Windows 8 Forensics Analysis Database [Tutorial]

Windows 8, latest version of Microsoft Windows operating systems, is set to be released to the general public on October 26, 2012. Which was intended to be a more focused, incremental upgrade to the Windows line, Windows 8 is an operating system "reimagined from the chipset to the user experience" according to the Windows Design Team. Windows 8 features a new user interface based on Microsoft's Metro design language, very similar to features found in the current Windows Phone operating system (commonly referred to as Windows Mobile). The new metro-style interface is designed to better suit touch screen and pen input, along with traditional mouse and keyboard input.

As is the case with any newly released operating system, new forensic changes and challenges arise. As digital forensic investigators it is important to address these new changes and challenges with diligence and understanding. Just like older versions of Windows, Windows 8 contains valuable bits of information known as “artifacts.” The average user is mostly unaware that the operating system is leaving traces of their activity behind that is specific to their usage. Knowing where these artifacts are stored can greatly assist in recreating a particular user account’s history. With that said, it may be a relief to many investigators out there that Windows 8 retained many of the key artifacts that were present in earlier Windows operating system builds. However, the immersive experience of Windows 8 also leans itself to artifacts nonexistent in previous releases. This article will focus on artifacts exclusive to Windows 8, including registry differences and artifacts of the new Metro User Interface and Immersive Web Browser.

In this article will introduce the Microsoft Windows 8 forensic analysis database.

Microsoft windows 8 introduced the application data or you can called AppData. That folder allowed for forensic investigators to to see that information belonged to the OS and that information belonged to a specific user. The location of Windows 8 AppData is in the C:\Users folder, the same place as in Microsoft windows 7.If you cannot see the AppData folder it could be because it's hidden from view.

 

Metro App Cache
%Root%\Users\%User%\AppData\Local\Packages\
%MetroAppName%\AC\INetCache
Contains Web cache specific to each Metro App.

Metro App Cookies
%Root%\Users\%User%\AppData\Local\Packages\
%MetroAppName%\AC\INetCookies
Contains cookie files specific to each Metro App. Data is contained in a text file.

Metro App History
%Root%\Users\%User%\AppData\Local\Packages\
%MetroAppName%\AC\INetHistory
Contains Internet history files specific to each Metro App and the format of the data is consistent with previous versions.

All these folders are named INetCache, INetCookies, and InetHistory contain a wealth of information and artifacts that may be of importance to the forensic investigators.

Here one example about how you can extract history from metro app for this demo i m using Google search.

Google search Metro App History

%Root%\Users\%User%\AppData\Local\Packages\GoogleInc.GoogleSearch_yfg5n0ztvskxp\LocalState 

Now you can see file called history.json open with hex editors

IE 10 Web sites Visited (Immersive Interface) 

%Root%\Users\%User%\AppData\Local\Microsoft\InternetExplorer\Recovery\Immersive\Active

Internet History

 

Communication App Artifacts

Windows 8 is virtually connected to everything; wherever you sign in, it’s connected. E-mail is connected to Facebook, Facebook is connected to the photo album, and the photo album is connected to the Microsoft account, which allows the user the ability to transfer many of the settings of the UI and immersive browser from PC to PC. The operating system is built around the premise of the recent social media revolution, with many of the newer features focused around such communication. The Communications App, as coined by Microsoft, includes the user’s e-mail, chat clients such as Windows Live and AIM, Facebook, and other social networking sites (e.g. Twitter). Anything that can allow the user to interact with another person appears to fall under “Communications Apps.” Each communication app has its own Web cache.

Communication App Web Cache

%Root%\Users\%User%\AppData\Local\Packages\microsoft.windowscommunicatisapps_8wekyb3d8bbwe\AC\INetCache

 

Communication App Cookies

%Root%\Users\%User%\AppData\Local\Packages\microsoft.windowscommunicatisapps_8wekyb3d8bbwe\AC\INetCookies

 Communications Apps offline email and Contacts from

%Root%\Users\%User%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Indexed\LiveComm\de425268464fa2fe\120712-0049

Windows 8 Registry 

Registry is a tool intended for advanced users. It's used to view and change settings in the system registry, which contains information about how your computer runs. Windows refers to this information and updates it when you make changes to your computer, such as installing a new program, creating a user profile, or adding new hardware. Registry Editor lets you view registry folders, files, and the settings for each registry file.

Mounted USB  Devices

HKLM\SYSTEM\CurrentControlSet\Enum\USB\

Conclusion

In this article, we’ve seen that, when conducting a windows 8 forensic . The goal of this articles teach you about windows 8 forensic is to do a structured investigation and find out exactly what happened in a digital system and who was responsible for it. There is still a lot of research that must be done in order to improve windows 8 forensic that we going to cover in my upcoming articles.

About The Author: 

Nikhaleshsingh bhadoria. He is Cyber Security Expert, Ethical Hacker, Penetration Tester and tech geek.