Windows 8 Forensics

By: Daniel Kudrick

Windows 8
- Released on October 26th, 2012
- Developer edition released September 13th, 2011
- Includes a Metro interface
  - Now called the Modern-style interface

Importance for Forensic Experts
- Widely used operating system
- Over 40 million copies of Windows 8 were sold in the first month
- Differences between Windows 7 and Windows 8

Metro Interface
- All applications have their own registry file
- Microsoft wanted the applications to be immersive
  - Immersive: the currently open application acts as the operating system
- Provides a faster operating system
- Some data associated with the Metro interface is stored in plain text

Internet Explorer
- Split up into two different locations
  - Immersive IE
  - Desktop IE
- In order to find all Internet Explorer artifacts you must locate both locations
- Immersive IE location:
  %root%\users\%user%\AppData\Local\Microsoft\InternetExplorer\Recovery\Immersive\Active
- Desktop IE location:
  %root%\users\%user%\AppData\Local\Microsoft\InternetExplorer\Recovery\Active

Communication Application
- Application built into Windows 8 that allows the user to interact with another person
  - Facebook
  - Twitter
  - Email (Gmail, Outlook, Hotmail)
  - LinkedIn

Communication Application
- As the user posts, the messages get cached
  - Makes the applications run faster
- Location of cache and cookies:
  %root%\Users\%user%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCache
  %root%\Users\%user%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCookies
- Various files on Windows 8 are hidden

Communication Application
- Links between a "friend" and their picture
  - An identification number is associated with the user to connect the user and their picture
  - This can help forensicators easily create a timeline between the different social networks
- User's contact:
  C:\Users\daniel\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\1e05af9fc51a317a\120712-0049\UserTiles
- User's contact tile:
  C:\Users\daniel\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\1e05af9fc51a317a\120712-0049\LogFiles\
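
The Internet Explorer and Communication Application slides above give artifact paths relative to each user profile. The script below is an added example, not part of the original deck, that walks every profile under a mounted image and reports which of those directories exist and what files they hold. Directory names are the ones on the slides; the `child` lookup is case-insensitive because NTFS ignores case while an image mounted on Linux does not (the slides themselves write both `users` and `Users`). The account id `0123456789abcdef`, the profile names and the file names in `build_sample_image` are constructed for the demonstration; the session folder name `120712-0049` is taken from the slides.

```python
"""Enumerate Windows 8 IE and Communications-app artifact directories
for every user profile on a mounted image (added example, constructed data)."""
import tempfile
from pathlib import Path

COMM_PKG = "microsoft.windowscommunicationsapps_8wekyb3d8bbwe"
PACKAGES = ("AppData", "Local", "Packages")

# Artifact directories relative to a user profile, as listed on the slides.
ARTIFACTS = {
    "ie_immersive": ("AppData", "Local", "Microsoft", "InternetExplorer",
                     "Recovery", "Immersive", "Active"),
    "ie_desktop": ("AppData", "Local", "Microsoft", "InternetExplorer",
                   "Recovery", "Active"),
    "comm_inetcache": PACKAGES + (COMM_PKG, "AC", "INetCache"),
    "comm_inetcookies": PACKAGES + (COMM_PKG, "AC", "INetCookies"),
}
LIVECOMM = PACKAGES + (COMM_PKG, "LocalState", "LiveComm")


def child(parent, name):
    """Case-insensitive child lookup: NTFS ignores case, a Linux mount does not."""
    if not parent.is_dir():
        return None
    for entry in parent.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None


def walk(base, parts):
    """Resolve a tuple of path components under base, case-insensitively."""
    cur = base
    for part in parts:
        cur = child(cur, part)
        if cur is None:
            return None
    return cur


def list_files(directory):
    """Sorted, forward-slash relative paths of every file under directory."""
    return sorted(p.relative_to(directory).as_posix()
                  for p in directory.rglob("*") if p.is_file())


def find_artifacts(root):
    """Return {profile_name: {artifact_key: [files]}} for profiles with hits."""
    results = {}
    users = child(Path(root), "Users")
    if users is None:
        return results
    for profile in sorted(users.iterdir()):
        if not profile.is_dir():
            continue
        found = {}
        for name, parts in ARTIFACTS.items():
            d = walk(profile, parts)
            if d is not None:
                found[name] = list_files(d)
        # LiveComm is laid out as <account id>\<session id>\{UserTiles,LogFiles}
        live = walk(profile, LIVECOMM)
        if live is not None:
            for session in sorted(p for p in live.glob("*/*") if p.is_dir()):
                for sub in ("UserTiles", "LogFiles"):
                    d = child(session, sub)
                    if d is not None:
                        key = f"livecomm/{session.parent.name}/{session.name}/{sub}"
                        found[key] = list_files(d)
        if found:
            results[profile.name] = found
    return results


def build_sample_image(base):
    """Create a constructed tree that mimics a mounted image (all names made up,
    except the session folder 120712-0049 which appears on the slides)."""
    base = Path(base)
    files = [
        ("users", "alice", *ARTIFACTS["ie_immersive"], "{A1B2}.dat"),
        ("users", "alice", *ARTIFACTS["ie_desktop"], "{C3D4}.dat"),
        ("users", "alice", *ARTIFACTS["comm_inetcookies"], "cookie.txt"),
        ("users", "alice", *LIVECOMM, "0123456789abcdef", "120712-0049",
         "UserTiles", "tile.png"),
        ("users", "bob", "Desktop", "notes.txt"),  # profile with no artifacts
    ]
    for parts in files:
        p = base.joinpath(*parts)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample")
    return base


def demo():
    """Build the constructed image in a temp dir and return what is found."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_artifacts(build_sample_image(tmp))


if __name__ == "__main__":
    for user, arts in demo().items():
        for key, files in arts.items():
            print(f"{user}: {key}: {files}")
```

Point `find_artifacts` at the root of a read-only mount of the evidence volume (the directory that contains `Users`); the immersive and desktop IE `Active` folders are siblings, so the desktop listing never includes the immersive one.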

Registry
- Previous registry files are still present
  - Security
  - Software
  - System
  - Sam
  - Ntuser.dat

Registry
- Differences in traditional registry files
  - Software
    - Metro applications installed on the system
    - User accounts that installed Metro applications
  - Sam
    - Internet username
    - User tiles
  - Ntuser.dat
    - TypedURLsTime

New Registry Files
- Early Launch Anti-Malware (ELAM)
  - Allows drivers to be scanned for malware before the drivers are loaded
  - Anti-malware activity will be logged here (including Windows Defender)
- Browser-Based Interface
  - Contains immersive Internet Explorer browser data
- Settings.dat
  - Contains roaming and local settings for the applications

File System
- NTFS
  - Same as Windows 7
- Windows 8
  - Stores data in different locations than Windows 7
  - Reason for doing this is the new file system (Resilient File System) implemented in Windows Server 2012