Windows 8 Forensics – A First Look

Presenter: Josh Brunty, Assistant Professor of Digital Forensics, Marshall University

Join the forum discussion here.
View the webinar on YouTube here.
Read a full transcript of the webinar here.

Transcript

Jamie: Welcome, everyone, to this latest Forensic Focus webinar! As always, my name is Jamie Morris, and I’m delighted to be joined today by Josh Brundy, Assistant Professor of Digital Forensics at Marshall University in West Virginia.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


Josh is going to be giving us today a first look from a forensic perspective at Windows 8. Now, as far as I’m aware, the official release date for Windows 8 is currently towards the back end of October. So although developers, IT professionals, Microsoft partners and so on will already have had their hands on the final product by the time this presentation goes out, we at the forensic community have probably got around two months or so to try to get up to speed with Windows 8 before it goes on sale to the general public. I’m sure this presentation will help us do that, and I’m very grateful to Josh for agreeing to come on today and share the results of his research with us.

Just one last thing before we begin – we’re taking a slightly different approach this month to questions and answers. There’s not going to be a live Q&A during a presentation itself, so if you do see the Ask A Question button on your screen, please just ignore it. What we’re going to do instead is move to the Forensic Focus forums once the presentation is finished, and there will be a thread in the New Webinars forum, which we can use for discussion, and Josh will be around immediately after the presentation to answer any questions. It’s not quite as immediate as running a live Q&A during a webinar, but it’s probably a better way of both extending and archiving the conversation once the presentation is over.

Okay, without any further ado from me then, Josh, if you’re still on the line, I’ll hand over to you right now. Thank you.

Josh: Absolutely. Thank you, Jamie. Once again, I’m Josh Brundy, Assistant Professor of Digital Forensics here at Marshall, and much thanks to Jamie for letting us come on and share our research here, what we’re doing here at the university. A very exciting time for us in regards to what we’re doing here. Wonderful support from the university to allow us to do this, and one of the things that we do here is we try to at least share the information that our students come up with, that we come up with, and disseminate that to the e-discovery and law enforcement communities. Because this is an extremely big change from previous versions of Windows. This is relatively new, you know there is some changes here that will go away, but we do hope that you take something away from this, and of course as Jamie mentioned, we’ll definitely be happy to answer your questions.

So, a few things that we’ll talk about during this webinar today, is of course an operating system overview, what Windows 8 is all about, what we’re calling the Metro Interface from my understanding changed when… it’s changing the nomenclature a little bit, we’ll talk a little bit about that, but the whole Metro Interface is a big change, not only on the front end of what we’re viewing but also what going to be [unclear] as well. We’re looking at a very networked operating system now, than what we were used to in previous versions. So we’ll talk a little bit of how the OS interacts with external accounts such as Facebook and Twitter and some of the other sharing sites that are common on the internet now. I’ll mention a little bit of file structure and show you what some of the stuff looks like in FTK, there are some screenshots in this presentation… and talk a little bit about the forensic artifacts that we can gather from Windows 8 as a whole. One of the newest things that’s coming out is Immersive Browser Artifacts and of course any operative system presentation would not be complete without some discussion of registry artifacts. I hate to break it to everyone, but Windows, Microsoft in general, is keeping the registry around, and it doesn’t look like it’s going anywhere anytime soon. So we’ll speak a little bit about the changes in the registry that are coming down the line.

Also, we’ll spend a little bit of time – and this is something that I would like to gather some discussion on the message board as well – of this resilient file system which is supposed to be kind of a replacement to the NTFS file system, and I guess you could sort of [unclear] as well, but primarily made for a replacement to NTFS. So I’d like to get a little bit of discussion started on that, because that’s gonna be a big change for us as examiners, so how we’re going to encounter that.

So to give a quick overview about Windows 8, it’s of course the newest operating in Microsoft’s line of OSes. It’s set to release in late 2012. As of Sunday I believe, they just released their RTM (release to manufacturer) version, there were two previous versions prior to that. Now the version that I’m working off of was the Release Candidate 1 basically, so this is actually one build behind, which is the version that came out, I believe it was June 5. So we’re already behind, this is, kind of, I wouldn’t say stale information, but we’re also one build behind. The newest release is due out in October of 2012, specifically after the 26th. So once that is released we’ll probably dissect that version of the OS because we’re pretty static on what artifacts are going to be there, and maybe keep this discussion going on what is changing in this.

