Daily Blog #274: Sunday Funday 3/23/14 Winner!

Sunday Funday by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
            This was an interesting Sunday Funday. I got two good responses that I liked but one seemed to have more information while the other described the details of less artifacts locations in more detail. In the end since it was a general question I went with the one that I thought gave the largest list of forensically relevant artifacts new to Windows 8.

The Challenge:

What changes have occurred between Windows 7 and Windows 8 that have created new forensic artifacts for examiners to recover and analysis. List as many as you can find with a short description of what they are/mean/do.

The Winning Answer:

Jacob Blend

Refresh points (similar to SRPs in XP, but more like an image to revert to)
-these can have wireless network info, bitlocker settings, personalization, metro style)

System recovery (refresh to factory state, but personal files can be handled here, in windows.old for instance)

Recover or refresh leaves different types of artifacts


Registry values for device insertion, removed and firmware fields (timestamps), CurrentControlSet\Enum\DeviceType\DeviceID\InstanceID\{GUID}\Properties\xxxx 

File history services (replacement of VSS) (saving differential changes)

Local folder, contains virtualstore

-%Root%\Users\%User%\AppData\Local

immersive apps have their own reg files

metro apps have their own internet artifacts- cache, cookies, and history
installed system apps in registry
installed user account apps

IE 10 should count as it is standard, an a supposed upgrade from Win 7 offerings-

-user pinned tiles
-immersive websites visited

Communication App includes a ton of social networking information
-web cache
-cookies
-user contacts

NEW registry info!
ELAM- Early Launch Anti Malware
BBI (Browser-Based Interface)
Settings.dat (User Profile)
NTUSER.DAT artifact TypedURLsTime

SAM artifacts
internet user name
user's tile
ISO automount

2 Swapfiles (pagefile.sys, swapfile.sys)
Storage Pools (resilient storage areas)

Also Read: Daily Blog #273

Post a Comment