Windows 8 forensics

Presentation Transcript


Windows 8 Forensics

By: Daniel Kudrick


Windows 8

  • Released on October 26th, 2012

    • Developer Preview released September 13th, 2011

  • Includes the Metro interface

    • Since renamed the Modern (Modern style) UI; the full-screen apps written for it are also called immersive apps


Importance for Forensic Experts

  • Widely used operating system

    • Microsoft reported over 40 million Windows 8 licenses sold in the first month

  • Artifact locations differ between Windows 7 and Windows 8, so a Windows 7 checklist will miss evidence


Metro Interface

  • Each Modern (Metro) application has its own registry hive: a settings.dat file under the app's package folder, rather than keys in NTUSER.DAT

  • Microsoft wanted the applications to be immersive

    • Immersive: the open application runs full screen and takes over the display, so it looks like the operating system itself

    • Intended to make the system feel faster

    • Some data associated with the Metro interface is stored in plain text


Internet Explorer

  • Artifacts are split across two locations

    • Immersive (Modern UI) IE

    • Desktop IE

  • To find all Internet Explorer artifacts you must examine both locations

    • Immersive location:

      • %root%\Users\%user%\AppData\Local\Microsoft\Internet Explorer\Recovery\Immersive\Active

    • Desktop IE location:

      • %root%\Users\%user%\AppData\Local\Microsoft\Internet Explorer\Recovery\Active

    • Both Active folders hold tab-recovery (RecoveryStore) files for sessions that were open; the shared history, cache and cookie index for IE10 is the ESE database WebCacheV01.dat under %root%\Users\%user%\AppData\Local\Microsoft\Windows\WebCache


Communication Application

  • Built-in Windows 8 app package (Mail, People, Calendar and Messaging; package name microsoft.windowscommunicationsapps) that aggregates the user's accounts so the user can interact with other people

    • Facebook

    • Twitter

    • Email - Gmail, Outlook, Hotmail

    • LinkedIn


Communications Application

  • As the user posts, the messages and downloaded content get cached

    • Makes the applications run faster

  • Location of cache and cookies (the app's AppContainer storage under its package folder)

    • %root%\Users\%user%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCache

    • %root%\Users\%user%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCookies

  • Several of these folders (AppData and the package's AC folder) are hidden, so show hidden and system files or work from the image rather than the live Explorer view


Communication Application

  • Links between a "friend" and their picture

    • An identification number is associated with each contact to link the contact to their picture

      • This can help examiners build a timeline across the different social networks

    • Contact user tiles (contact pictures)

      • C:\Users\daniel\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\1e05af9fc51a317a\120712-0049\UserTiles

    • Contact log files for the same account

      • C:\Users\daniel\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\1e05af9fc51a317a\120712-0049\LogFiles\


Registry

  • The traditional registry hives are still present

    • SECURITY

    • SOFTWARE

    • SYSTEM

    • SAM

    • NTUSER.DAT


Registry

  • Differences in the traditional hives

    • SOFTWARE

      • Metro applications installed on the system

      • User accounts that installed Metro applications

    • SAM

      • Internet (Microsoft account) username, stored per user as the InternetUserName value

      • User tiles (account pictures)

    • NTUSER.DAT

      • TypedURLsTime (new with IE10): a FILETIME for each entry in TypedURLs, under Software\Microsoft\Internet Explorer\TypedURLsTime
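The TypedURLsTime values are REG_BINARY FILETIMEs that pair one-to-one with the url1, url2, ... entries in TypedURLs. The script below is an added example, not code from the presentation: it decodes the FILETIMEs and joins them to the URLs so each typed address gets a UTC timestamp. The two key names are the real ones; the value dictionaries are constructed sample data standing in for an export from NTUSER.DAT, and reading the hive file itself is left to a hive parser.

```python
"""Pair IE10 TypedURLs entries with their TypedURLsTime FILETIME stamps.

Example code added to illustrate the NTUSER.DAT artifact on this slide; not
from the original presentation.  The registry keys are real
(HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs and \\TypedURLsTime);
the SAMPLE_* dictionaries are constructed data, not an export from any system."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# FILETIME: 64-bit little-endian count of 100 ns intervals since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> Optional[datetime]:
    """Decode an 8-byte REG_BINARY FILETIME.  An all-zero value is reported
    as None rather than as 1601-01-01, since it carries no usable time."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)
    if ticks == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> bytes:
    """Inverse of filetime_to_datetime (aware datetime in); used to build the sample."""
    ticks = ((when - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return struct.pack("<Q", ticks)


def _entry_index(name: str) -> int:
    # Values are named url1, url2, ... ; sort numerically so url10 does not
    # sort between url1 and url2.  Anything else gets -1 and is skipped.
    return int(name[3:]) if name.startswith("url") and name[3:].isdigit() else -1


def pair_typed_urls(typed_urls: Dict[str, str],
                    typed_urls_time: Dict[str, bytes]) -> List[Tuple[int, str, Optional[datetime]]]:
    """Return (index, url, last_typed_utc) sorted by index.  url1 is the most
    recently typed entry.  A URL with no matching TypedURLsTime value (profile
    upgraded from an older IE, or partial clearing) is kept with None rather
    than dropped, so the MRU list stays complete."""
    rows = []
    for name, url in typed_urls.items():
        idx = _entry_index(name)
        if idx < 0:
            continue
        raw = typed_urls_time.get(name)
        rows.append((idx, url, filetime_to_datetime(raw) if raw else None))
    return sorted(rows, key=lambda r: r[0])


def _utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample: what a hive parser would hand back for the two keys.
SAMPLE_TYPED_URLS: Dict[str, str] = {
    "url1": "http://www.example.com/",
    "url2": "http://intranet/login",
    "url3": "ftp://files.example.net/",
    "url10": "http://old.example.org/",
}
SAMPLE_TYPED_URLS_TIME: Dict[str, bytes] = {
    "url1": datetime_to_filetime(_utc(2012, 12, 7, 0, 49, 0)),
    "url2": datetime_to_filetime(_utc(2012, 12, 6, 22, 15, 30)),
    "url3": b"\x00" * 8,            # value present but zero
    # url10 deliberately has no TypedURLsTime value
}


def sample_report() -> List[Tuple[int, str, Optional[datetime]]]:
    return pair_typed_urls(SAMPLE_TYPED_URLS, SAMPLE_TYPED_URLS_TIME)


if __name__ == "__main__":
    for idx, url, when in sample_report():
        stamp = when.isoformat() if when else "no timestamp"
        print(f"url{idx:<3} {stamp:25} {url}")
```

Timestamps are kept in UTC; converting to the machine's local zone is a separate step that needs the TimeZoneInformation key from the SYSTEM hive.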


New Registry Files

  • Early Launch Anti-Malware (ELAM)

    • Lets a signed anti-malware driver load first and classify boot-start drivers before they are loaded

    • Anti-malware driver data (Windows Defender included) is recorded in the new ELAM hive at %root%\Windows\System32\config\ELAM

  • BBI (Browser-Based Interface)

    • Contains immersive Internet Explorer browser data

  • settings.dat

    • One per Modern app, at %root%\Users\%user%\AppData\Local\Packages\<package>\Settings\settings.dat; contains the app's roaming and local settings
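The locations on the Internet Explorer, Communication Application and registry slides above make a natural triage list for a mounted image. The script below is an added example, not code from the presentation: given an image root it enumerates every profile under Users and reports which of those artifacts exist, keeping empty entries so the report also shows what was checked and absent. The fixed paths are the slides' own (with the real "Internet Explorer" folder name); the per-package settings.dat glob and the LiveComm UserTiles glob are assumptions built from the folder names the slides show, and build_sample_image() writes a constructed tree so it runs offline.

```python
"""Triage collector for the Windows 8 artifact locations on the slides above,
run against a mounted image root (for example /mnt/evidence).

Example code added for illustration; not part of the original presentation.
Fixed paths are the slides' own; the settings.dat and UserTiles globs are
assumptions from the folder names shown; build_sample_image() is constructed."""
import tempfile
from pathlib import Path
from typing import Dict, List

COMMS_PKG = "microsoft.windowscommunicationsapps_8wekyb3d8bbwe"

# Glob patterns relative to <root>/Users/<user>.  Globs rather than fixed
# paths so any number of app packages and LiveComm account folders are found.
USER_ARTIFACTS: Dict[str, str] = {
    "ie_desktop_recovery":   "AppData/Local/Microsoft/Internet Explorer/Recovery/Active/*",
    "ie_immersive_recovery": "AppData/Local/Microsoft/Internet Explorer/Recovery/Immersive/Active/*",
    "comms_inetcache":       f"AppData/Local/Packages/{COMMS_PKG}/AC/INetCache/**/*",
    "comms_inetcookies":     f"AppData/Local/Packages/{COMMS_PKG}/AC/INetCookies/**/*",
    "comms_user_tiles":      f"AppData/Local/Packages/{COMMS_PKG}/LocalState/LiveComm/*/*/UserTiles/*",
    "app_settings_hives":    "AppData/Local/Packages/*/Settings/settings.dat",   # assumption
    "ntuser_hive":           "NTUSER.DAT",
}

# System hives relative to <root>: the traditional set plus the new ELAM hive.
SYSTEM_ARTIFACTS: Dict[str, str] = {
    "elam_hive":     "Windows/System32/config/ELAM",
    "sam_hive":      "Windows/System32/config/SAM",
    "security_hive": "Windows/System32/config/SECURITY",
    "software_hive": "Windows/System32/config/SOFTWARE",
    "system_hive":   "Windows/System32/config/SYSTEM",
}


def _find(base: Path, pattern: str) -> List[str]:
    """Files matching pattern under base, as sorted POSIX-style relative paths.
    NTFS is case-insensitive but a Linux mount usually is not, so an image
    whose folder names differ in case needs the patterns adjusted."""
    return sorted(p.relative_to(base).as_posix() for p in base.glob(pattern) if p.is_file())


def triage(root: Path) -> Dict[str, Dict[str, List[str]]]:
    """Map "<system>" and each "Users/<name>" profile to {artifact: [files]}.
    Empty lists are kept so the report shows what was looked for and absent."""
    report = {"<system>": {name: _find(root, pat) for name, pat in SYSTEM_ARTIFACTS.items()}}
    users = root / "Users"
    if users.is_dir():
        for profile in sorted(p for p in users.iterdir() if p.is_dir()):
            report[f"Users/{profile.name}"] = {name: _find(profile, pat)
                                               for name, pat in USER_ARTIFACTS.items()}
    return report


def build_sample_image() -> Path:
    """Constructed image tree in a temp directory (sample data, not from any
    real system): one populated profile ('daniel', as on the slides) and an
    empty 'Public' profile to show how absent artifacts are reported."""
    root = Path(tempfile.mkdtemp(prefix="win8img_"))
    daniel = root / "Users" / "daniel"
    files = [
        daniel / "NTUSER.DAT",
        daniel / "AppData/Local/Microsoft/Internet Explorer/Recovery/Active/RecoveryStore.desktop.dat",
        daniel / "AppData/Local/Microsoft/Internet Explorer/Recovery/Immersive/Active/RecoveryStore.immersive.dat",
        daniel / f"AppData/Local/Packages/{COMMS_PKG}/AC/INetCache/AB12CD34/avatar.jpg",
        daniel / f"AppData/Local/Packages/{COMMS_PKG}/AC/INetCookies/facebook_cookie.txt",
        daniel / f"AppData/Local/Packages/{COMMS_PKG}/LocalState/LiveComm/1e05af9fc51a317a/120712-0049/UserTiles/tile1.jpg",
        daniel / f"AppData/Local/Packages/{COMMS_PKG}/Settings/settings.dat",
    ] + [root / pat for pat in SYSTEM_ARTIFACTS.values()]
    for f in files:
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"sample")
    (root / "Users" / "Public").mkdir(parents=True)
    return root


if __name__ == "__main__":
    for scope, found in triage(build_sample_image()).items():
        for name, paths in found.items():
            print(f"{scope:14} {name:22} {len(paths)} file(s)")
            for p in paths:
                print(f"{'':38} {p}")
```

Point triage() at the real mount instead of build_sample_image() to run it on evidence; the report only lists paths, so hashing and copying the hits into the case folder is the next step.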


File system

  • NTFS

    • Same as Windows 7

  • Windows 8

    • Stores data in different locations than Windows 7

    • The slides attribute this to the new Resilient File System (ReFS) introduced with Windows Server 2012; note that ReFS is a Server 2012 data-volume file system and the Windows 8 client still boots from NTFS, so the moved locations come from the new per-package AppContainer layout (Packages\<package>) rather than from the file system


  • Login