But the big thing is, we’re looking at a new Metro-style interface, which Windows is terming as Modern now, rather than Metro. They’re claiming that “Metro” was the codename. What they’re saying is Metro-style now is going to be Modern in October, and it was designed primarily for touch-screen, mouse, keyboard, and pen input. So it looks a lot like the current Windows Mobile version that is out right now. I’m going to shoot up a screenshot of Windows 8 as it currently looks, and as you can see it’s a little bit different from previous versions Windows XP, Vista, and 7. You’re looking at more of a tiled interface, so it’s basically – you can see that they’re gearing it more towards the tablet PC or the touch PC market. To me it looks like they’re to merge the mobile market together with the PC market, eventually try to make one unified operating system, at least it looks like that to me. As you can see, there’s various tiles on there. You can see up there at the top and the center is a Photos tile, there’s a People tile, a Messaging tile… we’ll talk a little bit in detail about what these tiles actually are and the artifacts that are located within these tiles in general. It is a little bit different than what we’ve seen in Windows 7. So this version of Windows, even though the release-to-manufacturer is free for download, I would strongly recommend taking this up from MSDN Microsoft and play around with it a little bit. Just, even for your own curiosity, to get a feel of what Windows 8 is going to be like, because of course we’re going to be moving into it soon. So as examiners, and as standard users it’s probably good to pick that up and get used to it at least from a certain perspective.

Now, one of the things that I’ll bring up here – a lot of the stuff, a lot of the artifacts that I’ll be bringing up here shortly is coming out of what I call the Local folder. If you remember Windows 7, and even Windows Vista and XP, there was that Local and Roaming profiles that were available, and each of them had their certain forensic artifacts. Most of the stuff that we’ll be talking about for the sake of this presentation comes out of the Local folder, and of course there’s a screenshot there from FTK, and it’s not a really big change from Windows 7, it’s just we have some different folders within that Local profile, that we haven’t seen in previous versions of Windows, specifically Windows 7.

So one of the things that they really changed in Windows 8, that wasn’t prevalent in Windows 7, was the inclusion of Metro apps, and those Metro apps are displayed on the Metro desktop. So I was referring to those tiles – each of those tiles in a sense is its own Metro app. So thinking about maybe not so much as a program or an installed program on a PC, but think of it more… let’s go into the world of Apple and Android, where you’re adding apps into the operating system. They’re not considered programs, they’re applications. That’s what Windows is trying to do with Windows 8, they’re trying to re-coin that terminology that these programs that we’re installing are essentially apps. So each app has its own tile, which is essentially nothing more than a link file, that’s associated with them, and it’ll display who created that app and the app’s location. Now, this data is basically located in plain text, under the hood of the operating system. And for the sake of time, we’re not really gonna dive that deep into where a lot of the stuff is located, but just kind of hit the highlights of what we’re seeing.

Now, one of the things, and you can see that in red text here, that what we call the “Immersive App”, which is the Metro App, has its own registry file. So what I’m saying there is, you’re looking at programs in Windows 7 and Windows XP, they basically generated their own registry settings, they had their own stuff inside of the registry. Now, consider that the Metro Apps in a sense kind of has its own embedded registry in each application. So, as we move on in this presentation, you’ll kind of get a better understanding of what I’m trying to tell you here. I know that for some of you that may be kind of foreign, you’re probably lost there. I promise I’ll try to clear that up. I’m not the best with words, so we’ll just kind of move along here and kind of see what we’re looking at.

Now, when I talked about the link files in general, going back to the tiles themselves, there are application shortcuts that are in there, and I have a screenshot from FTK that gives you an idea of what you’re looking at. So if you remember, going back to the screenshot of Windows 8, some of these tiles looked familiar to you. You probably saw right in the center there, the Pinball FX 2 tile that was located there. So notice that these are pretty much, they look a lot like the [.lnk] files that we previously saw when we created shortcuts on the desktop. It’s just pretty much the same thing, we have application shortcuts that are being created for each one of these tiles that are being generated on the home screen of Windows. So kind of a change there from previous versions, what we’re seeing, but pretty much the same premise in general.

