1 / 12

Windows 8 Forensics

Windows 8 Forensics. By: Daniel Kudrick. Windows 8. Released on October 26 th , 2012 Developers addition September 13 th , 2011 Includes a metro interface Now called modern style interface. Importance for Forensic Experts. Widely used operating system

vmaldonado
Download Presentation

Windows 8 Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Windows 8 Forensics By: Daniel Kudrick

  2. Windows 8 • Released on October 26th, 2012 • Developers addition September 13th, 2011 • Includes a metro interface • Now called modern style interface

  3. Importance for Forensic Experts • Widely used operating system • Over 40 million copies of Windows 8 were sold in the first month • Differences between Windows 7 and Windows 8

  4. Metro Interface • All applications have their own registry file • Microsoft wanted the applications to be immersive • Immersive- current application opened acts as the operating system • Provides a faster operating system • Some data associated with the metro interface is stored in plain text

  5. Internet Explorer • Split up into two different locations • Immersive IE • Desktop IE • In order to find all Internet Explorer artifacts you must locate both files • Immersive location: • %root%\users\%user%\AppData\Local\Microsoft\InternetExplorer\Recovery\Immersive\Active • Desktop IE location: • %root%\users\%user%\AppData\Local\Microsoft\InternetExplorer\Recovery\Active

  6. Communication Application • Application built into Windows 8 that allows the user to interact with another person • Facebook • Twitter • Email - gmail, outlook, hotmail • LinkedIn

  7. Communications Application • As the user posts, the messages get cached • Makes the applications run faster • Location of cache and cookies • %root%\Users\%user%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCache • %root%\Users\%user%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCookies • Various files on Windows 8 are hidden

  8. Communication Application • Links between a “friend” and their picture • An identification number is associated with the user to connect the user and their picture • This can help forensicators easily create a timeline between the different social networks • User’s contact • C:\Users\daniel\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\1e05af9fc51a317a\120712-0049\UserTiles • User’s contact tile • C:\Users\daniel\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\1e05af9fc51a317a\120712-0049\LogFiles\

  9. Registry • Previous registry files are still present • Security • Software • System • Sam • Ntuser.dat

  10. Registry • Differences in traditional registry files • Software • Metro applications installed on the system • User accounts that installed metro applications • Sam • Internet username • User Tiles • Ntuser.dat • TypeURLsTime

  11. New Registry Files • Early Launch Anit-Malware (ELAM) • Allows drivers to be scanned for malware before drivers are loaded • Anti-Malware activity will be logged here (including Windows Defender) • Browser-Based Interface • Contains immersive internet explorer browser data • Settings.dat • Contains roaming and local settings for the applications

  12. File system • NTFS • Same as Windows 7 • Windows 8 • Stores data in different locations then Windows 7 • Reason for doing this is because of the new file system(Resilient File System) implemented in Windows server 2012

More Related