- Feb 8, 2017
First post on here so apologies if I don't follow the norms...
After some research into the Windows 10 Cortana assistant, it seemed apparent that the two main databases to store user data associated with the application are:
• \Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\AppData\Indexed DB\IndexedDB.edb
• \Users\user_name\AppData\Local\Packages\Microsoft.Windows.Cortana_xxxx\LocalState\ESEDatabase_CortanaCoreInstance\CortanaCoreDb.dat
I have no issues accessing the '\...\IndexedDB\IndexedDB.edb' database, however I cannot access the '\ESEDatabase_CortanaCoreInstance\CortanaCoreDb.dat' file. I can get as far as the '\LocalState\' directory, however the '\ESEDatabase_CortanaCoreInstance\' directory does not exist. I have tried viewing hidden and system files, and also mounted the disk to a hex editor, however the directory is still not present.
In addition, I have tried searching the full file system for the 'CortanaCoreDB.dat' file, however no matching search results are returned.
I am running Windows 10 Home Version 1607 (OS Build 14393.693). I also installed the same build on two virtual machines using a .iso file downloaded from the Microsoft website. I am having the same 'issue' on my host machine and the two virtual machines. It is worth noting I have experienced no issues with the Cortana Assistant itself.
Is this database/directory not available on my build of Windows, or has the location of the data changed?
Cortana - ForensicsWiki
https://www.linkedin.com/pulse/windows-10-cortana-notification-center-forensics-brent-muir
https://www.syntricate.com/files/computer-forensics/WINDOWS 10 ARTIFACT LIST.pdf
Thanks for any help.
Ryan