“All Installed Apps” Artifact - Windows 10 Forensics

Windows Store applications are likely to become more relevant in digital forensic investigations. With new applications published every day, and recurring updates to an operating system that merges the tablet and PC worlds, Store applications have a growing chance of being present on your client’s system. In a world where mobile-style applications such as messaging apps and games are being brought to the desktop, knowing which applications have been installed on a system is very important.


Overview:

The major shift Microsoft is pressing on its users is the idea of mobility. Growing parts of the general Windows community are demanding devices that are faster, lighter and more mobile, and Microsoft is listening closely and trying to deliver all of this in its newer products.

Windows 8 introduced the idea of merging the worlds of tablets and personal computers. An app store was added to the operating system, putting a wide range of tools and options at a user’s fingertips. Much like the app stores on a tablet or mobile phone, the Windows 8 store offered plenty of high-quality applications for creators, business professionals and those who simply wanted to be entertained. This idea was refined further in Windows 10.

As the years progress, it is reasonable to assume that Microsoft will continue to improve, refine and push its merged OS onto consumers, so the devices investigators encounter will increasingly contain Windows Store applications. Just as it is helpful in certain scenarios to know which traditional applications a user has installed on his or her machine, it may be important for an investigator to know which Store applications have been installed. To do this, we will look at the file “StateRepository-Machine.srd”.


Analysis:

This file can be found under the path: C:\ProgramData\Microsoft\Windows\AppRepository\

If you are doing this analysis live, as I am here, you will first need to give your user account adequate permissions to read the files, since the AppRepository folder is not readable by an ordinary account. Because the database is in use on a running system, copy the .srd file (together with its -wal and -shm sidecar files, if present, so that uncheckpointed changes are not lost) to a working folder and analyse the copy rather than the live file.

[Screenshot: security permissions dialog for the AppRepository folder]


The machine State Repository keeps a record of every application currently installed on the machine. The file is an SQLite database containing numerous tables with a great deal of information about each application; our focus is on the table “Application”. The data can be viewed in any SQLite database viewer, though I prefer “DB Browser for SQLite”. Once the file is opened, you can export that table to a CSV file and examine it more conveniently in Excel.

Any time an application is installed from the Windows Store, it is reflected in this table straight away. Each row is assigned an “ApplicationID”, a “Package” number and a “DisplayName”. The following are some examples of how display names appear:

[Screenshot: sample DisplayName values from the Application table]

Every application currently installed on the system through the Windows Store is recorded in this file moments after it is successfully installed, including applications that have been installed but never launched. It is important to understand that the list does NOT only contain applications a user chose to install. Pre-installed system applications such as “Skype” and bundled games such as “Candy Crush” that are still installed appear here too, and the same goes for packages registered outside the Store (for example provisioned or sideloaded AppX packages), so the table reflects what is registered on the machine rather than what the user went to the Store for. Note also that a DisplayName may appear as an unresolved “ms-resource:…” string rather than a readable name; in that case the Package value is the more useful identifier.

Deleted applications no longer appear in this list, but they leave a trace in the ApplicationID sequence. IDs are assigned consecutively and a removed application’s number is not reassigned to a later row, so you can detect that Store applications have been deleted by looking for gaps in the numbering, as in the example below. Two caveats: a gap tells you only that a row was deleted, not when or why, and a deletion at the very end of the sequence leaves no later row to reveal a gap. The deleted row’s contents may still be recoverable from unallocated pages in the database file or from its write-ahead log, so carving the SQLite file is worth attempting when a gap matters to the case.

[Screenshot: Application table before the uninstall, with “Kodi” at ApplicationID 257]

[Screenshot: Application table after the uninstall, with ApplicationID 257 skipped]

As the screenshots show, an application with the DisplayName “Kodi” and ApplicationID 257 was once installed. In the first screenshot it sits between the “ms-resource..” entry and the “Instagram” entry. After uninstallation the row is gone and ApplicationID 257 is skipped. Again, it is not unusual for an application the user never touched to be installed or uninstalled by the system, so a missing ApplicationID does not necessarily mean the user deleted an application he or she had used.
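Here is the same analysis done in a script rather than by hand in DB Browser. This is an added example of my own and not code from the original post. It opens a copy of the database read-only, lists the rows of the Application table, reports interior gaps in the ApplicationID sequence, and additionally consults SQLite’s sqlite_sequence table, which exists only if the Application table was created with AUTOINCREMENT (an assumption to verify on your copy), to catch a deletion at the end of the sequence that leaves no interior gap. The column names ApplicationID, Package and DisplayName follow the labels used above and are assumed; confirm them with the query in the docstring. The built-in sample data is constructed to mirror the Kodi screenshots.

```python
"""Added example: enumerate the Application table of a copied
StateRepository-Machine.srd and flag gaps in the ApplicationID sequence.

Column names (ApplicationID, Package, DisplayName) follow the labels used in
the post and are an ASSUMPTION; confirm them against your copy with
  SELECT sql FROM sqlite_master WHERE name = 'Application';
"""
import sqlite3
import sys
from typing import Dict, List, Optional, Tuple

ID_COL, PKG_COL, NAME_COL = "ApplicationID", "Package", "DisplayName"  # assumed


def open_copy_readonly(path: str) -> sqlite3.Connection:
    """Open a working COPY of the .srd read-only.

    Copy the .srd together with its -wal and -shm sidecars (if present) into
    one directory first; mode=ro ensures the copy itself is never modified.
    """
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_applications(conn: sqlite3.Connection) -> List[Tuple[int, int, str]]:
    """Rows currently present, i.e. packages still registered on the machine."""
    sql = f"SELECT {ID_COL}, {PKG_COL}, {NAME_COL} FROM Application ORDER BY {ID_COL}"
    return [tuple(row) for row in conn.execute(sql)]


def find_id_gaps(ids: List[int]) -> List[int]:
    """IDs missing between the lowest and highest present ID. Each gap is a
    row that once existed and was deleted, by the user or by the system."""
    present = set(ids)
    if not present:
        return []
    lo, hi = min(present), max(present)
    return [i for i in range(lo, hi + 1) if i not in present]


def highest_id_ever_assigned(conn: sqlite3.Connection) -> Optional[int]:
    """If the table uses AUTOINCREMENT, sqlite_sequence records the highest ID
    ever handed out, which exposes deletions at the END of the sequence (those
    leave no interior gap). Returns None when the database does not track it."""
    has_seq = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'sqlite_sequence'"
    ).fetchone()
    if not has_seq:
        return None
    row = conn.execute(
        "SELECT seq FROM sqlite_sequence WHERE name = 'Application'"
    ).fetchone()
    return row[0] if row else None


def analyse(conn: sqlite3.Connection) -> Dict[str, list]:
    """Installed rows plus two lists of IDs that point at deleted rows."""
    apps = list_applications(conn)
    ids = [app_id for app_id, _, _ in apps]
    top = highest_id_ever_assigned(conn)
    trailing = list(range(max(ids) + 1, top + 1)) if ids and top and top > max(ids) else []
    return {"installed": apps, "gaps": find_id_gaps(ids), "trailing_gaps": trailing}


def build_constructed_sample() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the real file, mirroring the post's
    screenshots: Kodi held ID 257 and was then uninstalled. A second, later
    removal (ContosoApp) shows the end-of-sequence case."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE Application ({ID_COL} INTEGER PRIMARY KEY AUTOINCREMENT, "
        f"{PKG_COL} INTEGER, {NAME_COL} TEXT)"
    )
    rows = [
        (255, 9001, "Skype"),                 # pre-installed, never launched
        (256, 9002, "ms-resource:AppName"),   # unresolved resource string
        (257, 9003, "Kodi"),                  # user-installed, later removed
        (258, 9004, "Instagram"),
        (259, 9005, "Candy Crush Soda Saga"),
        (260, 9006, "ContosoApp"),            # newest row, later removed
    ]
    conn.executemany("INSERT INTO Application VALUES (?, ?, ?)", rows)
    conn.execute(f"DELETE FROM Application WHERE {NAME_COL} IN ('Kodi', 'ContosoApp')")
    conn.commit()
    return conn


if __name__ == "__main__":
    # Usage: python apprepo_gaps.py <copy-of-StateRepository-Machine.srd>
    # With no argument the constructed sample is analysed instead.
    db = open_copy_readonly(sys.argv[1]) if len(sys.argv) > 1 else build_constructed_sample()
    result = analyse(db)
    for app_id, pkg, name in result["installed"]:
        print(f"{app_id:>6}  {pkg:>8}  {name}")
    print("interior gaps (deleted rows):", result["gaps"])
    print("IDs issued after the last surviving row:", result["trailing_gaps"])
```

On the constructed sample the interior gap is 257 (Kodi) and the trailing gap is 260, which only the sqlite_sequence check reveals; on a real copy, treat both lists as leads to confirm with other artifacts, not as proof of user action.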

I am still working on uncovering the relationships between the tables and other similar files on the system. The questions I have yet to answer are whether the launch count of a Store application can be found, whether the user who triggered the installation can be identified, whether the time of install or launch can be found, and so on. There are plenty of areas I have begun looking into, so time will tell.

Conclusion:

There may be times when you would benefit from knowing which Windows Store applications were installed on your client’s machine. I believe this file will at least point you in the right direction for that information. It is important, however, to understand the limitations of this file’s data. Nevertheless, it is a step in the right direction towards finding out exactly what lives on the system in question. I will continue to research the related files and structures to uncover any further data that would help answer the questions this artifact leaves open. After all, who knows whether the user has installed a system-cleaner application or a messaging application from the Windows Store.
