
Windows 8 Forensics

Ethan Fleisher

Senator Patrick Leahy Center for Digital Investigation

Internet History

Google Chrome History – Google Chrome history is stored in the SQLite database named History within <root>\users\<username>\appdata\local\google\chrome\user data\default.  After exporting this file, I loaded it into a tool called Chrome Analysis Plus.  The following image depicts the information that I was able to obtain from Google Chrome browsing history.

Mozilla Firefox History – Firefox history is stored in the places.sqlite database under the profile folder within <root>\users\<username>\appdata\roaming\mozilla\firefox\profiles.  After exporting this file, I loaded it into Fox Analysis, a tool that works very similarly to Chrome Analysis.  The following image depicts the information that I was able to obtain from Firefox browsing history.

 

Microsoft Internet Explorer – Within Windows 8, a new version of Internet Explorer is introduced.  This version, Internet Explorer 10, has many different features such as:

Temporary internet files are stored within <root>\users\<username>\appdata\local\microsoft\windows\temporary internet files.  Within this folder is a subfolder, Low, which contained all the TIF files for the browsing that I did.  This is slightly different from Windows 7, where the files were not forced into the Low folder.

 

TypedURLs is still in the same place in NTUSER.DAT (Software\Microsoft\Internet Explorer\TypedURLs), and beside it is a second key, TypedURLsTime, whose values hold 8-byte timestamps that, when run through DCode, correctly reflect the time each URL was typed.
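As an added example (not part of the original post), the following Python script decodes the three timestamp formats these artifacts use: Chrome's History database (WebKit time, microseconds since 1601), Firefox's places.sqlite (PRTime, microseconds since 1970) and the 8-byte FILETIME values in TypedURLsTime, which is the conversion Chrome Analysis, Fox Analysis and DCode perform for you. It assumes the History and places.sqlite files have been copied out of the profile (the live copies are locked by the browser) and that the TypedURLs/TypedURLsTime values have been exported from NTUSER.DAT. The in-memory databases and registry values in the script are constructed samples with a reduced schema, not data from a real system.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# All three artifacts store a timestamp as an integer counted from a fixed epoch;
# only the epoch and the unit differ, so decoding is one addition each.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)


def webkit_time(us):
    """Chrome History, urls.last_visit_time: microseconds since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=us)


def prtime(us):
    """Firefox places.sqlite, moz_places.last_visit_date: microseconds since 1970-01-01 UTC."""
    return EPOCH_1970 + timedelta(microseconds=us)


def filetime(raw):
    """Windows FILETIME as stored in a TypedURLsTime value: little-endian uint64
    of 100-nanosecond ticks since 1601-01-01 UTC (the conversion DCode performs)."""
    ticks = int.from_bytes(raw[:8], "little")
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def chrome_history(con):
    """[(url, title, last_visit)] from a Chrome History database, oldest first."""
    rows = con.execute(
        "SELECT url, title, last_visit_time FROM urls ORDER BY last_visit_time"
    ).fetchall()
    return [(url, title, webkit_time(ts)) for url, title, ts in rows]


def firefox_history(con):
    """[(url, title, last_visit)] from a Firefox places.sqlite, oldest first.
    Rows never visited (bookmark-only entries) have a NULL last_visit_date and are skipped."""
    rows = con.execute(
        "SELECT url, title, last_visit_date FROM moz_places "
        "WHERE last_visit_date IS NOT NULL ORDER BY last_visit_date"
    ).fetchall()
    return [(url, title, prtime(ts)) for url, title, ts in rows]


def typed_urls(urls, times):
    """Pair each TypedURLs value (url1, url2, ...) with the same-named TypedURLsTime
    value. `urls` maps value name -> URL, `times` maps value name -> raw 8 bytes,
    as exported from NTUSER.DAT. A URL with no matching time entry gets None."""
    def order(name):            # url1, url2, ... url10 in numeric order
        return int(name[3:]) if name[3:].isdigit() else -1
    return [(name, urls[name], filetime(times[name]) if name in times else None)
            for name in sorted(urls, key=order)]


# --- constructed sample data, not from a real system -----------------------------
SAMPLE_FILETIME = b"\x00\xe0\x5f\x48\xcc\x9f\xcd\x01"      # 2012-10-01 12:00:00 UTC


def sample_chrome_db():
    """In-memory stand-in for the History file (the real urls table has more columns)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, last_visit_time INTEGER)")
    con.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
        (1, "http://www.champlain.edu/", "Champlain College", 1, 12993566400000000),
        (2, "http://computerforensicsblog.champlain.edu/", "LCDI blog", 2, 12993566700000000),
    ])
    return con


def sample_firefox_db():
    """In-memory stand-in for places.sqlite (reduced moz_places table)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, last_visit_date INTEGER)")
    con.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?, ?)", [
        (1, "http://www.champlain.edu/", "Champlain College", 1, 1349092800000000),
        (2, "http://bookmarked.test/", "never visited", 0, None),
    ])
    return con


if __name__ == "__main__":
    for url, title, when in chrome_history(sample_chrome_db()):
        print("chrome ", when.isoformat(), url)
    for url, title, when in firefox_history(sample_firefox_db()):
        print("firefox", when.isoformat(), url)
    for name, url, when in typed_urls({"url1": "http://www.champlain.edu/"},
                                      {"url1": SAMPLE_FILETIME}):
        print("ie     ", when.isoformat(), name, url)
```

To run it against a real export, replace the `sample_*_db()` calls with `sqlite3.connect("/path/to/History")` and `sqlite3.connect("/path/to/places.sqlite")`; the decoded times are UTC, so convert to the suspect machine's local zone before comparing with the times you recorded during testing.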

 

 

Within Windows 8, Internet Explorer history is presented in a different manner because of the IE10 update.  As of this writing, there is no support for IE 8/9 on the Windows 8 operating system.  Because of this, the conventional means of recovering internet history have changed.

Cookies, in Windows 7, are stored in two places: one is alongside the temporary internet files, and the other is <root>\users\<username>\appdata\roaming\microsoft\windows\cookies\.  The image below depicts this:

 

 

In Windows 8, cookies are stored in a slightly different location, <root>\users\<username>\appdata\roaming\microsoft\windows\cookies\low, as shown below:

 

Traditionally, in Windows 7, Internet Explorer history is stored in index.dat within <root>\users\<username>\appdata\local\microsoft\windows\history.  The image below depicts this:

On Windows 8, in the same location, <root>\users\<username>\appdata\local\microsoft\windows\history, the index.dat files are no longer there.  Instead, this folder holds container.dat, which is consistently empty.

With the traditional internet history artifacts absent, I had to look for web history elsewhere.  To do this, I ran keyword searches for websites I had visited in Internet Explorer.  After reviewing the hits, I found that WebCacheV24.dat contains most of the information that index.dat previously did.

Internet history hits within webcachev24.dat.  This list of website hits occurs within the file at offset 1902336 and reflects accurate timestamps for website visits.

This file offset is consistent with similar start points in webcachev24.dat in other VMs that I have created.  The first website generally occurs within a few thousand bytes of file offset 1900000.

 

However, this is not the only area where web history is found.  Much further into the file, at offset 5046834, a second list of websites appears that also reflects accurate timestamps.  This list, however, is less clear about what it is recording and in some instances does not follow chronological order.

 


In both of the lists above, the timestamp is an 8-byte value (a 64-bit Windows FILETIME, decodable with DCode) located 36 bytes before the "Visited: forensicator@<website>" marker.
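Added example, not code from the original post: a Python carver that applies the observation above to a raw copy of the WebCache file, searching for every "Visited: <user>@<url>" marker (in UTF-16LE and in plain ASCII, since a raw read of the ESE text column can show either) and decoding the 8 bytes that sit 36 bytes ahead of it as a Windows FILETIME. The 36-byte distance and the "forensicator" user name are taken from the text; the sample buffer is constructed, not a real WebCache extract; and the file location (<root>\users\<username>\appdata\local\microsoft\windows\webcache, with the version number in the file name varying by build) is an assumption about where to copy it from. Carving like this is a cross-check on the offsets reported above, not a substitute for parsing the ESE database's History container, so the decoded date is sanity-checked against a plausible window and dropped when the bytes 36 before a marker are not a timestamp.

```python
import re
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Distance from the 8-byte FILETIME to the "Visited:" marker, as observed above.
TIMESTAMP_OFFSET = 36
# Only accept decoded times inside a plausible window; anything else is slack
# space or a different field that happened to sit 36 bytes before a hit.
EARLIEST = datetime(1995, 1, 1, tzinfo=timezone.utc)
LATEST = datetime(2100, 1, 1, tzinfo=timezone.utc)

# "Visited: <user>@<url>" in UTF-16LE and in ASCII; the URL has no spaces, so
# the capture runs to the first non-printable byte (the terminator).
MARKERS = (
    ("utf-16-le", re.compile(
        rb"V\x00i\x00s\x00i\x00t\x00e\x00d\x00:\x00 \x00((?:[\x21-\x7e]\x00)+)")),
    ("ascii", re.compile(rb"Visited: ([\x21-\x7e]+)")),
)


def filetime(raw):
    """Decode a little-endian 64-bit FILETIME; None if it is not a plausible date."""
    ticks = int.from_bytes(raw, "little")
    try:
        when = EPOCH_1601 + timedelta(microseconds=ticks // 10)
    except OverflowError:                       # garbage bytes, thousands of years out
        return None
    return when if EARLIEST <= when <= LATEST else None


def carve_visits(data, offset=TIMESTAMP_OFFSET):
    """Return [(file_offset, user, url, visit_time)] for every "Visited:" marker in
    `data`, sorted by file offset. visit_time is None when the 8 bytes at
    marker - offset do not decode to a plausible FILETIME."""
    hits = []
    for encoding, pattern in MARKERS:
        for m in pattern.finditer(data):
            start = m.start()
            user, _, url = m.group(1).decode(encoding).partition("@")
            when = None
            if start >= offset:
                when = filetime(data[start - offset:start - offset + 8])
            hits.append((start, user, url, when))
    hits.sort(key=lambda h: h[0])
    return hits


# --- constructed sample, not a real WebCache extract ------------------------------
def _ft_bytes(when):
    """Inverse of filetime(); used only to build the sample below."""
    ticks = int((when - EPOCH_1601).total_seconds()) * 10_000_000
    return ticks.to_bytes(8, "little")


def sample_container():
    """Two history records, one UTF-16LE and one ASCII, each with its FILETIME
    36 bytes ahead of the marker, separated by filler bytes."""
    filler = b"\x00" * 28                       # 36 - 8 bytes between time and marker
    t1 = datetime(2012, 10, 1, 12, 0, tzinfo=timezone.utc)
    t2 = t1 + timedelta(minutes=5)
    rec1 = (_ft_bytes(t1) + filler
            + "Visited: forensicator@http://www.champlain.edu/".encode("utf-16-le")
            + b"\x00\x00")
    rec2 = (_ft_bytes(t2) + filler
            + b"Visited: forensicator@http://computerforensicsblog.champlain.edu/\x00")
    return b"\xff" * 64 + rec1 + b"\xff" * 100 + rec2 + b"\xff" * 32


if __name__ == "__main__":
    # For a real file: data = open(r"...\WebCache\WebCacheV01.dat", "rb").read()
    for off, user, url, when in carve_visits(sample_container()):
        print(f"{off:>10} {when.isoformat() if when else 'no timestamp':25} {user}@{url}")
```

When run over a real copy, compare the printed offsets with the 1902336 and 5046834 regions noted above; hits that decode to None are worth a manual look, since the second list in the file is the one the text describes as less orderly.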





 

For the next part of this project click here: Windows 8 Forensics Part 3

If you have any comments, questions and/or suggestions, please feel free to leave a comment here on the blog, or email us at LCDI@champlain.edu with "Windows 8 Forensics" in the subject.

Windows 8 Forensics

Ethan Fleisher

Senator Patrick Leahy Center for Digital Investigation

 

Overview

Today I am starting the preliminary research on the Windows 8 Operating System from a Digital Forensics standpoint. I will be comparing it primarily to known information on the Windows 7 Operating System. There are going to be many items that I am looking at, and any comments with suggestions for further things to look into would be appreciated. Topics so far include:

  • Recycle Bin Properties

  • USB Drive Activity

  • Internet History

  • Windows 8 Reset and Reload Feature

  • Event Logs

  • Prefetch Files

  • Jump Lists

  • File History Feature

As I dig into these topics, there is likely to be a large amount of information that will be discovered. It is important to remember, though, that some of these topics may yield little to no differences.

Purpose

The purpose of this project is to determine the key differences between the Windows 7 and Windows 8 operating systems from a forensic standpoint, in order to determine whether there are significant changes that will be either beneficial or detrimental to the forensic investigation process.


Preliminary Tool List

  1. EnCase 6.19 Law Enforcement Edition -

    http://www.guidancesoftware.com/forensic.htm

  2. FTK Imager 3.0 -

    http://accessdata.com/support/adownloads

  3. Forensic Toolkit (FTK) 1.81.6 -

    http://accessdata.com/support/adownloads

  4. Mandiant Web Historian -

    http://www.mandiant.com/products/free_software/web_historian/

  5. NetAnalysis -

    http://www.digital-detective.co.uk/netanalysis.asp

  6. DCode -

    http://www.digital-detective.co.uk/freetools/decode.asp

  7. Registry Decoder -

    http://www.digitalforensicssolutions.com/registrydecoder/

  8. Internet Evidence Finder -

    http://www.jadsoftware.com/?page_id=1083

Recycle Bin Properties

With this part, I am testing the Recycle Bin properties of Windows 8 to see how they compare to Windows 7. Viewed with forensic tools, the Windows 8 Recycle Bin consists of the $Recycle.Bin folder (one subfolder per user SID) holding paired $I files (metadata) and $R files (the deleted content).

  1. Created “I wonder if this will appear” at 10:14; deleted it at 10:14.

  2. Created “test document.txt” at 10:22; deleted it at 10:23.

  3. Created “lets try this” at 10:40 and filled it with text (36.5 MB); deleted it at 10:40.

The Recycle Bin, viewed in EnCase, still has the $Recycle.Bin folder and $I files. There are still $R files, but they do not show up directly in the $Recycle.Bin folder.

Located and verified times of “test document”, “lets try this”, and “I wonder if this will appear” to be accurate to what I recorded when creating/deleting originally.

Verified hex values for $I files in comparison to known Windows 7 values.

Bytes 0-7 are still the file header: 01 followed by seven 00 bytes (a little-endian 64-bit version number of 1, the same as Windows 7).

Bytes 8-15 are the original file size as a little-endian 64-bit integer. Reverse the byte order and convert the hex value to decimal to get the size in bytes. I tested this with the “lets try this” document, which was 36.5 MB. The hex value in EnCase was F0 E2 39 02, read in little-endian order. Reversed to big-endian this is 02 39 E2 F0, which a hex calculator converts to 37348080 bytes, roughly 36.5 MB.

Bytes 16-23 are the deletion timestamp as a standard Windows FILETIME: a little-endian 64-bit count of 100-nanosecond intervals (not seconds) since midnight, January 1, 1601 UTC. DCode decodes it as a 64-bit Windows hex timestamp.

Bytes 24-543 hold the original full path and file name as UTF-16LE text, null-terminated and padded to 520 bytes (260 characters, MAX_PATH).
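Added example (not from the original post): a Python parser for the $I layout described above. The constructed sample record uses the exact size bytes quoted (F0 E2 39 02) together with a made-up deletion time and path. The script also reads the version 2 layout that Windows 10 later introduced (header value 2, with a 4-byte path length in front of a variable-length path); that is a generalisation beyond what this post covers.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(ticks):
    """100-nanosecond ticks since 1601-01-01 UTC -> aware datetime (what DCode computes)."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def parse_i_file(data):
    """Parse one $I<xxxxxx> record.

    Version 1 (Vista/7/8/8.1), the layout described above:
      bytes 0-7    version, little-endian uint64, always 1
      bytes 8-15   original size in bytes, little-endian uint64
      bytes 16-23  deletion time, FILETIME
      bytes 24-543 original path, UTF-16LE, null terminated, padded to 520 bytes
    Version 2 (Windows 10 onward; a generalisation not covered by the post above):
      same first 24 bytes, then a uint32 path length in UTF-16 code units
      (including the terminator) followed by the path itself.
    """
    if len(data) < 24:
        raise ValueError("truncated $I record: %d bytes" % len(data))
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError("unknown $I version %d" % version)
    path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size, "deleted": filetime(ticks), "path": path}


def r_file_name(i_file_name):
    """The $R file holding the deleted content has the same suffix as its $I file."""
    name = i_file_name.replace("/", "\\").rsplit("\\", 1)[-1]
    if not name.startswith("$I"):
        raise ValueError("not a $I file name: " + i_file_name)
    return "$R" + name[2:]


# --- constructed samples; the size bytes are the ones quoted in the text above ----
SAMPLE_PATH = r"C:\Users\forensicator\Desktop\lets try this.txt"


def sample_i_file_v1():
    path = SAMPLE_PATH.encode("utf-16-le") + b"\x00\x00"
    return (b"\x01" + b"\x00" * 7                       # version 1
            + b"\xf0\xe2\x39\x02\x00\x00\x00\x00"       # 0x0239E2F0 = 37348080 bytes
            + b"\x00\xe0\x5f\x48\xcc\x9f\xcd\x01"       # FILETIME, 2012-10-01 12:00:00 UTC
            + path.ljust(520, b"\x00"))                 # 260 UTF-16 code units


def sample_i_file_v2():
    path = SAMPLE_PATH.encode("utf-16-le") + b"\x00\x00"
    return (b"\x02" + b"\x00" * 7                       # version 2
            + b"\xf0\xe2\x39\x02\x00\x00\x00\x00"
            + b"\x00\xe0\x5f\x48\xcc\x9f\xcd\x01"
            + struct.pack("<I", len(path) // 2)          # code units incl. terminator
            + path)


if __name__ == "__main__":
    # For a real record: data = open(r"...\$Recycle.Bin\<SID>\$IABC123.txt", "rb").read()
    for sample in (sample_i_file_v1(), sample_i_file_v2()):
        rec = parse_i_file(sample)
        print(rec["version"], rec["size"], rec["deleted"].isoformat(), rec["path"])
    print(r_file_name("$IABC123.txt"))
```

The size check reproduces the manual byte-reversal above (`struct` reads the little-endian integer directly), and the decoded deletion time is UTC, so it will differ from the wall-clock times recorded during testing by the VM's zone offset.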


USB Drive Activity

To start with Windows 8 USB drive forensics, I assumed it would be pretty similar to Windows 7. I booted up a fresh Windows 8 VM and plugged a thumb drive into my local system. As expected, the VM recognized it. At this point I shut the VM down and opened it in EnCase to look at what had happened. Most of the findings were pretty similar to Windows 7 USB forensics. For example:

  • SYSTEM\MountedDevices

  • SYSTEM\CurrentControlSet\Enum\USBSTOR

  • setupapi.dev.log (<root>\Windows\inf\setupapi.dev.log)

  • SOFTWARE\Microsoft\Windows Portable Devices\Devices, which links the device to its friendly name

This shows that forensics of USB thumb drives in Windows 8 is very similar to Windows 7. There may be new keys created as well, but to prove that a thumb drive was plugged into a system and when it was first plugged in, these locations are sufficient.
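Added example, not from the post: a Python parser for setupapi.dev.log that pulls out each USBSTOR device-install section with its "Section start" time, which is the first-insertion time the paragraph refers to. The log excerpt embedded in the script is constructed to match the real layout; the serials, vendor and product names are invented. The serial is the last component of the instance path minus its "&0" suffix; when its second character is "&", Windows generated the identifier itself because the device reported no unique serial, so it cannot be used to match that drive across machines. Note that setupapi.dev.log times are the system's local time, unlike the UTC FILETIME values found in the registry.

```python
import re
from datetime import datetime

# A device-install section in setupapi.dev.log opens with these two lines; the
# instance path names the device and "Section start" carries the local time at
# which the system first installed it (the first plug-in for a USBSTOR device).
SECTION_RE = re.compile(
    r"^>>>[ \t]+\[Device Install \(Hardware initiated\) - (?P<instance>[^\]]+)\][ \t\r]*\n"
    r">>>[ \t]+Section start (?P<start>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})",
    re.MULTILINE,
)


def parse_usbstor_installs(log_text):
    """Return one dict per USBSTOR install section, in log order."""
    devices = []
    for m in SECTION_RE.finditer(log_text):
        instance = m.group("instance")
        if not instance.upper().startswith("USBSTOR\\"):
            continue                                    # hubs, HID, the USB\VID_ parent, etc.
        _enum, _, rest = instance.partition("\\")
        device_id, _, serial_part = rest.partition("\\")
        serial = serial_part.rsplit("&", 1)[0]          # drop the trailing "&0" instance suffix
        devices.append({
            "instance": instance,
            "device_id": device_id,                     # Disk&Ven_...&Prod_...&Rev_...
            "serial": serial,
            # Windows generated the id itself when the drive has no unique serial:
            # the second character of the serial is then '&'.
            "serial_unique": len(serial) > 1 and serial[1] != "&",
            "first_install": datetime.strptime(m.group("start"), "%Y/%m/%d %H:%M:%S.%f"),
        })
    return devices


def first_seen(devices):
    """Earliest install time per serial (a device can have more than one section)."""
    first = {}
    for d in devices:
        when = d["first_install"]
        if d["serial"] not in first or when < first[d["serial"]]:
            first[d["serial"]] = when
    return first


# --- constructed log excerpt; layout is real, device details are invented ---------
SAMPLE_LOG = r"""[Device Install Log]
     OS Version = 6.2.9200
     Service Pack = 0.0

>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001234567890123]
>>>  Section start 2012/10/01 08:00:01.250
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2012/10/01 08:00:03.100
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\4C530001234567890123&0]
>>>  Section start 2012/10/01 08:00:03.593
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi:      {Build Driver List} 08:00:03.609
<<<  Section end 2012/10/01 08:00:05.120
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1e7fd6a2&0]
>>>  Section start 2012/10/01 09:15:44.010
<<<  Section end 2012/10/01 09:15:46.000
<<<  [Exit status: SUCCESS]
"""


if __name__ == "__main__":
    # For a real log: log = open(r"...\Windows\inf\setupapi.dev.log", encoding="utf-8", errors="replace").read()
    devs = parse_usbstor_installs(SAMPLE_LOG)
    for serial, when in first_seen(devs).items():
        print(when.isoformat(sep=" "), serial)
```

The serial printed here is the value to look for under SYSTEM\CurrentControlSet\Enum\USBSTOR and in the friendly-name entries under Windows Portable Devices\Devices, which is how the four locations in the list above are tied together into one device history.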

 

 

For the next part of this project click here: Windows 8 Forensics Part 2

If you have any comments, questions and/or suggestions, please feel free to leave a comment here on the blog, or email us at LCDI@champlain.edu with "Windows 8 Forensics" in the subject.