Rob Lee and the SANS DFIR Faculty created this handy poster full of forensic exam cheats, where you can find the key artifacts tied to an activity on Microsoft Windows systems for intrusions, intellectual property theft, or common cyber-crimes. You can find the Windows Artifacts Analysis poster here.
Recently Ethan Fleisher, who is a student at Champlain College in Burlington, VT, left a comment on my Minor Update… post. An interesting topic he researched was Internet history, to include Google Chrome, Firefox, and Internet Explorer. Check out Ethan’s Windows 8 blog post, which can be found here: http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2
Speaking of Champlain College, they have a computer forensics program and a blog of the students’ research. In addition to Ethan’s Windows 8 research, the school’s blog has topics on Google Chromebook analysis, MBR Malware analysis, biometric forensics, Android memory forensics, Kindle Fire forensics, and much more. Bookmark this blog, which can be found here:
http://computerforensics.champlain.edu/blog
Happy reading!
Here’s a contribution on an aspect of Windows 8 that needed more research from a member of the forensic community:
“Just wanted to thank you for your work on your Windows 8 Forensic Guide. I read through it a few days ago and there’s definitely some interesting and helpful material there. It helps give us an idea of what we might be up against when we start examining these things. I decided to do a little work with the TypedURLsTime subkey to make sure I have a good understanding of it and it’s fairly straightforward, but I figured I would write a blog post about it to help get the word out there and maybe save somebody some research one day.”
Jason did some pretty good research on this subkey, so check out his blog post at Digital Forensics Stream.
Amanda
Hi everyone!
First of all, thank you so much for visiting my site, your e-mails, and spreading the word about my work. The overwhelming support has been amazing; for some reason, I did not expect it – but thank you!
A couple of you have been kind enough to point out some minor errors. Paul A. of Digital Detective e-mailed me that he has also been doing some research on Windows 8, but during the course of his research, he did not encounter any index.dat files:
“I’ve been examining Windows 8 myself (developer and consumer previews). In my research, I haven’t found any index.dat files at all – rather the Internet history gets saved in various other files, including some in the ESE DB format. I was just wondering what you did to get index.dat files generated, as I’m having no luck so far…?”
I double-checked my image and there was not a single instance of “index.dat”. The lack of index.dat files is not due to lack of luck, but rather an error on my part of typing on auto-pilot. I can only assume I saw the “dat” extension, even though I read “container.dat”, and typed “index.dat”. So, there ended up being 3 or 4 instances of “index.dat” being mentioned, and if you see “index.dat”, either download the Windows 8 Forensic Guide that has been updated or cross it off if you’ve printed it out (it saves trees)!
The other great thing about Paul (and others!) contacting me is that it’s a great way to verify my research. The e-mail traffic between Paul and me went on for a few days, and his research also revealed that the container.dat files in MSHISTdate-date are 0-byte files. One more thing he shared was:
“Where you see Internet Explorer folders that include the word ‘immersive’, then as you know that indicates you’ve launched IE from that hideous front end!
Try running IE from the more standard Windows desktop using the Quick Launch icon – you’ll find that the Travel log files are created in different folders, that don’t have immersive in their names!”
I hope this helps clear up some confusion (if there was any), and again, thank you!
Amanda
With a new operating system, come new forensic challenges. Microsoft’s Windows 8 is connected to everything – wherever you sign in, it’s connected. E-mail is connected to Facebook is connected to contacts is connected to Internet Explorer is connected to … you get the point. Windows 8 is an operating system “reimagined and reinvented from a solid core of Windows 7 speed and reliability”[i]. While I can neither confirm nor deny this statement, there are certainly many forensically interesting spots we are familiar with from Windows 7 and Vista, which is good for us because it means this operating system is not completely reinvented. With Windows 8, you will still find that Windows is Windows – it keeps track of everything. App Data and its Local and Roaming folders are still present. The Registry has the same structure we’ve been familiar with for quite some time. And Windows still has the same standard programs. Some things in Windows 8, however, are different.
Gone are the days when we could just sit, or read a book, or (dare I suggest it?) talk to the person next to us, while waiting for an appointment or riding the train. Everywhere we go, we see people staring intently into their tablet or cell phone reading the latest celebrity gossip, updating Facebook, calling in sick to work, and shopping online, all while texting and driving. Hopefully not, but you get the point. And so does Microsoft. Windows 8 is an operating system geared toward mobile devices, and that is definitely evident with the new interface.
When I registered for an independent research project in my program at The George Washington University, I wanted to do something that would contribute to the computer forensic community. So I decided to take on Windows 8. And by “take on”, I mean, it consumed my life for nearly four months. No more Facebook. No more Netflix. It was just me and Windows 8 every night after work. Friday nights. Weekends. Thankfully, Windows 8 did not care that I was turning into a pasty basement-dwelling nerd subsisting off of caffeine and over-processed food.
While I am very well aware of this and other operating systems’ existence, I somehow failed to realize, despite my forensic experience and everything I have learned since I entered the industry, that I would be researching an entire operating system. Wait… what? That doesn’t make sense? Let me explain – I had this lofty goal of creating a user manual with charts and cheat sheets and compiling everything that could ever be possibly useful to a forensic examiner. While I did create a user manual with charts and cheat sheets, this is not a comprehensive guide. In fact, I would not be surprised if I did not scratch the surface of Windows 8, because while much of it is forensically similar to Windows 7, there is so much more that is completely different.
For those wondering what my research methodology was, here’s what I did:
Originally I started this project with Windows 8 Developer Preview, but when Consumer Preview came out at the end of February, I started over. I downloaded Windows 8 Consumer Preview 32-bit Edition from Microsoft and installed it in a virtual machine using VMWare Workstation 8[ii]. I used it for nearly two weeks and every couple of days I made an image using FTK Imager v3.0.1[iii]. I then used Guidance Software’s EnCase Forensic v6.17 for my examination and analysis and a variety of written resources (which have been given credit)[iv].
So, I have done my best to find forensically interesting artifacts and information in Windows 8. When I did find something, I pointed it out, attempted to figure out what was going on, and offered an explanation. When I couldn’t figure it out, I stated so, because my hope is that this user guide will be a “living” document. I want to keep it updated and as I discover new things in Windows 8, or revalidate what we already know from 7 and Vista, I will add to this. If you find something new or confirm an existing fact, please let me know and you will be credited accordingly. I have tried to keep the language of this guide easy to read, but if there is something that is unclear or I am wrong, let me know that, too.
In this guide, you will find a section on Windows Artifacts, a section devoted to the Communications App, and the last section on the Windows Registry. Boiling down this research project to just those three items doesn’t sound like much, but I think I packed a lot of information into those three sections. I learned a lot conducting this research and actually did have some fun, but what I really hope to get out of this is that you found this guide useful and it made your job as a forensic examiner a bit easier. If you have any comments or suggestions, please shoot me an e-mail at propellerheadforensics@gmail.com. For updates, keep visiting this website or follow me on Twitter at propellerhead4n6.
[i] Windows. (2012). Windows 8 Consumer Preview. Windows. Retrieved from http://windows.microsoft.com/en-US/windows-8/consumer-preview.
[ii] Windows 8 Consumer Preview 32-bit Edition downloaded from: http://windows.microsoft.com/en-US/windows-8/iso.
VMWare Workstation 8: http://downloads.vmware.com/d/info/desktop_end_user_computing/vmware_workstation/8_0.
[iii] FTK Imager 3 downloaded from: http://accessdata.com/support/adownloads.
[iv] Guidance Software’s EnCase Forensic: http://www.guidancesoftware.com/