So let’s go in to and dive a little bit into the Metro Application artifacts. [What I mean by Metro App is] each one of those tiles that we install. SO a majority of these apps in Windows 8 are connected to the internet with a Windows Live, what we call a Microsoft account. I use Windows Live because that’s what it was currently called, but Microsoft has coined that to be called Microsoft Account now. And each of these apps is pretty much considered to be what Windows calls an “immersive” environment. So when we term the coin immersive, it’s when we’re clicking on that tile, we’re bringing it up, we’re having multiple apps open at once, it’s what we call an immersive environment. What we mean by immersive is, within each app you can access other apps. So Microsoft says that in a sense that app becomes the operating system, and that’s a little bit different than having a program running on top of the operating system. What they’re trying to do is they’re trying to make that app kind of a front page of news that you’re look at for that specific time. Going back, and this is really almost an Apple thing, [unclear] the front page of it, you don’t really shut down that app. You’re minimizing that app, you’re putting that app in the background and you’re accessing another app, without closing that original app. And that’s what Microsoft’s doing here. Well, because of this immersive concept, because we’re trying to keep multiple programs open at once, each of these applications are going to have a ton of Internet artifacts. So that is interesting in itself, and that’s the reason I put it in red. This is going to be extremely useful to us. Now, I don’t know if that’s gonna be the same when the final release version comes out in October. I don’t see how it can not be, so that’s why I’m including it at least in this presentation, of saying that this has its own internet artifacts.

So three specific locations that we want to talk about here, where these Metro Apps are located, we have the cache, cookies, and history – now this is legacy from previous versions of Windows. You know, if you look in Internet Explorer, there’s three places that you’re looking – cache, cookies, and history. This is a little bit different. [Each Metro app], regardless of it’s the Microsoft X-Box Companion, or Internet Explorer, or a weather app from the weather channel, it’s going to have this cache, cookies, and history, because it’s considered immersive in general. Now, notice that I’ve included the path there for you that says, I just included “MetroAppName”. So, that general Metro App Name is going to be whatever Metro App, you know, title that’s going to be… right now it’s located in the sub-folder called AC, and there’s three specific locations. The very top one is INetCache, and you can see on the second one there’s an INetCookies and an INetHistory. Now, the INetCache of course, that’s the web cache that’s specific to that specific Metro App. So if we’re looking for weather, say, in [unclear] Huntington, West Virginia, that cache is going to cache that data, that I included, or at least that I looked up the weather in Huntington, West Virginia. There’s also cooking files that are specific to that Metro app, and that data right now is contained in a text file, almost like a Metro App web history kind of deal. And then you’re looking at Metro App history, which is the INetHistory folder, and that is pretty much history files that are specific to the Metro App, and the format of the data is consistent with previous versions, so you’re almost seeing what you saw in IE 7 and 8 and versions of Windows 7, except you’re looking at it for this specific application. So, a little bit different there, a little bit different direction that Windows is taking with Windows 8 in that regard.

Now, here’s another one to take into consideration, and I don’t know if this is going to be in the October released of Windows 8, but right now we’re dealing with two separate versions of Internet Explorer 10. Right now we have the immersive, which is the tile version that you have, and in the released versions of Windows – I don’t know if this is the case for the newest one, this is something we’ll probably bring up on the discussion boards – is, did the desktop interface stick around? And one of the things is, right now we have two separate versions of Windows. You have the legacy, desktop version that we’ve included, or you can jump over to this, you know, immersive, that I included the screenshot earlier. So right now there’s two separate versions of IE10 in a sense – the immersive and desktop. And I’ve included the artifacts from that browser for both the immersive, which is the first one listed, and the desktop IE, so where that history is located. So that’s the website the user visited while browsing with IE 10. Now, there’s also tiles that you can pin as favorites as well, so if I were to bookmark forensicfocus.com as a favorite tile, those roaming would show up there, that I’d pin down as a tile, within that folder there. So that seems to show up for both the desktop and the immersive. So you have two separate versions that are kind of like, I guess, swamping artifacts in a sense. So I don’t know if this is going to stick around in later versions of IE, I just down know. It’s kind of wonky, it doesn’t make sense, I don’t know why Microsoft will continue on with this kind of setup, but of course that’s what we’re looking at now.

