The Windows 10 “Spring Creators Update” (RS4/1803) has brought a lot of changes from functionality and forensic artifact perspectives. I’ve been digging into them, starting with Cortana. A lot of existing Cortana knowledge in the forensic community no longer applies with RS4.
I’m going to use this post to continually update my findings.
NirSoft’s ESE Database Viewer is still the best program for viewing the EDB-format files found within Cortana’s folders.
- The structure and contents of the local user Cortana package folder have changed.
- CortanaCoreDb.dat is no longer a file on disk.
- Interesting lists of Apps and Settings synonyms exist. These may have existed in previous versions of Windows 10 but I hadn’t actually read them until now.
- IndexedDB.edb still exists and still seems to contain the same data laid out on the ForensicsWiki page.