±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 36783
New Yesterday: 0 Visitors: 121

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Windows 8 Forensics - A First Look

Discussions related to Forensic Focus webinars. Please use the appropriate topic for each webinar.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2, 3, 4  Next 


Re: Windows 8 Forensics - A First Look

Post Posted: Aug 29, 12 21:52

- uriel98

If it's not too late i'd like to know a bit more about Windows 8 shadow copy system (compared to windows 7 / Vista)

It seems that it is not in the presentation (after the registry)

Kind regards

Jean-Philippe Noat

Microsoft's VSS Service has been rebranded for Windows 8 to be called "File History." I have a gut feeling that MS will continue to tweak this service from now (the current beta release) until the final release to public version so I'm reluctant to say for sure where artifacts will be in regards to this service (what I found on file history changed from the first beta to the beta released this month).

Back in June, Kenneth Johnson gave a great Webinar via SANS that discussed File History Services, which he briefly discussed what it is, how it’s configured, and its artifacts. This research can be found on a link in his blog or you can click here:


He’s even released his own RegRipper Plugin for the HKU File History key here:


Hope this helps Smile  


Re: Windows 8 Forensics - A First Look

Post Posted: Aug 29, 12 21:56

- soloman
Will PsTools work on this Windows 8, as how its been very useful all the while

From my experience TechNet's tools usually work well in Microsoft's new OS releases (at least my fingers are crossed that they will). Most of the PStools call data from the registry (and the registry really didn't change significantly from Windows 7 to Windows 8).

You could always download the free beta from Microsoft; install and find out Smile if you do, repost here as that tool suite has some pretty cool utilities  

Last edited by brunty11 on Aug 29, 12 22:02; edited 1 time in total

Senior Member

Re: Windows 8 Forensics - A First Look

Post Posted: Aug 29, 12 21:59

Several time I tried to log into this, and the connection failed. I tried it through several network, and several carriers...  


Re: Windows 8 Forensics - A First Look

Post Posted: Aug 29, 12 22:21

Caught up on YouTube - some interesting points there. Will now download the evalutation version and have a play around.

Thank you for the presentation.  

Senior Member

Re: Windows 8 Forensics - A First Look

Post Posted: Aug 29, 12 23:24

Thanks for doing the webinar,

I'm going to watch the rest on Youtube. 8 sounds like it has some interesting possibilities.
Greg Marshall, EnCE 


Re: Windows 8 Forensics - A First Look

Post Posted: Aug 29, 12 23:51

There still seems to be some questions as to where your default created files will be stored.

In the past, since I believe Win95, you could look for where your login's profile's Document folder/directory was located. Then in Win7 came along the development of Libraries.

From what you have explored and read and researched, does the Non-bootable partition known as the Resilient File System have much to do with this ?

In the past, you could pretty much learn where the default file creation was going to be determined by where Microsoft's Office's product was set-up to do. It has always looked to the operating systems default.

Well, in the July newsletter "Windows Secrets" Review of Office 2013 Consumer Review, they found,
When you first install Office 2013 Consumer Preview, you sign in using your Microsoft account (formerly called your Windows Live ID). By default, all the files you create and work with will be saved to SkyDrive (Microsoft Cloud service).

In this review, they did indicate that you can change this to "Your Computer", BUT how many standard users will know to make this change, and does this not make it a primary task to first, in Win8, to learn where the files are DEFAULTLY being stored ?

If it is found that they have not changed this from the SkyDrive, potentially, you then have to go to Microsoft for access to these private files and this could be a legal nightmare ?

Can you shed some light upon this potential discovery ? Question

In your talk, you indicate that Win8 seems to have been changed to be more like a functioning Browser ( sort of following the early changes to pre-EU Commission demanded changes for Win95/8 ). Have you looked into the effect of their use of SkyDrive and how this may have directed some of the direction of their design in your review and use of Win8 ?

I will check back later for any responses. I thank you for your time and effort in this very interesting presentation.

HWallbanger Smile  


Re: Windows 8 Forensics - A First Look

Post Posted: Aug 29, 12 23:59

I would like to also bring to your attention, that the last presented slide (Pg. 25), your audio was very sporadic and a lot of what you had said could NOT be heard OR understood.

Could you possibly provide some links to the related information you were trying to tell us ? This way, with what each of us may have heard, we can go to the resource documents and read and pick-up what we may have missed. Idea

Again, Thanks for your time and efforts ! Very Happy Exclamation

Sincerely, Hwallbanger  

Page 2 of 4
Page Previous  1, 2, 3, 4  Next