uses a facial scan for authentication. After installing it, I rebooted my computer, logged in using the facial scan, and then locked and unlocked the computer with Windows Hello.

Digging Into the Event Logs

First, I checked the Security Event Log. As expected, I found several Event ID 4624 entries. However, these only showed “Type 11 (cached credentials)”—there was no mention of Windows Hello or the facial scan being used for authentication.

After some research, I discovered a custom Microsoft log called Microsoft-Windows-Biometrics/Operational. There, I found Event ID 1605, which read:

"The Windows Biometric Service secure component successfully authorized user (domain)<user>"

This confirmed that biometric authentication had taken place, but it didn’t specify which method was used. Looking two events earlier, I found Event ID 1019, which provided the missing details:

"The Windows Biometric Service completed a privileged vendor-specific operation for sensor: Facial Recognition (Windows Hello) Software Device (ROOT\WINDOWSHELLOFACESOFTWAREDRIVER\0000).
The command was directed to the biometric unit's 'Sensor Adapter' component."

This closed the loop for me. I now know exactly which biometric device was used, which user was authenticated, and that the login was successful—all thanks to facial recognition.
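Pulling parts 1 through 3 together: a Security 4624 on its own (Type 11 cached credentials, Type 7 unlock) looks the same whether the user typed a PIN, scanned a face or touched a fingerprint reader. What separates them is what sits in Microsoft-Windows-Biometrics/Operational in the seconds before it: 1004 for a fingerprint (user and sensor in one message), 1605 plus a nearby 1019 for a face (the 1019 names the sensor), and nothing at all for a PIN or password. The script below is an added example, not the author's code; it assumes the events have already been exported out of EVTX into the simple dict layout shown (a convention of this script, to be mapped from whatever export tool is used), and the sample records are constructed, modelled on the messages quoted in the posts. The 30-second lookback is an assumption.

```python
"""Label each console 4624 with the Windows Hello method behind it.

Added example; record layout and sample data are constructed, not taken from
the original posts or from any Windows export format.
"""
import re
from datetime import datetime, timedelta

BIO_LOG = "Microsoft-Windows-Biometrics/Operational"
SECURITY_LOG = "Security"
LOOKBACK = timedelta(seconds=30)      # assumption: biometric events precede the 4624 by seconds
CONSOLE_LOGON_TYPES = {2, 7, 11}      # 2 Interactive, 7 Unlock, 11 CachedInteractive
# Greedy so a sensor name containing parentheses survives; the last
# parenthesised group is the device instance path.
SENSOR_RE = re.compile(r"sensor: (.+) \(([^()]+)\)")

RECORDS = [
    # Face unlock: 1019 names the sensor, 1605 confirms, then the 4624 unlock.
    {"time": "2025-02-08T09:00:01", "log": BIO_LOG, "id": 1019,
     "msg": "The Windows Biometric Service completed a privileged vendor-specific "
            "operation for sensor: Facial Recognition (Windows Hello) Software Device "
            "(ROOT\\WINDOWSHELLOFACESOFTWAREDRIVER\\0000). The command was directed to "
            "the biometric unit's 'Sensor Adapter' component."},
    {"time": "2025-02-08T09:00:02", "log": BIO_LOG, "id": 1605,
     "msg": "The Windows Biometric Service secure component successfully authorized user LAB\\dave"},
    {"time": "2025-02-08T09:00:03", "log": SECURITY_LOG, "id": 4624, "logon_type": 7, "user": "dave"},
    # PIN unlock: a Type 11 and a Type 7 4624, nothing in the biometrics log.
    {"time": "2025-02-08T10:15:00", "log": SECURITY_LOG, "id": 4624, "logon_type": 11, "user": "dave"},
    {"time": "2025-02-08T10:15:00", "log": SECURITY_LOG, "id": 4624, "logon_type": 7, "user": "dave"},
    # Fingerprint unlock: 1004 carries both user and sensor (SID is made up).
    {"time": "2025-02-08T13:30:10", "log": BIO_LOG, "id": 1004,
     "msg": "The Windows Biometric Service successfully identified LAB\\dave "
            "(S-1-5-21-1111111111-2222222222-3333333333-1001) using sensor: VeriMark DT "
            "Fingerprint Key (USB\\VID_047D&PID_00F2&MI_01\\7&163AA6B8&0&0001)."},
    {"time": "2025-02-08T13:30:11", "log": SECURITY_LOG, "id": 4624, "logon_type": 7, "user": "dave"},
]


def sensor_from_message(msg):
    """Return (sensor name, device instance path) from a 1019 or 1004 message."""
    m = SENSOR_RE.search(msg)
    return (m.group(1), m.group(2)) if m else (None, None)


def method_from_sensor(name):
    """Map a sensor name to the Windows Hello method it implements."""
    low = (name or "").lower()
    if "fingerprint" in low:
        return "fingerprint"
    if "face" in low or "facial" in low:
        return "face"
    return "biometric (sensor unknown)"


def classify_logons(records):
    """One row per console 4624, labelled with the Hello method that preceded it."""
    recs = sorted(records, key=lambda r: r["time"])   # ISO-8601 strings sort chronologically
    rows = []
    for rec in recs:
        if rec["log"] != SECURITY_LOG or rec["id"] != 4624 \
                or rec.get("logon_type") not in CONSOLE_LOGON_TYPES:
            continue
        t = datetime.fromisoformat(rec["time"])
        window = [r for r in recs if r["log"] == BIO_LOG
                  and t - LOOKBACK <= datetime.fromisoformat(r["time"]) <= t]
        identified = [r for r in window if r["id"] == 1004]
        authorized = [r for r in window if r["id"] == 1605]
        sensor_ops = [r for r in window if r["id"] == 1019]
        name = device = None
        if identified:                    # fingerprint path: one event carries everything
            name, device = sensor_from_message(identified[-1]["msg"])
            method = method_from_sensor(name)
        elif authorized:                  # face path: 1605 confirms, nearest 1019 names the sensor
            if sensor_ops:
                name, device = sensor_from_message(sensor_ops[-1]["msg"])
            method = method_from_sensor(name)
        else:                             # nothing biometric: PIN or password, logs cannot say which
            method = "PIN or password (no biometric event)"
        rows.append({"time": rec["time"], "user": rec["user"], "logon_type": rec["logon_type"],
                     "method": method, "sensor": name, "device": device})
    return rows


if __name__ == "__main__":
    for row in classify_logons(RECORDS):
        print(f'{row["time"]}  {row["user"]:<6} type {row["logon_type"]:<2} {row["method"]}'
              + (f'  [{row["sensor"]}]' if row["sensor"] else ""))
```

The PIN case produces two rows (Type 11 then Type 7) for one unlock, exactly as part 2 observed, and both carry the "no biometric event" label; only the biometric rows let you say which sensor was presented, and even then the caveat from part 3 stands, a spoofed sensor logs the same way.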

Stay tuned for the next part, where I’ll explore PIN-based logins and what they leave behind!


Also Read:

 Windows hello challenge part 4

 Windows hello challenge part 3

 Windows hello challenge part 2


Daily Blog #737: Sunday Funday 2/2/25


Hello Reader,

It's Sunday! This week's challenge is all about Windows Hello! There is always a discussion of who was actually in front of the computer and with Windows Hello there is a chance you can say it was actually a certain person if they were using one of the biometric features. Let's see what you can determine from the logs left behind.


The Prize:

$100 Amazon Giftcard


The Rules:

  1. You must post your answer before Friday 2/7/25 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post
  8. AI assistance is welcomed but if a post is deemed to be entirely AI written it will not qualify for a prize. 


The Challenge:

 Test and document what logs are left behind when using Windows Hello to log in to a Windows 10/11 system. This should include:

1. PIN Login

2. Fingerprint login (optional)

3. Facial Recognition login (preferred but optional)

Bonus points for determining where the data used for the authentication is stored.


Also Read:  Solution Saturday 2/1/25