One of the big things that changed in Windows 8 of course, and we’ll talk about it a little bit in detail, is a Communication App. And that is when we’re [coining] Communication App, that is essentially the user’s email, chat clients, Facebook, other social networking sites like Twitter, pretty much anything that allows the user to interact with another person, Microsoft is throwing into the Communication Apps. My sneaky suspicion, in everything that I’ve read, when the final version of this is released, they’ll probably lump all this into an app called People. I don’t know how that exactly is going to look, but from everything I’m reading, Communication App is probably going to become what we call People. So I really don’t know at this point, but from every indication this is what it is right now.

You can see if I go into the People app right now, this is our Marshall Digital Forensics, this is a Twitter page that we have set up, and you can see that this is kind of lumping in Twitter, it’s lumping in Facebook updates, I can basically follow Facebook status updates, Twitter status updates, friends that I’m following, everything is being lumped into here. Now, the good thing about this is all this Facebook stuff is being, it’s almost like an RSS feed, it’s feeding in, it’s posting, but as it posts it also caches. Now, go back to previously what we talked about, not only does the IE or Xbox Companion have cache artifacts, the People app also has cache artifacts. So the things that made it so hard to view Facebook artifacts before may make it a little bit easier for us to find these artifacts in the cache history that’s in Windows 8, so that’s a good thing for us. We’re able to pull back Twitter messages that we would have to go the search warrant route before, or Facebook messages, communication that we would have to go through the legal channels before, is now being cached upon that computer. So in some cases, this may save a little additional legwork on the law enforcement end, or even the e-discovery end, about the way or the methodology that Microsoft is using in this People application. So, how very interesting.

And you can see here too, these are Twitter and Facebook contacts that have been added. What we did is we had some fake Facebook profiles, we had a fake Twitter profile, and what happened when we created that is these people were just lumped into the People application, so you can see there, some people that we started following on Twitter mixed in with Facebook friends. So that’s the whole unified application that we’re gearing towards here. Very interesting. You’ll see down the bottom right hand corner, if it’s not too blurry, it shows what we’re connected to. We’re connected to Microsoft, we’re connected to Facebook, Twitter, and Google+. So we’re also connected to Gmail or email, it pulled our Gmail contacts into this People app as well. So it may be kind of hard to show, okay, was this person a Facebook friend, was it a Google+ person, or was he a Twitter person. It’s going to be kind of hard to tell that, but at least we have some caching information there, that they, the web was established, that they may have been friends. So, very interesting.

I did include the Communication app artifacts, as you can see there’s a Communication app web cache and cookies. Of course it all comes down to that INetCache and INetCookies folder. There is an INetHistory folder, but it doesn’t really log in much, nothing really… didn’t really get it to populate much information, but there is cache and cookies for communication apps, so we’re able to pull a plethora information from there, or the potential to pull a plethora of information from there.

We also have user contacts that you can pull from the communication apps. Now, hang with me here, I don’t know if this is going to be true for the final version of Windows 8, but within the communication apps, each contact that I showed you in that screenshot earlier has what we call, you can see at the end of this long string of text here, the gobbledygook here, the edb###.log. So when user content is dumped into this People application, there’s a .log file that is created that will tie a specific user tile and a specific user to a contact and picture basically, so it knows where to feed from. Now, one of the things that I’m trying to do some further research on is how is Windows knowing to pull that information from Twitter. That’s stuff that we’ll have to dig a little bit deeper on as these final release versions are coming out, to see exactly how these user contacts are interacting. At this point, I [just] know where it’s located, and know that that’s sort of a .log file.

