Hello Reader,
This was an interesting Sunday Funday. I got two good responses that I liked, but one seemed to have more information while the other described fewer artifact locations in more detail. In the end, since it was a general question, I went with the one that I thought gave the largest list of forensically relevant artifacts new to Windows 8.
The Challenge:
What changes have occurred between Windows 7 and Windows 8 that have created new forensic artifacts for examiners to recover and analyze? List as many as you can find with a short description of what they are/mean/do.
The Winning Answer:
Jacob Blend
- Refresh points (similar to SRPs in XP, but more like an image to revert to) - these can have wireless network info, BitLocker settings, personalization, Metro style
- System recovery (refresh to factory state, but personal files can be handled here, in windows.old for instance)
- Recover or refresh leaves different types of artifacts
- Registry values for device insertion, removed and firmware fields (timestamps): CurrentControlSet\Enum\DeviceType\DeviceID\InstanceID\{GUID}\Properties\xxxx
- File History service (replacement of VSS) (saving differential changes)
- Local folder, contains VirtualStore - %Root%\Users\%User%\AppData\Local
- Immersive apps have their own reg files
- Metro apps have their own internet artifacts - cache, cookies, and history
- Installed system apps in registry
- Installed user account apps
- IE 10 should count as it is standard, and a supposed upgrade from Win 7 offerings
  - user pinned tiles
  - immersive websites visited
- Communication App includes a ton of social networking information
  - web cache
  - cookies
  - user contacts
- NEW registry info!
  - ELAM - Early Launch Anti-Malware
  - BBI (Browser-Based Interface)
  - Settings.dat (User Profile)
- NTUSER.DAT artifacts
  - TypedURLsTime
  - SAM artifacts
  - internet user name
  - user's tile
- ISO automount
- 2 swapfiles (pagefile.sys, swapfile.sys)
- Storage Pools (resilient storage areas)
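The winning answer calls out TypedURLsTime (the Windows 8 / IE 10 companion to TypedURLs) and the new swapfile.sys and windows.old locations. As an added example that is not part of the original post or the answer above, the Python below shows the two things an examiner usually does first with those artifacts: decode the TypedURLsTime values, which Windows stores as 8-byte little-endian FILETIME values keyed url1..urlN in parallel with TypedURLs (that layout is from my own knowledge of the keys, not from the page), and walk a mounted image for the new file-system locations the answer lists. The registry values are constructed inline so the script runs offline; `IMAGE_ROOT` and the sample user name are assumptions.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode one 8-byte little-endian FILETIME as found in TypedURLsTime values."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes, got %d" % len(raw))
    (ticks,) = struct.unpack("<Q", raw)
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse of filetime_to_datetime; used here only to construct sample data."""
    delta = dt.astimezone(timezone.utc) - _FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def pair_typed_urls(typed_urls: dict, typed_urls_time: dict) -> list:
    """Join TypedURLs (url1..urlN -> string) with TypedURLsTime (url1..urlN -> FILETIME).

    Returns (value name, URL, datetime-or-None) ordered by the numeric suffix, so
    url10 sorts after url9. A URL without a matching timestamp is kept with None
    rather than dropped, because the two keys can drift apart after cleanup tools run.
    """
    rows = []
    for name in sorted(typed_urls, key=lambda n: int(n[3:])):
        raw = typed_urls_time.get(name)
        rows.append((name, typed_urls[name], filetime_to_datetime(raw) if raw else None))
    return rows


# File-system locations new to Windows 8 that the answer names, relative to the
# volume root of a mounted image. Paths are assumptions about where each artifact lives.
def windows8_artifact_paths(user: str) -> list:
    return [
        os.path.join("swapfile.sys"),                        # second swapfile beside pagefile.sys
        os.path.join("pagefile.sys"),
        os.path.join("Windows.old"),                         # left behind by refresh/recovery
        os.path.join("Users", user, "AppData", "Local", "VirtualStore"),
        os.path.join("Users", user, "AppData", "Local", "Packages"),  # per-app settings.dat hives
    ]


def triage_image(image_root: str, user: str) -> dict:
    """Report which of the Windows 8 artifact locations exist under a mounted image."""
    return {rel: os.path.exists(os.path.join(image_root, rel))
            for rel in windows8_artifact_paths(user)}


# --- constructed sample registry data (not from a real system) ---
SAMPLE_TYPED_URLS = {"url1": "http://intranet.example/", "url2": "http://example.com/login"}
SAMPLE_TYPED_URLS_TIME = {
    "url1": datetime_to_filetime(datetime(2013, 1, 2, 3, 4, 5, tzinfo=timezone.utc)),
    # url2 deliberately has no timestamp to show the None-preserving join.
}
IMAGE_ROOT = r"E:\mounted_image"  # assumption: an image mounted read-only at this drive
SAMPLE_USER = "examiner"           # constructed user name

if __name__ == "__main__":
    for name, url, when in pair_typed_urls(SAMPLE_TYPED_URLS, SAMPLE_TYPED_URLS_TIME):
        print(name, url, when.isoformat() if when else "<no TypedURLsTime entry>")
    for rel, present in triage_image(IMAGE_ROOT, SAMPLE_USER).items():
        print(("present " if present else "missing ") + rel)
```

Run it against a read-only mount and feed `pair_typed_urls` the values exported from the user's NTUSER.DAT; the FILETIME decoder is the same one you would reuse for the device-insertion timestamps under the Enum\...\Properties keys the answer mentions.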