Research area: Analysis
Conference: International Conference on Availability, Reliability and Security
This paper presents a digital forensic methodology for investigating application access to sensitive hardware resources through the Windows 11 Capability Access Manager (CAM) service. CAM keeps detailed records of requests and accesses by applications to devices and services such as the microphone, camera, and location, as well as to operations such as screen capture and contacts access. Data kept by CAM can provide timeline information to investigators in privacy-related cases. We analyze the structure, location, and evidentiary value of CAM artifacts in Windows 11 versions 23H2 and 24H2, documenting the registry keys and database entries that record hardware access permissions, timestamps, and identifiers for accounts (security identifiers, SIDs) and applications. Our research demonstrates how these artifacts can establish application behavior patterns and provide an additional path to detect the execution of applications and their access to privacy-sensitive devices and services. Additionally, we introduce WLEAPP-CAM, a module for the WLEAPP (Windows Logs Events And Properties Parser) forensic software. This module streamlines the examination of the CAM SQLite 3 database, enabling investigators to filter, interpret, and export the most pertinent evidence. Tests performed on Windows 11 versions 23H2 and 24H2 confirm the reliability of CAM artifacts for forensic purposes, with two limitations: the 30-day retention window, and the fact that only applications that actually request access to CAM-managed resources and services leave a record.
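The abstract describes CAM's registry artifacts in terms of what they record (capability, application identity, timestamps) without spelling out the layout, so the following added example shows how an investigator turns those records into a per-application access timeline. This is not the paper's code nor part of WLEAPP-CAM. It assumes the ConsentStore key structure and the FILETIME-encoded `LastUsedTimeStart` / `LastUsedTimeStop` values as documented by the Windows forensics community; the sample rows are constructed, not taken from a real hive.

```python
r"""Per-application device-access timeline from CAM ConsentStore registry data.

Added example, not code from the paper or from WLEAPP-CAM. It assumes the layout
documented by the Windows forensics community (not stated on this page):

  HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\
      <capability>\<PackageFamilyName>                          packaged (Store) apps
      <capability>\NonPackaged\<exe path, '\' encoded as '#'>   classic Win32 apps

Each leaf key carries QWORD values LastUsedTimeStart / LastUsedTimeStop as FILETIME
(100 ns ticks since 1601-01-01 UTC). A zero LastUsedTimeStop means no stop was recorded.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# FILETIME value at the Unix epoch (1970-01-01T00:00:00Z), a well-known constant.
FILETIME_UNIX_EPOCH = 116_444_736_000_000_000
CONSENT_STORE = (r"Software\Microsoft\Windows\CurrentVersion"
                 r"\CapabilityAccessManager\ConsentStore")


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a 64-bit FILETIME to an aware UTC datetime; 0 means 'not recorded'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


@dataclass
class CamAccess:
    capability: str            # e.g. microphone, webcam, location
    app: str                   # package family name or decoded executable path
    packaged: bool             # False for NonPackaged (Win32) entries
    start: Optional[datetime]
    stop: Optional[datetime]

    @property
    def duration(self) -> Optional[timedelta]:
        """Length of the recorded access, or None when start or stop is missing."""
        if self.start is None or self.stop is None:
            return None
        return self.stop - self.start


def parse_consent_store_key(key_path: str, start_ft: int, stop_ft: int) -> CamAccess:
    r"""Split a ConsentStore leaf key into capability and application identity.

    NonPackaged keys store the executable path with every backslash replaced by '#',
    so 'C:#Program Files#Example#meet.exe' decodes to 'C:\Program Files\Example\meet.exe'.
    """
    prefix = CONSENT_STORE + "\\"
    if not key_path.startswith(prefix):
        raise ValueError(f"not a ConsentStore key: {key_path}")
    parts = key_path[len(prefix):].split("\\")
    start, stop = filetime_to_datetime(start_ft), filetime_to_datetime(stop_ft)
    if len(parts) == 3 and parts[1] == "NonPackaged":
        return CamAccess(parts[0], parts[2].replace("#", "\\"), False, start, stop)
    if len(parts) == 2:
        return CamAccess(parts[0], parts[1], True, start, stop)
    raise ValueError(f"unexpected ConsentStore key depth: {key_path}")


def build_timeline(entries: Iterable[tuple[str, int, int]]) -> list[CamAccess]:
    """Parse (key_path, LastUsedTimeStart, LastUsedTimeStop) rows into a start-ordered timeline.

    A key with a zero LastUsedTimeStart only proves a permission entry exists, not an
    access, so it is dropped; a key with a start but zero stop is kept with stop=None.
    """
    accesses = [parse_consent_store_key(*row) for row in entries]
    return sorted((a for a in accesses if a.start is not None), key=lambda a: a.start)


# Constructed sample rows standing in for values read from an NTUSER.DAT hive.
# Starts are expressed relative to the Unix epoch so the arithmetic is checkable:
# 1e9 s after 1970-01-01 is 2001-09-09T01:46:40Z.
_T0 = FILETIME_UNIX_EPOCH + 1_000_000_000 * 10_000_000
SAMPLE_ENTRIES = [
    (CONSENT_STORE + r"\microphone\NonPackaged\C:#Program Files#Example#meet.exe",
     _T0, _T0 + 60 * 10_000_000),                  # 60 s access, stop recorded
    (CONSENT_STORE + r"\webcam\Microsoft.WindowsCamera_8wekyb3d8bbwe",
     _T0 + 600 * 10_000_000, 0),                   # started 10 min later, no stop
    (CONSENT_STORE + r"\location\NonPackaged\C:#Tools#maps.exe",
     0, 0),                                        # permission entry, never used
]

if __name__ == "__main__":
    for a in build_timeline(SAMPLE_ENTRIES):
        stop = a.stop.isoformat() if a.stop else "open"
        print(f"{a.start.isoformat()}  {a.capability:<10} {a.app}  stop={stop}")
```

Two practical caveats follow from the abstract's own limitations: an entry with a start but no stop is ambiguous (the access may have been in progress at capture, or the stop may simply never have been written), and an application that never requested a CAM-managed capability produces no key at all, so absence of an entry is not evidence of non-execution.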
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Publication country | Germany, Andorra |
| Site | Springer |
| Likes | 0 |