Windows 8, the latest version of the Microsoft Windows operating system, is set to be released to the general public on October 26, 2012. Although it was intended to be a more focused, incremental upgrade to the Windows line, Windows 8 is an operating system "reimagined from the chipset to the user experience," according to the Windows Design Team. Windows 8 features a new user interface based on Microsoft's Metro design language, very similar to the interface of the current Windows Phone operating system (commonly referred to as Windows Mobile). The new Metro-style interface is designed to better suit touch screen and pen input, along with traditional mouse and keyboard input.
As is the case with any newly released operating system, new forensic changes and challenges arise. As digital forensic investigators, it is important to address these changes and challenges with diligence and understanding. Just like older versions of Windows, Windows 8 contains valuable bits of information known as "artifacts." The average user is mostly unaware that the operating system is leaving behind traces of activity that are specific to their usage. Knowing where these artifacts are stored can greatly assist in recreating a particular user account's history. With that said, it may be a relief to many investigators that Windows 8 retained many of the key artifacts that were present in earlier Windows builds. However, the immersive experience of Windows 8 also lends itself to artifacts that did not exist in previous releases. This article will focus on artifacts exclusive to Windows 8, including registry differences and artifacts of the new Metro User Interface and Immersive Web Browser.
In this article I will introduce the Microsoft Windows 8 forensic analysis database: a catalogue of where the artifacts live.
Windows 8 uses the application data folder, also called AppData. That folder allows forensic investigators to distinguish information that belongs to the OS from information that belongs to a specific user. The location of the Windows 8 AppData folder is under C:\Users, the same place as in Microsoft Windows 7. If you cannot see the AppData folder, it is because it is hidden from view by default.
Metro App Cache
%Root%\Users\%User%\AppData\Local\Packages\%MetroAppName%\AC\INetCache
Contains Web cache specific to each Metro App.
Metro App Cookies
%Root%\Users\%User%\AppData\Local\Packages\%MetroAppName%\AC\INetCookies
Contains cookie files specific to each Metro App. Data is contained in a text file.
Metro App History
%Root%\Users\%User%\AppData\Local\Packages\%MetroAppName%\AC\INetHistory
Contains Internet history files specific to each Metro App; the format of the data is consistent with previous versions.
These folders, named INetCache, INetCookies, and INetHistory, contain a wealth of information and artifacts that may be of importance to forensic investigators.
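To turn the table above into something an examiner can run against a mounted image, here is an added example (not the article's own code) in Python that walks every package's INetCache, INetCookies and INetHistory folder under %Root%\Users and parses the cookie text files it finds. The users_root argument, the placeholder package name in the demo, and the classic IE cookie text layout (name, value, host/path, flags, split FILETIME expiry and creation, then a '*' line) are assumptions, not taken from the article.

```python
import glob, os, tempfile
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ARTIFACT_DIRS = ("INetCache", "INetCookies", "INetHistory")

def filetime_to_utc(low, high):
    # Join a split 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) into an aware datetime.
    return EPOCH_1601 + timedelta(microseconds=((high << 32) | low) // 10)

def parse_ie_cookie_text(text):
    # Classic IE cookie text layout (assumed here): name, value, host/path, flags,
    # expiry low, expiry high, created low, created high, then a '*' line per record.
    records = []
    for chunk in text.replace("\r\n", "\n").split("\n*\n"):
        rec = chunk.split("\n")
        if len(rec) >= 8:  # skip truncated trailing chunks instead of crashing on them
            records.append({"name": rec[0], "value": rec[1], "host_path": rec[2], "flags": int(rec[3]),
                            "expires": filetime_to_utc(int(rec[4]), int(rec[5])),
                            "created": filetime_to_utc(int(rec[6]), int(rec[7]))})
    return records

def enumerate_metro_artifacts(users_root):
    # Walk <users_root>\<user>\AppData\Local\Packages\<pkg>\AC\{INetCache,INetCookies,INetHistory}
    # and return one record per file; cookie .txt files are parsed in place.
    found = []
    for kind in ARTIFACT_DIRS:
        pattern = os.path.join(glob.escape(users_root), "*", "AppData", "Local", "Packages", "*", "AC", kind)
        for art_dir in sorted(glob.glob(pattern)):
            parts = os.path.normpath(art_dir).split(os.sep)
            user, pkg = parts[-7], parts[-3]
            for dirpath, _, files in os.walk(art_dir):
                for f in files:
                    p = os.path.join(dirpath, f)
                    rec = {"user": user, "package": pkg, "kind": kind, "path": p}
                    if kind == "INetCookies" and f.lower().endswith(".txt"):
                        with open(p, encoding="utf-8", errors="replace") as fh:
                            rec["cookies"] = parse_ie_cookie_text(fh.read())
                    found.append(rec)
    return found

def demo():
    # Constructed sample: one user, one placeholder package, one cookie created 2012-10-26.
    root = tempfile.mkdtemp()  # stands in for %Root%\Users of a mounted image
    d = os.path.join(root, "alice", "AppData", "Local", "Packages",
                     "ExampleCo.ExampleApp_placeholder", "AC", "INetCookies")
    os.makedirs(d)
    ticks = int((datetime(2012, 10, 26, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10**7
    lines = ["SID", "abc123", "example.com/", "2048", "0", "0", str(ticks & 0xFFFFFFFF), str(ticks >> 32), "*"]
    with open(os.path.join(d, "alice@example[1].txt"), "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return enumerate_metro_artifacts(root)
```

Point enumerate_metro_artifacts at the Users directory of a mounted image; the returned records are ready to be written out as a CSV timeline.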
Here is one example of how you can extract history from a Metro app; for this demo I am using Google Search.
Google Search Metro App History
%Root%\Users\%User%\AppData\Local\Packages\GoogleInc.GoogleSearch_yfg5n0ztvskxp\LocalState
In that folder you will see a file called history.json; open it with a hex editor.
IE 10 Web Sites Visited (Immersive Interface)
%Root%\Users\%User%\AppData\Local\Microsoft\InternetExplorer\Recovery\Immersive\Active
Internet History
Communication App Artifacts
Windows 8 is virtually connected to everything; wherever you sign in, it is connected. E-mail is connected to Facebook, Facebook is connected to the photo album, and the photo album is connected to the Microsoft account, which allows the user to transfer many of the settings of the UI and immersive browser from PC to PC. The operating system is built around the premise of the recent social media revolution, with many of the newer features focused on such communication. The Communications App, as coined by Microsoft, includes the user's e-mail, chat clients such as Windows Live and AIM, Facebook, and other social networking sites (e.g. Twitter). Anything that allows the user to interact with another person appears to fall under "Communications Apps." Each communication app has its own Web cache.
Communication App Web Cache and Cookies
%Root%\Users\%User%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCache
%Root%\Users\%User%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCookies
Communications Apps offline e-mail and contacts are stored under:
%Root%\Users\%User%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Indexed\LiveComm\de425268464fa2fe\120712-0049
Windows 8 Registry
Registry Editor is a tool intended for advanced users. It is used to view and change settings in the system registry, which contains information about how your computer runs. Windows refers to this information and updates it when you make changes to your computer, such as installing a new program, creating a user profile, or adding new hardware. Registry Editor lets you view registry folders, files, and the settings for each registry file.
Mounted USB Devices
HKLM\SYSTEM\CurrentControlSet\Enum\USB\
When examining an offline SYSTEM hive rather than the live registry, the CurrentControlSet link does not exist; look under the ControlSet00N that HKLM\SYSTEM\Select\Current points to.
Conclusion
In this article, we have seen what is involved in conducting a Windows 8 forensic examination. The goal of this article is to teach you about Windows 8 forensics: doing a structured investigation to find out exactly what happened in a digital system and who was responsible for it. There is still a lot of research that must be done in order to improve Windows 8 forensics, which I am going to cover in my upcoming articles.
About The Author:
Nikhaleshsingh Bhadoria is a cyber security expert, ethical hacker, penetration tester and tech geek.