Propeller Head Forensics

Rob Lee and the SANS DFIR Faculty created this handy poster full of forensic exam cheats where you can discover key items to an activity for Microsoft Windows systems for intrusions, intellectual property theft, or common cyber-crimes.  You can find the Windows Artifacts Analysis poster here.

Kenneth Johnson from has contributed to the forensic community by researching File History Services, Restore Points, Refresh Points, and System Reset in Windows 8.

On June 12th, Ken (can I call you “Ken”?) discussed File History Services in a SANS Webcast, in which he briefly discussed what it is, how it’s configured, and its artifacts.  This research can be found on a link in his blog or you can click here.  He’s even released his own RegRipper Plugin for the HKU File History key.

Ken’s research on Windows 8 recovery options offers a peek into changes a forensic examiner will see.  This research can be found here.

Again, it looks like we are learning some useful information about Windows 8.  Feel free to contact me about any research you have conducted or are conducting so I can share your work.

Recently Ethan Fleisher, who is a student at Champlain College in Burlington, VT, left a comment on my Minor Update… post.  An interesting topic he researched was Internet history, to include Google Chrome, Firefox, and Internet Explorer.  Check out Ethan’s Windows 8 blog post, which can be found here:

Speaking of Champlain College, they have a computer forensics program and a blog of the students’ research.  In addition to Ethan’s Windows 8 research, the school’s blog has topics on Google Chromebook analysis, MBR Malware analysis, biometric forensics, Android memory forensics, Kindle Fire forensics, and much more.  Bookmark this blog, which can be found here:

Happy reading!

Before Windows 8 goes on sale, you have an opportunity to test it out.  It was released yesterday afternoon and will be the final sneak-peek release before it goes on sale to the public.  You can download it from here:

There’s lots of useful information on the official Microsoft Windows 8 blog for those who are interested in learning more about the user interface and what’s going on behind the scenes.  A majority of Windows 8 stuff can be found here:

And one last thing – Windows announced today that beginning June 2, 2012 Microsoft will roll out the Windows Upgrade Offer in 131 markets including the US and Canada. Consumers who purchase eligible Windows 7 PCs that are pre-installed with Windows 7 Home Basic, Home Premium, Professional, or Ultimate and include a matching and valid OEM Certificate of Authenticity through January 31, 2013 will be able to purchase an upgrade to Windows 8 Pro for $14.99 (U.S.) which will be redeemable when Windows 8 is generally available (the program expires in February 2013). For more on the editions of Windows 8, see this blog post. When consumers register for the Windows Upgrade Offer, they will be able to download Windows 8 Pro starting the day it’s made generally available and the upgrade comes with 90 days of support from Microsoft.  This is definitely a low-cost way to build out your forensic software library for testing purposes or building a virtual machine.

As always, if there are any questions, please leave a comment or contact me at


Here’s a contribution on an aspect of Windows 8 that needed more research from a member of the forensic community:

“Just wanted to thank you for your work on your Windows 8 Forensic Guide.  I read through it a few days ago and there’s definitely some interesting and helpful material there.  It helps give us an idea of what we might be up against when we start examining these things.  I decided to do a little work with the TypedURLsTime subkey to make sure I have a good understanding of it and it’s fairly straightforward, but I figured I would write a blog post about it to help get the word out there and maybe save somebody some research one day.”

Jason did some pretty good research on this subkey, so check out his blog post at Digital Forensics Stream.


Hi everyone!
First of all, thank you so much for visiting my site, your e-mails, and spreading the word about my work.  The overwhelming support has been amazing; for some reason, I did not expect it – but thank you!

A couple of you have been kind enough to point out some minor errors.  Paul A. of Digital Detective e-mailed me that he has also been doing some research on Windows 8, but during the course of his research, he did not encounter any index.dat files:
“I’ve been examining Windows 8 myself (developer and consumer previews).  In my research, I haven’t found any index.dat files at all – rather the Internet history gets saved in various other files, including some in the ESE DB format.  I was just wondering what you did to get index.dat files generated, as I’m having no luck so far…?”

I double-checked my image and there was not a single instance of “index.dat”.  The lack of index.dat files is not due to lack of luck, but rather an error on my part of typing on auto-pilot.  I can only assume I saw the “dat” extension, even though I read “container.dat”, and typed “index.dat”.  So, there ended up being 3 or 4 instances of “index.dat” being mentioned, and if you see “index.dat”, either download the Windows 8 Forensic Guide that has been updated or cross it off if you’ve printed it out (it saves trees)!

The other great thing about Paul (and others!) contacting me is that it’s a great way to verify my research.  The e-mail traffic between Paul and I went on for a few days and he also found that his research revealed that the container.dat files in MSHISTdate-date are also 0 byte files.  One more thing he also shared was

“Where you see Internet Explorer folders that include the word ‘immersive’, then as you know that indicates you’ve launched IE from that hideous front end! ;-)  Try running IE from the more standard Windows desktop using the Quick Launch icon – you’ll find that the Travel log files are created in different folders, that don’t have immersive in their names!”

I hope this helps clear up some confusion (if there was any), and again, thanks again!


Do you like free stuff?  Even better, how about something that might make your job easier?  If so, download the Windows 8 Forensic Guide.  It contains information on the Windows 8 user interface, Local and Roaming folder artifacts, the Communications App, and a variety of Registry locations.  Unless otherwise noted, this is also useful for Windows 7 and Vista.  The Windows 8 Forensic Guide has plenty of screen shots and hyperlinks to quickly get you where you need to be within the guide, so check it out!

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 78 other followers

Past Posts



Get every new post delivered to your Inbox.

Join 78 other followers

%d bloggers like this: