Rob Lee and the SANS DFIR Faculty created this handy poster full of forensic exam cheats where you can discover key items to an activity for Microsoft Windows systems for intrusions, intellectual property theft, or common cyber-crimes. You can find the Windows Artifacts Analysis poster here.
Recently Ethan Fleisher, who is a student at Champlain College in Burlington, VT, left a comment on my Minor Update… post. An interesting topic he researched was Internet history, to include Google Chrome, Firefox, and Internet Explorer. Check out Ethan’s Windows 8 blog post, which can be found here: http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2
Speaking of Champlain College, they have a computer forensics program and a blog of the students’ research. In addition to Ethan’s Windows 8 research, the school’s blog has topics on Google Chromebook analysis, MBR Malware analysis, biometric forensics, Android memory forensics, Kindle Fire forensics, and much more. Bookmark this blog, which can be found here:
Here’s a contribution on an aspect of Windows 8 that needed more research from a member of the forensic community:
“Just wanted to thank you for your work on your Windows 8 Forensic Guide. I read through it a few days ago and there’s definitely some interesting and helpful material there. It helps give us an idea of what we might be up against when we start examining these things. I decided to do a little work with the TypedURLsTime subkey to make sure I have a good understanding of it and it’s fairly straightforward, but I figured I would write a blog post about it to help get the word out there and maybe save somebody some research one day.”
Jason did some pretty good research on this subkey, so check out his blog post at Digital Forensics Stream.
First of all, thank you so much for visiting my site, your e-mails, and spreading the word about my work. The overwhelming support has been amazing; for some reason, I did not expect it – but thank you!
A couple of you have been kind enough to point out some minor errors. Paul A. of Digital Detective e-mailed me that he has also been doing some research on Windows 8, but during the course of his research, he did not encounter any index.dat files:
“I’ve been examining Windows 8 myself (developer and consumer previews). In my research, I haven’t found any index.dat files at all – rather the Internet history gets saved in various other files, including some in the ESE DB format. I was just wondering what you did to get index.dat files generated, as I’m having no luck so far…?”
I double-checked my image and there was not a single instance of “index.dat”. The lack of index.dat files is not due to lack of luck, but rather an error on my part of typing on auto-pilot. I can only assume I saw the “dat” extension, even though I read “container.dat”, and typed “index.dat”. So, there ended up being 3 or 4 instances of “index.dat” being mentioned, and if you see “index.dat”, either download the Windows 8 Forensic Guide that has been updated or cross it off if you’ve printed it out (it saves trees)!
The other great thing about Paul (and others!) contacting me is that it’s a great way to verify my research. The e-mail traffic between Paul and I went on for a few days and he also found that his research revealed that the container.dat files in MSHISTdate-date are also 0 byte files. One more thing he also shared was
“Where you see Internet Explorer folders that include the word ‘immersive’, then as you know that indicates you’ve launched IE from that hideous front end! ;-) Try running IE from the more standard Windows desktop using the Quick Launch icon – you’ll find that the Travel log files are created in different folders, that don’t have immersive in their names!”
I hope this helps clear up some confusion (if there was any), and again, thanks again!