Windows 8 Forensics
By: Daniel Kudrick

Windows 8
- Released October 26, 2012
- Developer Preview released September 13, 2011
- Includes the Metro interface, now called the Modern UI (Windows 8-style interface)

Importance for Forensic Experts
- Widely used operating system
- Over 40 million Windows 8 licences were sold in the first month

Differences between Windows 7 and Windows 8: Metro Interface
- Each Metro application has its own registry (settings) hive instead of writing only to NTUSER.DAT
- Microsoft wanted the applications to be immersive
- Immersive: the running application fills the screen and behaves as if it were the operating system
- Intended to make the system feel faster
- Some data associated with the Metro interface is stored in plain text

Internet Explorer
- Split into two different locations: Immersive IE and Desktop IE
- To find all Internet Explorer artifacts you must examine both locations
- Immersive location: %root%\Users\%user%\AppData\Local\Microsoft\Internet Explorer\Recovery\Immersive\Active
- Desktop IE location: %root%\Users\%user%\AppData\Local\Microsoft\Internet Explorer\Recovery\Active

Communications Application
- Application built into Windows 8 that lets the user interact with other people through:
- Facebook
- Twitter
- Email: Gmail, Outlook, Hotmail
- LinkedIn

Communications Application
- As the user posts, the messages are cached
- This makes the applications run faster
- Location of cache and cookies:
  %root%\Users\%user%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCache
  %root%\Users\%user%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCookies
- Many of these files and folders are hidden: enable viewing of hidden and protected operating-system files, or examine a mounted image, or they will be missed

Communications Application
- Links between a "friend" and their picture
- An identification number associated with the user connects the user to their picture
- This lets forensicators build a timeline across the different social networks
- User's contact tiles (pictures): C:\Users\daniel\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\1e05af9fc51a317a\120712-0049\UserTiles
- User's log files: C:\Users\daniel\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\1e05af9fc51a317a\120712-0049\LogFiles\
  (the two inner directory names, 1e05af9fc51a317a and 120712-0049, are from the presenter's system; expect different values per account and session on other machines)

Registry
- The hives known from Windows 7 are still present: SECURITY, SOFTWARE, SYSTEM, SAM, NTUSER.DAT

Registry: differences in the traditional hives
- SOFTWARE: Metro applications installed on the system, and which user accounts installed them
- SAM: Internet (Microsoft account) username, user tiles
- NTUSER.DAT: TypedURLsTime (timestamps that accompany Internet Explorer's TypedURLs)

New Registry Files
- ELAM (Early Launch Anti-Malware), %SystemRoot%\System32\config\ELAM: allows boot-start drivers to be scanned for malware before they are loaded; anti-malware activity, including Windows Defender's, is recorded here
- BBI (Browser-Based Interface), %SystemRoot%\System32\config\BBI: contains immersive Internet Explorer browser data
- Settings.dat, %root%\Users\%user%\AppData\Local\Packages\<package>\Settings\settings.dat: a per-application hive holding the roaming and local settings of each Metro application

File System
- NTFS, same as Windows 7
- Windows 8 stores data in different locations than Windows 7 does
- The reason given is the new Resilient File System (ReFS) introduced with Windows Server 2012; note that Windows 8 itself still installs on NTFS and does not use ReFS for its system volume, so the relocated artifacts above must be found on an NTFS volume
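The artifact locations listed in the Internet Explorer, Communications Application and Registry slides can be checked in one pass over a mounted Windows 8 volume. The script below is an added example, not part of the original slides: given the root of a read-only mounted image it resolves each per-user and system-wide location from the slides, reports which are present, and discovers the variable LiveComm account and session directories by walking rather than by hard-coding the presenter's values. The package name microsoft.windowscommunicationsapps_8wekyb3d8bbwe and the hive paths are real; the demo volume built by build_demo_image() is constructed test data. Path matching is case-insensitive because an NTFS image mounted on a Linux host is usually case-sensitive, which otherwise silently hides artifacts whose on-disk case differs from the documented one.

```python
"""Locate Windows 8 forensic artifacts on a mounted volume (added example)."""
import os
import sys
import tempfile
from pathlib import Path

COMMS_PKG = "microsoft.windowscommunicationsapps_8wekyb3d8bbwe"

# System-wide hives under %SystemRoot%\System32\config.
# ELAM and BBI are new in Windows 8; the other four also exist on Windows 7.
SYSTEM_HIVES = {
    "SAM": "Windows/System32/config/SAM",
    "SECURITY": "Windows/System32/config/SECURITY",
    "SOFTWARE": "Windows/System32/config/SOFTWARE",
    "SYSTEM": "Windows/System32/config/SYSTEM",
    "ELAM": "Windows/System32/config/ELAM",  # Early Launch Anti-Malware
    "BBI": "Windows/System32/config/BBI",    # Browser-Based Interface (immersive IE)
}

# Per-user locations from the slides, relative to the profile directory.
USER_ARTIFACTS = {
    "NTUSER.DAT": "NTUSER.DAT",
    "IE desktop recovery": "AppData/Local/Microsoft/Internet Explorer/Recovery/Active",
    "IE immersive recovery": "AppData/Local/Microsoft/Internet Explorer/Recovery/Immersive/Active",
    "Comms app INetCache": f"AppData/Local/Packages/{COMMS_PKG}/AC/INetCache",
    "Comms app INetCookies": f"AppData/Local/Packages/{COMMS_PKG}/AC/INetCookies",
    "Comms app settings.dat": f"AppData/Local/Packages/{COMMS_PKG}/Settings/settings.dat",
    "Comms app LiveComm": f"AppData/Local/Packages/{COMMS_PKG}/LocalState/LiveComm",
}


def resolve_ci(base, rel):
    """Resolve rel under base one component at a time, ignoring case.
    Returns the real on-disk Path, or None if any component is missing."""
    cur = Path(base)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        match = next((e for e in os.listdir(cur) if e.lower() == part.lower()), None)
        if match is None:
            return None
        cur = cur / match
    return cur


def locate_system_hives(root):
    return {name: resolve_ci(root, rel) for name, rel in SYSTEM_HIVES.items()}


def locate_user_artifacts(root):
    """Map each profile under Users to the resolved per-user artifact paths."""
    users_dir = resolve_ci(root, "Users")
    if users_dir is None:
        return {}
    return {p.name: {name: resolve_ci(p, rel) for name, rel in USER_ARTIFACTS.items()}
            for p in sorted(users_dir.iterdir()) if p.is_dir()}


def livecomm_subdirs(livecomm):
    """Walk LiveComm/<account-id>/<session>/ and collect UserTiles and LogFiles
    directories; the two inner names vary per account and session."""
    found = {"UserTiles": [], "LogFiles": []}
    if livecomm is None or not livecomm.is_dir():
        return found
    for account in (d for d in livecomm.iterdir() if d.is_dir()):
        for session in (d for d in account.iterdir() if d.is_dir()):
            for kind in found:
                hit = resolve_ci(session, kind)
                if hit is not None and hit.is_dir():
                    found[kind].append(hit)
    return found


def report(root):
    lines = []
    for name, path in locate_system_hives(root).items():
        lines.append(f"[hive] {name}: {'present' if path else 'MISSING'}")
    for user, arts in locate_user_artifacts(root).items():
        for name, path in arts.items():
            lines.append(f"[{user}] {name}: {'present' if path else 'MISSING'}")
        for kind, dirs in livecomm_subdirs(arts["Comms app LiveComm"]).items():
            lines.append(f"[{user}] LiveComm {kind}: {len(dirs)} found")
    return lines


def build_demo_image(base):
    """Construct a fake Windows 8 volume layout (test data, not a real image)."""
    base = Path(base)
    for rel in SYSTEM_HIVES.values():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(b"regf")  # hive magic, content irrelevant here
    daniel = base / "Users" / "daniel"
    for rel in USER_ARTIFACTS.values():
        target = daniel / rel
        if rel.lower().endswith(".dat"):
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"regf")
        else:
            target.mkdir(parents=True, exist_ok=True)
    session = daniel / USER_ARTIFACTS["Comms app LiveComm"] / "1e05af9fc51a317a" / "120712-0049"
    (session / "UserTiles").mkdir(parents=True)
    (session / "LogFiles").mkdir()
    # A second profile that only ever used desktop IE: the immersive folder is absent.
    (base / "Users" / "guest" / "AppData/Local/Microsoft/Internet Explorer/Recovery/Active").mkdir(parents=True)
    return str(base)


def run_demo():
    return build_demo_image(tempfile.mkdtemp())


if __name__ == "__main__":
    print("\n".join(report(sys.argv[1] if len(sys.argv) > 1 else run_demo())))
```

Run it as `python locate_win8.py /mnt/evidence` against a mounted image; with no argument it builds and scans the demo tree. A MISSING immersive recovery folder beside a present desktop one is expected for users who never opened the Metro browser, so treat absence as a finding to record rather than an error.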