You can see that there’s a user tile associated with Contact and I don’t really have a hands-on demo to show you here, but you can see here that long string of text, if you were to follow that, it goes back to the user’s Windows Live email address. So that’s part of that text string. You’re looking at the AppCurrentVersion, DBStore, and UserTiles, so all those user tiles are numbered numerically. [unclear] back to that specific number and then match it to that log file that I showed you in the previous slide. So, the interesting part about that is we can match Twitter and Facebook postings to a specific tile, so if a suspect is saying, “I don’t know that person” or “I’m not friends with that person”, but within the Communication app there’s artifacts that are cached and that say otherwise. Or there’s a person we were able to [unclear] another person’s PC, and they deleted it within their online Twitter account, but with this cache on the PC itself, we may be able to tie that [unclear]. So it is kind of complicated in a sense but we do have that luxury to be able to associate a tile with a contact and specific postings back to a certain contact. It just hard to determine where it came from at this point.

So, with that being said, I wanted to mention a little bit more about the Windows registry. There are some significant changes in there that we see. However, if you were to dig a little deep into Windows 8 and look under the hood, you’ll notice that the traditional registry files are still present. That’s a good sign for us – the SAM, SYSTEM, SOFTWARE, AND SECURITY files are still there, they’re still intact, they look exactly like they did, back in the Windows XP, Windows 2000 days. The same artifacts are being put there, there are still NTUSER.DAT files for each user that’s generated. So Windows is pretty much doing the same thing registry-wise under the hood. However, there are some new stuff that’s located in there. Now, one of the [new] things that we were able to see right off the bat is there are some new registry files in Windows 8, one of them is the Early Launch Anti-Malware, the ELAM. One of the things about that that they’re looking at, is this is kind of a new coining of what we knew previously as Windows Center [gap] anti-malware client and a lot of that information is going to be logged in that Early Launch Anti-Malware registry key. I don’t know at this point, this is almost like a placeholder for probably later versions of Windows, maybe even server versions of Windows. There’s just not a lot going on in that ELAM file right now to say a whole lot about it. We also have a BBI, which is a browser-based interface. Now, this BBI, you’ll see used more later on in later versions as the Metro internet browser, you know, [unclear] IE10, what we know it as now, continues to evolve. So they’re sending us out a registry key for that browser based interface, to log information in the future. We also have a SETTINGS.DAT. Now this is how the reiteration of some older Windows legacy technology that we see, but that is more of a user profile registry key. As I see in, there’s a lot of research being done in Windows 8, I believe John [Barbara] is doing some stuff on Windows 8 registry as we speak. I didn’t really dive that deep into it, but he’s starting to put out some stuff on Windows 8 registry himself. Stay tuned, a lot of people are going to dissect this and really do a lot of stuff with this. For the sake of this presentation, you can almost do a whole presentation on Windows 8 registry artifacts itself that covers a lot of specific keys. I’m just going to touch on a few of the ones that stick out initially.

One of the things that I noticed in the NTUSER.DAT file was one of the legacy keys that we saw in previous versions was TypedURLs, which showed us in Internet Explorer wherever a person is typing URLs to go to. Now, in addition to this new Windows 8, you also see a TypedURLsTime that’s showing up. So this is basically a LINUX, UNIX based time that can easily be decoded to any type of time conversion utility for you folks that have used Decode before, you can paste that in as a Windows DOS time and do the conversion, it’ll convert that to a Coordinated Universal Time for you. So they keys are in there, they’re plain text, very easy to convert. You can even do a [unclear] if you know what you’re doing, know your way around, you can make this [unclear] very easily. So, just a new key, kind of an added bonus for us digital forensics examiners to verify the time of the typed URLs with this new registry key. So I thought that was a good thing.

Some new software artifacts that we added, that we see added, was the Metro Apps installed on the system – you can see that the applications there, we can look in the software and see what Metro apps were being installed, we didn’t really dive in the deep to uninstalling Metro apps to see if those artifacts were to go around, that may be something that we can play around with when we get to the messy forum of discussions to see if anyone has done that. They also have user account installed Metro apps, which is based upon the secure identifier, which is one of the old Windows legacy things, so we can look at the SID number and see who installed what Metro app, and that could help us determine what user was behind the keyboard when this certain artifact was cached within that specific immersive application.

