Windows 8 Forensics - PowerPoint PPT Presentation


PowerPoint Slideshow about 'Windows 8 Forensics' - wynn


Presentation Transcript

Windows 8 Forensics

By: Daniel Kudrick

Windows 8
  • Released on October 26th, 2012
    • Developer edition released September 13th, 2011
  • Includes a metro interface
    • Now called modern style interface
Importance for Forensic Experts
  • Widely used operating system
    • Over 40 million copies of Windows 8 were sold in the first month
  • Differences between Windows 7 and Windows 8
Metro Interface
  • All applications have their own registry file
  • Microsoft wanted the applications to be immersive
    • Immersive: the currently open application acts as the operating system
    • Provides a faster operating system
    • Some data associated with the metro interface is stored in plain text
Internet Explorer
  • Split up into two different locations
    • Immersive IE
    • Desktop IE
  • To find all Internet Explorer artifacts you must examine both locations
    • Immersive location:
      • %root%\users\%user%\AppData\Local\Microsoft\InternetExplorer\Recovery\Immersive\Active
    • Desktop IE location:
      • %root%\users\%user%\AppData\Local\Microsoft\InternetExplorer\Recovery\Active
Communication Application
  • Application built into Windows 8 that allows the user to interact with another person
    • Facebook
    • Twitter
    • Email (Gmail, Outlook, Hotmail)
    • LinkedIn
Communications Application
  • As the user posts, the messages get cached
    • Makes the applications run faster
  • Location of cache and cookies
    • %root%\Users\%user%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCache
    • %root%\Users\%user%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCookies
  • Various files on Windows 8 are hidden
Communication Application
  • Links between a “friend” and their picture
    • An identification number is associated with the user to connect the user and their picture
      • This can help forensicators easily create a timeline between the different social networks
    • User’s contact
      • C:\Users\daniel\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\1e05af9fc51a317a\120712-0049\UserTiles
    • User’s contact tile
      • C:\Users\daniel\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\1e05af9fc51a317a\120712-0049\LogFiles\
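As an added example (not part of the presentation), the script below resolves the %root% and %user% placeholders in the Internet Explorer and Communications App artifact paths from the slides above for every profile under a mounted volume's Users folder, and reports which artifact directories actually exist. The sample volume tree it builds is constructed for demonstration only; the profile name "alice" is invented, while "daniel" and the LiveComm folder names come from the slides.

```python
import glob
import os
import tempfile

# Artifact directories from the slides, relative to a user profile (%root%\Users\%user%).
# LiveComm account and session folder names vary per machine, hence the globs.
ARTIFACTS = {
    "ie_immersive": r"AppData\Local\Microsoft\InternetExplorer\Recovery\Immersive\Active",
    "ie_desktop": r"AppData\Local\Microsoft\InternetExplorer\Recovery\Active",
    "comms_cache": r"AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCache",
    "comms_cookies": r"AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCookies",
    "comms_user_tiles": r"AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\*\*\UserTiles",
    "comms_logs": r"AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\*\*\LogFiles",
}

def profile_dirs(root):
    """Return (username, profile_path) pairs for real profiles under <root>/Users."""
    users_dir = os.path.join(root, "Users")
    skip = {"public", "default", "default user", "all users"}  # not interactive profiles
    if not os.path.isdir(users_dir):
        return []
    return [(n, os.path.join(users_dir, n)) for n in sorted(os.listdir(users_dir))
            if os.path.isdir(os.path.join(users_dir, n)) and n.lower() not in skip]

def find_artifacts(root):
    """Map each user to the artifact keys whose directory exists, with resolved paths."""
    found = {}
    for user, profile in profile_dirs(root):
        hits = {}
        for key, rel in ARTIFACTS.items():
            pattern = os.path.join(profile, rel.replace("\\", os.sep))  # portable for mounted images
            matches = sorted(p for p in glob.glob(pattern) if os.path.isdir(p))
            if matches:
                hits[key] = matches
        found[user] = hits
    return found

def build_sample_image():
    """Constructed mock of a mounted Windows 8 volume (demo only; 'alice' is invented)."""
    root = tempfile.mkdtemp(prefix="win8_")
    def mk(*parts):
        os.makedirs(os.path.join(root, *parts), exist_ok=True)
    mk("Users", "daniel", "AppData", "Local", "Microsoft", "InternetExplorer", "Recovery", "Immersive", "Active")
    mk("Users", "daniel", "AppData", "Local", "Packages", "microsoft.windowscommunicationsapps_8wekyb3d8bbwe",
       "LocalState", "LiveComm", "1e05af9fc51a317a", "120712-0049", "UserTiles")
    mk("Users", "alice", "AppData", "Local", "Microsoft", "InternetExplorer", "Recovery", "Active")
    mk("Users", "Public", "Desktop")  # skipped: not a user profile
    return root
```

Against a real image, point `find_artifacts()` at the mount point of the system volume in place of `build_sample_image()`.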
Registry
  • Previous registry files are still present
    • Security
    • Software
    • System
    • Sam
    • Ntuser.dat
Registry
  • Differences in traditional registry files
    • Software
      • Metro applications installed on the system
      • User accounts that installed metro applications
    • Sam
      • Internet username
      • User Tiles
    • Ntuser.dat
      • TypedURLsTime
New Registry Files
  • Early Launch Anti-Malware (ELAM)
    • Allows drivers to be scanned for malware before drivers are loaded
    • Anti-Malware activity will be logged here (including Windows Defender)
  • Browser-Based Interface
    • Contains immersive internet explorer browser data
  • Settings.dat
    • Contains roaming and local settings for the applications
File system
  • NTFS
    • Same as Windows 7
  • Windows 8
    • Stores data in different locations than Windows 7
    • This is because of the new file system (Resilient File System) introduced in Windows Server 2012