Greetings,
I am not sure how many have seen this floating around, in case you missed it, I am passing the link here as well. I recently completed my Grad level Forensic class, and I have posted my research paper on my blog.
It Covers Windows 8 and includes
Some New Registry Values
FileHistory Artifacts
Restore/Recovery Options Artifacts
http//randomthoughtsofforensics.blogspot.com/
I am currently delving into the FileHistory and Restore/Recover Options more and will be updating my blog to reflect this research.
Enjoy, and I would love any Feedback.
Interesting read, nice work sir. With regards to Metro, when you say "instead they keep their information in the respective program folder within AppData", do you mean within a "Metro" folder or within a seperate folder for each item? In which case, is there a file which informs Metro which tiles to display, and in what order?
for the ones in the demo, they are in their own unique folder.
The naming convention for those folders are
microsoft.<appname>_3wekyb3d8bbwe
Within that folder are
INetCache
INetCookies
INetHistory
Temp
For the rest of your question, I did not delve deeper into the metro apps, something that I plan to, but until the functionality of cloudsync/storage is fully operational, there are other areas that interest me.