Some new SAM artifacts that are around, we also have a Internet User Name, which is unique in itself. Now, remember earlier in the presentation I talked a little bit about how Microsoft is using their Login accounts. You can either use your Microsoft Account to log in or you can create a local machine password. Now, those are being stored in the same manner, they’re hashing those passwords, and there’s sort of like a hash and cache kind of thing, you know if you’re using the Microsoft password it will cache that password and hash it, and keep it on the local system. But there is an internet user name that’s being generated in that SAM artifact. There’s also a user tile that’s being generated in the SAM artifact. Don’t know if that’s going to stick around, looks like it will, in later versions, but there is a user tile so, like earlier versions, you can associate a picture with your user account, well, you’re doing the same thing in Windows 8. Windows 8 has a lot of… get used to the word tile because that’s [unclear]… the user’s tile can be tied back to a specific user based upon this registry key, so you can see what user has what user tile.

So some of the other unique artifacts that’s worthy of talking about – there’s two swapfiles in Windows 8, and we also had the pagefile.sys, which is a legacy pagefile with memory sharing… for you folks who don’t know a lot about swapfiles, a swapfile is [unclear] just some virtual memory on the PC, you see a lot of data being dumped into the pagefile.sys. Now, for some of us older users, you remember a swapfile.sys in earlier versions of Windows. Well, they’re bringing that back, and I don’t know what reason they’re bringing that back at this point, other than the fact that there’s going to be a lot of data sharing between RAM and the actual swapfile itself because of this immersive experience. You’re going to have a lot of applications running at one time. So we’re really gonna be taxing on this pagefile and swapfile.sys, and there’s going to be a lot of data there, so if we were [gap] you’re going to see that data in there. There’s also ISO Automount, which [gap] basically, whenever you’re dealing with ISO files, [unclear] you don’t have to use a 3rd party utility like ISO Buster [unclear] to dissect an ISO [unclear] for us folks [unclear] we use a lot of ISO [unclear] resilient file system [unclear] of including this as a non-bootable partition for the server operating system. Now, this will be interesting because this [unclear] under wraps very well. So when this comes out, it’s going to be interesting to see how this is constructed. Is it going to be significantly different from NTFS or is it not? There are some white papers that Microsoft has published to give a little hint of what is there. There’s also some artifacts in Windows 8 that kind of show, maybe what the resilient file system [gap] using a resilient file system for two major reasons. One of the things is file history. And there’s [gap] how it was accessed, and where [unclear] artifacts to be there. Also, there is a storage pool [gap] which is kind of a resilient storage area. Looking at more [unclear] not getting into the specifics of it, but the resilient storage area [unclear] on the specific PC. It utilizes a lot of different [unclear] methodologies that we can store data, such as cloud data and stuff like that. [unclear] And makes it very, very [unclear] how the data is accessed. [unclear] ask questions or even make comments. I’m kind of a newbie when it comes to [unclear] I personally like to see what other have to people think. To me that’s kind of [unclear]

So that being said, [unclear] before I turn it back over to Jamie, you can copy this down, you can shoot me an email at any time, [unclear] anything that I can do to help. Plus there’s a website on there [unclear] I’ll be glad to answer your questions [unclear] just contact me. So that pretty much does it. I’m going to turn it back over to Jamie now, and we’ll just go from there. Thanks!

Jamie: Thank you, Josh. Can you still here me?

Josh: Yes, sir! I can!

Jamie: You can, okay. That’s fantastic. Just for people listening, we as always, ran into some audio issues at the start of this, but I’m glad I’m still online. Okay, Josh, that was a fantastic presentation. Thank you very much. I know you’ve agreed to join us in the forums for half an hour or so to answer any questions which people might have. So again, my sincere thanks to you for your time. Thank you, Josh.

Josh: Thank you.

Jamie: Okay, if you’re listening to this presentation at the scheduled time and you do want to ask Josh any questions or discuss what you’ve heard today, please head over to the forums now at forensicfocus.com, choose the Webinars forum from the forum list, and there should be a thread for this particular presentation. Of course, if you’re listening to the archived version at a later date, Josh probably won’t still be around – not in real time at least, but you probably can still go to the same forum and join in the conversation there. Okay, that brings us to the end of today’s webinar. My thanks again to Josh, but also to you for joining us. I hope you found it worthwhile, and I look forward to seeing you again next time. Until then, bye-bye!

Leave a Comment