Windows 8 Forensics - A First Look  

Jamie
(@jamie)
Community Legend

Please use this topic for discussion of the webinar

Windows 8 Forensics - A First Look

presented by Josh Brunty, Assistant Professor of Digital Forensics at Marshall University.

If you encountered any problems viewing the webinar, please try the YouTube version here. Additionally, a PDF with slides from the presentation can be found here.

Kind regards,

Jamie

Posted : 29/08/2012 8:48 pm
4n6art
(@4n6art)
Active Member

Thank you Jamie!
-Art-

Sorry everyone, looks like Meetingburner can't handle the volume - please try the YouTube version at http://youtu.be/uhCooEz9FQs

Posted : 29/08/2012 9:13 pm
gmarshall139
(@gmarshall139)
Active Member

I got as far as the mention of "apps" having their own local storage space. Any indication that user data will be archived by Windows, or will this be up to each app?

Thanks,

Posted : 29/08/2012 9:47 pm
brunty11
(@brunty11)
New Member

Hey folks, it's Josh Brunty and I'll be monitoring this message board thread throughout the day for any questions you might have regarding Windows 8…

To those interested, I'd suggest downloading and playing with the newest Windows 8 Release Preview, which you can obtain from Microsoft from the following link:

http://windows.microsoft.com/en-US/windows-8/download

Also, here is a TechNet overview of the features to be included in Windows 8 (Microsoft is changing the names of some features again), so this is a good repository of those features that are available:

http://technet.microsoft.com/en-us/windows/explore-windows-8.aspx

Once again, thanks for the interest in the presentation (so much so we crashed the meeting room).

-Josh

Posted : 29/08/2012 9:48 pm
brunty11
(@brunty11)
New Member

I got as far as the mention of "apps" having their own local storage space. Any indication that user data will be archived by Windows, or will this be up to each app?

Thanks,

Well, Microsoft has constructed the metro app to cache files much like an internet browser caches for quick access to data when it's opened up again. Such caching can be turned off in settings, but I don't know if app developers can do it with a specific app or not. Most of them won't as it degrades and slows the "speed" of their app loading.

This is great for us as it gives us a lot of residual cache data to examine and piece together in a given investigation. However, expect Microsoft to possibly secure this open cache in future service packs to mitigate any security issues that might hijack such cache data…

Posted : 29/08/2012 10:15 pm
uriel98
(@uriel98)
New Member

Hi,

If it's not too late, I'd like to know a bit more about the Windows 8 shadow copy system (compared to Windows 7 / Vista).

It seems that it is not in the presentation (after the registry)

Kind regards

Jean-Philippe Noat

Posted : 29/08/2012 10:33 pm
soloman
(@soloman)
New Member

Will PsTools work on this Windows 8, as how it's been very useful all the while?

Posted : 29/08/2012 10:34 pm
brunty11
(@brunty11)
New Member

Hi,

If it's not too late, I'd like to know a bit more about the Windows 8 shadow copy system (compared to Windows 7 / Vista).

It seems that it is not in the presentation (after the registry)

Kind regards

Jean-Philippe Noat

Microsoft's VSS Service has been rebranded for Windows 8 to be called "File History." I have a gut feeling that MS will continue to tweak this service from now (the current beta release) until the final release to public version so I'm reluctant to say for sure where artifacts will be in regards to this service (what I found on file history changed from the first beta to the beta released this month).

Back in June, Kenneth Johnson gave a great webinar via SANS that discussed File History Services, in which he briefly discussed what it is, how it’s configured, and its artifacts. This research can be found on a link in his blog or you can click here:

https://docs.google.com/file/d/0B3HVXW6sJsoCS09qZjFOUTdvTjg/edit?pli=1

He’s even released his own RegRipper plugin for the HKU File History key here:

https://docs.google.com/file/d/0B3HVXW6sJsoCYWpBSEoySHFsTDg/edit?pli=1

Hope this helps :)

Posted : 29/08/2012 10:52 pm
brunty11
(@brunty11)
New Member

Will PsTools work on this Windows 8, as how it's been very useful all the while?

From my experience, TechNet's tools usually work well in Microsoft's new OS releases (at least my fingers are crossed that they will). Most of the PsTools call data from the registry (and the registry really didn't change significantly from Windows 7 to Windows 8).

You could always download the free beta from Microsoft; install and find out :) If you do, repost here, as that tool suite has some pretty cool utilities.

Posted : 29/08/2012 10:56 pm
jhup
(@jhup)
Community Legend

Several times I tried to log into this, and the connection failed. I tried it through several networks, and several carriers…

Posted : 29/08/2012 10:59 pm
Aardvark
(@aardvark)
New Member

Caught up on YouTube - some interesting points there. Will now download the evaluation version and have a play around.

Thank you for the presentation.

Posted : 29/08/2012 11:21 pm
gmarshall139
(@gmarshall139)
Active Member

Thanks for doing the webinar,

I'm going to watch the rest on YouTube. 8 sounds like it has some interesting possibilities.

Posted : 30/08/2012 12:24 am
Hwallbanger
(@hwallbanger)
Junior Member

There still seem to be some questions as to where your default created files will be stored.

In the past, since I believe Win95, you could look for where your login's profile's Document folder/directory was located. Then in Win7 came along the development of Libraries.

From what you have explored and read and researched, does the Non-bootable partition known as the Resilient File System have much to do with this ?

In the past, you could pretty much learn where the default file creation was going to be determined by where Microsoft's Office's product was set up to do. It has always looked to the operating system's default.

Well, in the July newsletter "Windows Secrets" Review of Office 2013 Consumer Review, they found,

When you first install Office 2013 Consumer Preview, you sign in using your Microsoft account (formerly called your Windows Live ID). By default, all the files you create and work with will be saved to SkyDrive (Microsoft Cloud service).


In this review, they did indicate that you can change this to "Your Computer", BUT how many standard users will know to make this change, and does this not make it a primary task to first, in Win8, to learn where the files are DEFAULTLY being stored ?

If it is found that they have not changed this from the SkyDrive, potentially, you then have to go to Microsoft for access to these private files and this could be a legal nightmare ?

Can you shed some light upon this potential discovery ? ?

In your talk, you indicate that Win8 seems to have been changed to be more like a functioning Browser ( sort of following the early changes to pre-EU Commission demanded changes for Win95/8 ). Have you looked into the effect of their use of SkyDrive and how this may have directed some of the direction of their design in your review and use of Win8 ?

I will check back later for any responses. I thank you for your time and effort in this very interesting presentation.

HWallbanger :)

Posted : 30/08/2012 12:51 am
Hwallbanger
(@hwallbanger)
Junior Member

I would like to also bring to your attention, that the last presented slide (Pg. 25), your audio was very sporadic and a lot of what you had said could NOT be heard OR understood.

Could you possibly provide some links to the related information you were trying to tell us ? This way, with what each of us may have heard, we can go to the resource documents and read and pick-up what we may have missed.

Again, Thanks for your time and efforts ! :D !

Sincerely, Hwallbanger

Posted : 30/08/2012 12:59 am
Jamie
(@jamie)
Community Legend

I would like to also bring to your attention, that the last presented slide (Pg. 25), your audio was very sporadic and a lot of what you had said could NOT be heard OR understood.

My apologies for that. A problem with Skype forced me to dial into the conference bridge on that last slide from a landline and for some reason the recording system didn't like it!

I'm sure Josh will be happy to point you in the right direction as far as resources are concerned.

Jamie

Posted : 30/08/2012 3:13 am