How to recognize a Windows 8 system?

I'm really surprised by that…I keep getting LinkedIn connection requests from people who want to connect with me for no other reason than they follow my blog…so I kind of thought everyone caught this…

http//windowsir.blogspot.com/2012/11/forensic-scanner-has-moved.html

My employer made me move the Forensic Scanner to the corporate GitHub site.

that right. i remember reading that now. confusion because the link posted went to the google code page, and googling "carvey forensic scanner" doesnt clear it up.
maybe put a link on the google code page to redirect?

cheers

Again, people keep telling me, "…I follow your blog…"…

OK, found some answers

1- The "System Reserved" partition is larger on Windows 8 (350 MB) than on Windows 7 (200 MB).

2- The file structure is pretty much the same, except that the Modern apps each have a folder under the following path \\Users\<username>\AppData\Local\Packages.

…except that the Modern apps each have a folder under the following path \\Users\&lt;username&gt;\AppData\Local\Packages.

Can you share where you found these answers?

The course manual from AccessData Windows 8 Forensics Training.

As ReFS isn't available yet, the file system will most likely be NTFS.

OT, but not much, yes and no.
Yes, the filesystem will be 99.9999% NTFS but no, ReFS is seemingly already available (with some fiddling and caveats, but possibly a good subject for initial reasearch)
http//reboot.pro/topic/15466-refs-formerly-protogon-in-windows-8-the-new-filesystem/

jaclaz

OT, but not much, yes and no.
Yes, the filesystem will be 99.9999% NTFS but no, ReFS is seemingly already available (with some fiddling and caveats, but possibly a good subject for initial reasearch)
http//reboot.pro/topic/15466-refs-formerly-protogon-in-windows-8-the-new-filesystem/

Following the link and reading the page several times, I doubt that you're going to see a home or corporate user go back and get a copy of the Developer Preview, go through these steps and end up with a working, functioning copy of Windows 8 on ReFS/Protogon.

As far as I know ReFS only made it into the server variant of Windows 8, which now should be Windows 2012 server.

For those willing and able to do the hard work on the file system give Willi Ballenthin and/or me a mail
http//code.google.com/p/libfslibs/downloads/detail?name=Resilient%20File%20System%20%28ReFS%29.pdf

I have not encountered a Windows 8 system yet.

Have you tried downloading an evaluation installation of windows 8?

FYI, I also contacted Guidance and they said that Windows 8 analysis will be supported in v7.06. Windows 8 installation will be supported "in an upcoming release of V7". ReFS is not supported and the do not know when it will be. No support for Windows 8 in EnCase 6.

No idea what you or Guidance mean with support of Windows 8? Does it mean you can run EnCase 7 on Windows 8? Who knows maybe they are going for a tablet version 😉

Are they supporting one or more of the following features introduced in Windows Vista by now?
* VSS
* Windows Search
* TxF (Transactional NTFS)
* TxR (Transactional Registry)

I doubt that you're going to see a home or corporate user go back and get a copy of the Developer Preview, go through these steps and end up with a working, functioning copy of Windows 8 on ReFS/Protogon.

Yep, that will be the excluded 0.0001% wink

BUT it seems like it is alright there in the Server version.

AND the (bad) news - still somewhat off-topic, and most probably not even really "news" - are that programmatically to distinguish recent MS OS's (since Vista) has been made more complex, see
http//msdn.microsoft.com/en-us/library/windows/desktop/ms724833(v=vs.85).aspx

jaclaz