Forensic Implications of Cortana Application in Windows 10

Bhupendra Singh and Upasna Singh

Abstract

Cortana is one of the new features introduced by Microsoft in its latest version of desktop operating systems, i.e., Windows 10. The feature is identified by the “Ask me anything” text box at the Start Menu and can be used for a number of tasks such as setting up reminders based on time, place, and person; searching for content on the local device or the web; sending emails and texts; and more. The feature keeps track of when and where reminders got finalized; as a result, evidentiary artifacts related to reminders are recorded in a back-end database. The forensic examination of Cortana has been largely unexplored in the literature as the platform is relatively new. This paper seeks to determine the databases created by Cortana, their format, and the type of information recorded in these databases. As a part of this paper, six custom Python scripts have been developed for decoding and exporting data to aid forensic investigators. Furthermore, several experiments are conducted to extract information related to reminders, such as the created and last updated timestamps of a reminder, the type of reminder, when a reminder got finalized, and where it got finalized. Finally, the forensic usefulness of information stored in a Cortana database is demonstrated in terms of a location timeline constructed over a period of time.

Keywords: Windows forensics · Cortana forensics · ESE database · Edge forensics

B. Singh · U. Singh
Department of Computer Science and Engineering, Defence Institute of Advanced Technology (DU), Pune, India
B. Singh e-mail: bhupendra_pcse14@diat.ac.in
U. Singh e-mail: upasnasingh@diat.ac.in

© Springer Nature Singapore Pte Ltd. 2019
P. K. Sa et al. (eds.), Recent Findings in Intelligent Computing Techniques, Advances in Intelligent Systems and Computing 707, https://doi.org/10.1007/978-981-10-8639-7_7