Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Operating Systems

Windows 8 Forensics

advertisement 
Windows 8 Forensics
By: Daniel Kudrick
Windows 8
 Released on October 26th, 2012
 Developers addition September 13th, 2011
 Includes a metro interface
 Now called modern style interface
Importance for Forensic Experts
 Widely used operating system
 Over 40 million copies of Windows 8 were sold in the first
month
 Differences between Windows 7 and Windows 8
Metro Interface
 All applications have their own registry file
 Microsoft wanted the applications to be immersive
 Immersive- current application opened acts as the operating
system
 Provides a faster operating system
 Some data associated with the metro interface is stored in plain
text
Internet Explorer
 Split up into two different locations
 Immersive IE
 Desktop IE
 In order to find all Internet Explorer artifacts you must
locate both files
 Immersive location:
 %root%\users\%user%\AppData\Local\Microsoft\InternetExplorer\
Recovery\Immersive\Active
 Desktop IE location:
 %root%\users\%user%\AppData\Local\Microsoft\InternetExplorer\
Recovery\Active
Communication Application
 Application built into Windows 8 that allows the user to
interact with another person
 Facebook
 Twitter
 Email - gmail, outlook, hotmail
 LinkedIn
Communications Application
 As the user posts, the messages get cached
 Makes the applications run faster
 Location of cache and cookies
 %root%\Users\%user%\AppData\Local\Packages\microsoft.windowscommunica
tionsapps_8wekyb3d8bbwe\AC\INetCache
 %root%\Users\%user%\AppData\Local\Packages\microsoft.windowscommunica
tionsapps_8wekyb3d8bbwe\AC\INetCookies
 Various files on Windows 8 are hidden
Communication Application
 Links between a “friend” and their picture
 An identification number is associated with the user to connect
the user and their picture
 This can help forensicators easily create a timeline between the different
social networks
 User’s contact
 C:\Users\daniel\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\
LocalState\LiveComm\1e05af9fc51a317a\120712-0049\UserTiles
 User’s contact tile
 C:\Users\daniel\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\
LocalState\LiveComm\1e05af9fc51a317a\120712-0049\LogFiles\
Registry
 Previous registry files are still present
 Security
 Software
 System
 Sam
 Ntuser.dat
Registry
 Differences in traditional registry files
 Software
 Metro applications installed on the system
 User accounts that installed metro applications
 Sam
 Internet username
 User Tiles
 Ntuser.dat
 TypeURLsTime
New Registry Files
 Early Launch Anit-Malware (ELAM)
 Allows drivers to be scanned for malware before drivers are
loaded
 Anti-Malware activity will be logged here (including Windows
Defender)
 Browser-Based Interface
 Contains immersive internet explorer browser data
 Settings.dat
 Contains roaming and local settings for the applications
File system
 NTFS
 Same as Windows 7
 Windows 8
 Stores data in different locations then Windows 7
 Reason for doing this is because of the new file system(Resilient
File System) implemented in Windows server 2012
Related documents
CIA 4U What goods/services should our society produce & how much?
CIA 4U What goods/services should our society produce & how much?
Scm micro usbat 02 device driver
Scm micro usbat 02 device driver
ASP.NET MVC
ASP.NET MVC
Cloud OS Vision Deck Full Version
Cloud OS Vision Deck Full Version
Specific - Bedford/St. Martin`s
Specific - Bedford/St. Martin`s
Forensic Artifacts & Analysis 1
Forensic Artifacts & Analysis 1
Module 08 - Microsoft Lync - Lync Client and
Module 08 - Microsoft Lync - Lync Client and
Slide 1 - Western Cape Government
Slide 1 - Western Cape Government
Office 365 FOR ENTERPRISE CUSTOMERS
Office 365 FOR ENTERPRISE CUSTOMERS
Nursing Assessment - Lake Michigan College
Nursing Assessment - Lake Michigan College
ipc374
ipc374
The Five Senses
The Five Senses
Download
advertisement