As part of the AXIOM 3.9 release, we’ve added a new Windows 10 artifact for examiners who want to quickly visualize what a user’s desktop looked like at the time of imaging. Update within AXIOM or download AXIOM 3.9 from the Customer Portal today!
Rebuilt Desktops is a new artifact that lets users view an approximation of what a given Windows user’s desktop looked like, including wallpapers, monitor configurations, and icon positioning, without having to virtualize the image. Many examiners, as part of their court preparation, virtualize images in an effort to show non-technical stakeholders the look and feel of someone’s Windows environment. While this is powerful when it comes to painting a clear picture of a suspect’s possible intent, virtualizing an image often requires additional software and time. The Rebuilt Desktops artifact aims to provide a visual reference without the need to virtualize the entire suspect machine.
AXIOM’s Rebuilt Desktops artifact programmatically reads specific registry keys and processes that data to replicate how the desktop looked on the live Windows machine for each user. This artifact has been designed to support investigations of Windows 10 systems.
What AXIOM Displays
The Details column offers both a visual preview of the user’s desktop and details about how the artifact was built. These details consist of:
- User Account – The account the desktop belonged to
- Wallpaper Path(s) – The location of the desktop background image
  - If the background is not a picture (e.g. a color), this will be blank
- Background – What the background display was (Color, Slideshow, or Picture)
- Desktop Icons – Icons, including programs, folders, and files, and their last known location on the desktop
- Display Configuration – Whether this was part of a single- or multi-monitor configuration
  - Multi-monitor means there are multiple hits, one per monitor
- Monitor ID – The hardware identifier of the monitor this was displayed on
- Hidden Files Present – Boolean value indicating whether any icons on the desktop were set to hidden
  - Hidden icons are drawn as translucent
- Sources – The location of each registry key or folder path we use to draw the Rebuilt Desktop
In keeping with the artifact-first approach Magnet Forensics has established, we hope the Desktop Recreation artifact will help expedite examiners’ investigations when they need a visual representation of how the user’s desktop appeared. While our engineers have done their due diligence in providing as accurate a look and feel as possible, it’s important to keep the following considerations in mind when referencing this artifact:
- Windows 10 support only.
- If there is no monitor configuration data, AXIOM defaults to a single monitor at 1920×1080 resolution.
- If there is no wallpaper data, AXIOM defaults to the Windows 10 default wallpaper. If the data is corrupted or cannot be recovered, AXIOM returns a black background.
- If there is no taskbar data, AXIOM defaults to a taskbar at the bottom with the Windows Start button, Cortana search box, Task View icon, clock, and notification tray icon.
- If there is no icon position data, AXIOM displays icons top-down, left-to-right, starting in the top-left corner.
- If AXIOM fails to extract an icon from an .exe, or from a .lnk that points to an executable, it uses the default application icon.
- The taskbar clock displays the time recorded in the monitor configuration. If that data isn’t available, AXIOM displays the time at which the scan was run.
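To make the registry-driven rebuild and the fallback rules above concrete, here is a small Python model of the process. It is an added example, not AXIOM’s code: the post does not name the registry keys AXIOM reads, so the `Control Panel\Desktop` and `Explorer\Wallpapers` locations, the `BackgroundType` value meanings, the icon grid spacing and the default-wallpaper placeholder are all my assumptions, and the registry values and desktop items are constructed sample data rather than anything recovered from a real image. It generalizes the icon rule slightly: icons whose positions were recovered keep them, and only the remaining icons are laid out top-down, left-to-right.

```python
"""Toy model of a desktop rebuild: registry values in, Details-column fields out."""
from dataclasses import dataclass
from typing import Optional

# Fallbacks named in the post. The resolution is the post's own default; the
# wallpaper value is a placeholder because the post gives no path for it.
DEFAULT_RESOLUTION = (1920, 1080)
DEFAULT_WALLPAPER = "<Windows 10 default wallpaper>"
ICON_CELL = (100, 100)  # assumed icon grid spacing in pixels, not an AXIOM value

# Well-known HKCU locations for desktop settings. The post does not name the
# keys AXIOM reads; these are the ones an examiner would check by hand.
WALLPAPER_KEY = r"Control Panel\Desktop"
BACKGROUND_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers"
# BackgroundType values as I understand them on Windows 10 (assumption).
BACKGROUND_TYPES = {0: "Picture", 1: "Color", 2: "Slideshow"}


@dataclass
class DesktopItem:
    """One icon on the desktop, already recovered from the icon-position data."""
    name: str
    position: Optional[tuple] = None  # (x, y) when position data was recovered
    hidden: bool = False


def resolve_monitor(monitor_cfg):
    """Return (width, height, monitor_id); no data -> single 1920x1080 monitor."""
    if not monitor_cfg:
        return DEFAULT_RESOLUTION + (None,)
    return (monitor_cfg["width"], monitor_cfg["height"], monitor_cfg.get("monitor_id"))


def resolve_background(registry):
    """Map recovered registry values to the Background and Wallpaper Path details."""
    bg_type = registry.get(BACKGROUND_KEY, {}).get("BackgroundType")
    wallpaper = registry.get(WALLPAPER_KEY, {}).get("Wallpaper")
    if bg_type is None:
        bg_type = 0  # no type recorded: treat as a picture background
    kind = BACKGROUND_TYPES.get(bg_type)
    if kind is None:
        # unrecognised value: data is corrupt or unrecoverable -> black background
        return {"background": "Black", "wallpaper": None}
    if kind == "Color":
        return {"background": kind, "wallpaper": None}  # no image path for a colour
    if kind == "Picture":
        return {"background": kind, "wallpaper": wallpaper or DEFAULT_WALLPAPER}
    return {"background": kind, "wallpaper": wallpaper}  # Slideshow: path if recovered


def layout_icons(items, resolution):
    """Keep recovered positions; items without one fill top-down, left-to-right."""
    _, height = resolution
    rows = max(1, height // ICON_CELL[1])  # icons per column before wrapping right
    placed, slot = [], 0
    for item in items:
        if item.position is not None:
            pos = item.position
        else:
            col, row = divmod(slot, rows)
            pos = (col * ICON_CELL[0], row * ICON_CELL[1])
            slot += 1
        placed.append({"name": item.name, "position": pos, "hidden": item.hidden,
                       "opacity": 0.5 if item.hidden else 1.0})  # hidden drawn translucent
    return placed


def rebuild_desktops(user, registry, items, monitor_cfgs=None):
    """One result ("hit") per monitor; no monitor data -> one default monitor."""
    cfgs = monitor_cfgs or [None]
    results = []
    for cfg in cfgs:
        width, height, monitor_id = resolve_monitor(cfg)
        results.append({
            "user_account": user,
            "display_configuration": "Multi-monitor" if len(cfgs) > 1 else "Single monitor",
            "monitor_id": monitor_id,
            "resolution": (width, height),
            **resolve_background(registry),
            "hidden_files_present": any(i.hidden for i in items),
            "icons": layout_icons(items, (width, height)),
            "sources": [WALLPAPER_KEY, BACKGROUND_KEY],
        })
    return results


# Constructed sample data, not values from a real image.
SAMPLE_REGISTRY = {
    WALLPAPER_KEY: {"Wallpaper": r"C:\Users\alice\Pictures\beach.jpg"},
    BACKGROUND_KEY: {"BackgroundType": 0},
}
SAMPLE_ITEMS = [
    DesktopItem("Recycle Bin", position=(20, 20)),
    DesktopItem("report.docx"),              # no position data: auto-placed
    DesktopItem("notes.txt", hidden=True),   # hidden: auto-placed, translucent
]

if __name__ == "__main__":
    for hit in rebuild_desktops("alice", SAMPLE_REGISTRY, SAMPLE_ITEMS):
        print(hit)
```

Each dictionary returned mirrors one row of the Details column, which makes it easy to compare a rebuild against what the examiner sees when the same hive is opened in a registry viewer.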
If you haven’t tried AXIOM yet, request a free 30-day trial here. If there are additional artifacts you’d like to see supported in AXIOM, or if you have any questions, please don’t hesitate to reach out to me at firstname.lastname@example.org.