科技回声 (Tech Echo): a tech news platform built on Next.js that mirrors global tech news and discussion, sourced from the Hacker News API.

Forensic analysis of the Windows telemetry for diagnostics

104 points, by cx0der, about 5 years ago

5 comments

4cao, about 5 years ago

Telemetry data is stored in: "%ProgramData%\Microsoft\Diagnosis\Events_*.rbs"

The paper describes the format of these files, and what data can be obtained from them, including a comparison with other sources of similar information.

Recorded data includes: (1) Windows version, registration details, installed and uninstalled programs; (2) hardware devices with serial numbers; (3) process execution data (at Enhanced or Full levels only; the data might not include processes that only ran briefly); (4) partition table and boot timestamps (when the system was powered on and off).

In the analyzed examples the data was available for roughly the past three months.

Comment #22472292 not loaded
shakna, about 5 years ago

> Since PII have not found so far and Microsoft stated privacy principles with no personal content

I'm going to have to disagree with the authors of the paper, here.

Whilst the information they've found may not appear to be PII at first, it is very far from anonymous.

It has everything required for active fingerprinting of individual devices - namely, the UIDs of the hardware of the computer. Things that don't regularly change, and things that may show habits.

Combining this dataset with another is all it would take to break from pseudo-anonymous to known individuals. However, enough information is there to uniquely fingerprint most users.

Comment #22472516 not loaded
jlgaddis, about 5 years ago

RBS file parsers (Python) the authors wrote, along with the sample telemetry data files used in the study: https://github.com/JaehyeokHan/Windows-Telemetry
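The following is an added example, written for this page; it is not code from the paper, from the authors' parser repository linked above, or from any commenter. It turns the two comments above into a triage script: it locates the Events_*.rbs files at the path 4cao gives, hashes and timestamps them for acquisition, reports which of the four artifact categories 4cao lists an examiner should expect at a given telemetry level (process execution only at Enhanced or Full), and carves printable strings from the files. The RBS layout itself is not parsed here; use the authors' parsers for that. Two things are my own assumptions rather than anything the thread states: the AllowTelemetry DWORD under HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection (0 = Security, 1 = Basic, 2 = Enhanced, 3 = Full) is used as the level indicator, and the sample file names and bytes in SAMPLE_FILES are constructed for the demo and do not reflect real telemetry content.

```python
"""Forensic triage of the Windows telemetry store discussed in the thread.

Added example, not the paper's or the linked repository's code.
From the thread: the store is %ProgramData%\\Microsoft\\Diagnosis\\Events_*.rbs
and process-execution records exist only at the Enhanced or Full levels.
Assumptions of my own: AllowTelemetry (0..3) under the DataCollection policy
key is the level indicator, and strings are carved because the RBS layout is
not reproduced here.
"""
import hashlib
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

LEVELS = {0: "Security", 1: "Basic", 2: "Enhanced", 3: "Full"}

# The categories 4cao lists; category (3) appears only at Enhanced/Full.
ALWAYS = [
    "Windows version, registration details, installed/uninstalled programs",
    "hardware devices with serial numbers",
    "partition table and boot/shutdown timestamps",
]
ENHANCED_ONLY = ["process execution data (short-lived processes may be missing)"]


def expected_artifacts(level):
    """Artifact categories an examiner should expect at a given telemetry level."""
    if level not in LEVELS:
        raise ValueError(f"unknown AllowTelemetry level {level!r}")
    return ALWAYS + (ENHANCED_ONLY if level >= 2 else [])


def read_allow_telemetry():
    """Effective AllowTelemetry DWORD on a live Windows host, else None.

    Returning None (key absent, or not running on Windows) lets the rest of
    the triage still run against an acquired copy of the store.
    """
    try:
        import winreg
    except ImportError:
        return None
    # The policy key takes precedence over the per-machine setting.
    for subkey in (
        r"SOFTWARE\Policies\Microsoft\Windows\DataCollection",
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection",
    ):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                value, _ = winreg.QueryValueEx(key, "AllowTelemetry")
                return int(value)
        except OSError:
            continue
    return None


def find_rbs_files(diag_dir):
    """Events_*.rbs files under the Diagnosis directory, in stable name order."""
    return sorted(p for p in Path(diag_dir).glob("Events_*.rbs") if p.is_file())


def carve_strings(data, min_len=6):
    """Printable UTF-16LE and ASCII runs of at least min_len characters, sorted."""
    utf16 = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_ = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found = {m.group().decode("utf-16-le") for m in utf16.finditer(data)}
    found |= {m.group().decode("ascii") for m in ascii_.finditer(data)}
    return sorted(found)


def inventory(diag_dir, min_len=6):
    """Hash, timestamp and string-carve every file in the telemetry store."""
    records = []
    for path in find_rbs_files(diag_dir):
        data = path.read_bytes()
        mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
        records.append({
            "file": path.name,
            "size": len(data),
            "mtime_utc": mtime.isoformat(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "strings": carve_strings(data, min_len),
        })
    return records


# Constructed sample blobs standing in for .rbs content. Names and bytes are
# invented for the demo and do not reflect the real RBS layout.
SAMPLE_FILES = {
    "Events_A.rbs": (b"\x00\x01\x02" + "DeviceSerial=SN1234567".encode("utf-16-le")
                     + b"\x00\x00\xff" + "Explorer.exe".encode("utf-16-le")),
    "Events_B.rbs": (b"\x7f\x00" + b"BootTimestamp=2020-03-01T08:15:00Z"
                     + b"\x00\x00" + "C:\\Users\\alice".encode("utf-16-le")),
}


def demo():
    """Run the triage against a temporary directory seeded with SAMPLE_FILES."""
    with tempfile.TemporaryDirectory() as tmp:
        diag = Path(tmp) / "Microsoft" / "Diagnosis"
        diag.mkdir(parents=True)
        for name, blob in SAMPLE_FILES.items():
            (diag / name).write_bytes(blob)
        (diag / "unrelated.log").write_bytes(b"not a telemetry store")  # must be skipped
        return inventory(diag)


if __name__ == "__main__":
    level = read_allow_telemetry()
    print("AllowTelemetry:", level, LEVELS.get(level, "unknown / not Windows"))
    for rec in demo():
        print(rec["file"], rec["size"], rec["sha256"][:16], rec["strings"])
```

On a live host, point `inventory()` at `Path(os.environ["ProgramData"]) / "Microsoft" / "Diagnosis"` instead of the demo directory; hashing before anything else is what lets a later RBS-level parse be tied back to the acquired bytes.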
badrabbit, about 5 years ago

Excellent paper.

I have questions:

1) Is turning off telemetry (opt-out) effective against this?
2) How will this be different between licenses? I would be very interested to see what is collected when you have something like an E5 license and have Defender ATP and AIP turned on (I don't have that currently). I recall it sends a ton of data (>2000k DNS requests/hour for an active user just for new connections to MS); perhaps some of that is left on disk? Would file classification with AIP (e.g. a new document/email is created) be logged? Is it fair to assume the Win10 they tested with is not for enterprise?

Comment #22472464 not loaded
hkai, about 5 years ago

I was hoping to find out if it collects keystrokes, but the authors seem not to mention it.

Comment #22472189 not loaded