windows 8.x forensics 1.0
Forensic artefacts from Windows 8 & 8.1
OS Evidentiary Artefacts
Version 1.0
Brent Muir – 2014
OS: UEFI
Secure Boot
File Systems / Partitions
Registry Hives
SOPs
Artefacts: Internet Explorer
Search History (Charms Bar)
Picture Password
Applications (Apps)
▪ Email (Mail application)
▪ Unified Communication
▪ Skype
▪ OneDrive (SkyDrive)
▪ OneNote
Unified Extensible Firmware Interface (UEFI) is the replacement for the legacy Basic Input/Output System (BIOS)
UEFI provides much more functionality than traditional BIOS and allows the firmware to implement a security policy.
Secure Boot is enabled in every Windows 8 certified device that features UEFI, although it can be disabled
Secure Boot is “where the OS and firmware cooperate in creating a secure handoff mechanism”
Supported File Systems: NTFS, FAT32, exFAT
Default Partition structure: “Windows” – core OS (NTFS)
“Recovery” (NTFS)
“Reserved”
“System” – UEFI (Fat32)
“Recovery Image” (NTFS)
The registry hive format has not changed and can be examined with numerous tools
(e.g. RegistryBrowser, RegistryViewer, etc.)
Location of important registry hives:
▪ \Users\user_name\NTUSER.DAT
▪ \Windows\System32\config\DEFAULT
▪ \Windows\System32\config\SAM
▪ \Windows\System32\config\SECURITY
▪ \Windows\System32\config\SOFTWARE
▪ \Windows\System32\config\SYSTEM
IE history is no longer stored in Index.DAT files
IE history records stored in the following file:
\Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
▪ This is actually an .EDB file
▪ Can be interpreted by EseDbViewer or ESEDatabaseView
▪ Might be a “dirty” dismount, need to use esentutl.exe
Internet Cache stored in this directory:
\Users\user_name\AppData\Local\Microsoft\Windows\INetCache\
Internet Cookies stored in this directory:
\Users\user_name\AppData\Local\Microsoft\Windows\INetCookies\
Windows 8 introduced a unified search platform that encompasses local files & websites
In Windows 8 stored in the NTUSER.DAT registry hive: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SearchHistory\
In Windows 8.1 stored as .LNK files in: \Users\user_name\AppData\Local\Microsoft\Windows\ConnectedSearch\History\
“Picture Password” is an alternate login method where gestures on top of a picture are used as a password
This registry key details the path to the location of the “Picture Password” file: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\PicturePassword\user_GUID
Path of locally stored Picture Password file:
C:\ProgramData\Microsoft\Windows\SystemData\user_GUID\ReadOnly\PicturePassword\background.png
Applications (apps) that use the Metro/Modern UI are treated differently from programs that run in desktop mode
Apps are installed in the following directory: \Program Files\WindowsApps\
Settings and configuration DBs are located in the following directory: \Users\user_name\AppData\Local\Packages\package_name\LocalState\
▪ Two DB formats:
▪ SQLite DBs (.SQL)
▪ Jet DBs (.EDB)
Registry key of installed applications:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\
Mail application: emails & contacts are stored in .EML format
Can be analysed by a number of tools
Stored in the following directory:
\Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps...\LocalState\Indexed\LiveComm\...\...\Mail\
Unified Communication (UC) is a built-in Microsoft application that brings together all of the following social media platforms (by default):
Facebook, Flickr, Google, LinkedIn, MySpace, Sina Weibo, Twitter, Outlook, Messenger, Hotmail, Skype, Yahoo!, QQ, AOL, Yahoo! JAPAN, Orange
UC settings are stored in the following DB: \Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps…\LocalState\livecomm.edb
Locally cached entries (e.g. Email or Twitter messages) are stored in this directory: \Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps…\LocalState\Indexed\LiveComm\
Twitter history DB is located in the following file: \Users\user_name\AppData\Local\Packages\xxxx.Twitter_xxxxxxx\LocalState\twitter_user_id\twitter.sql
SQLite3 format DB, 11 tables in DB
▪ Relevant tables:
▪ messages – holds tweets & DMs
▪ search_queries – holds searches conducted in Twitter app by user
▪ statuses – lists latest tweets from accounts being followed
▪ users – lists user account and accounts being followed by user
Settings located in file:
\Users\user_name\AppData\Local\Packages\xxxxx.Twitter_xxxx\Settings\settings.dat
▪ Includes user name (@xxxxx)
▪ Details on profile picture URL
▪ Twitter ID number
Skype user name is located in the file: \Users\esf\AppData\Local\Packages\microsoft.windowscommunicationsapps_xxxxx\LocalState\Indexed\LiveComm\xxxx\xxx\People\Me\xxxxxxx.appcontent-ms
Relevant DB files located in directory:
\Users\user_name\AppData\Local\Packages\Microsoft.SkypeApp_xxxx\LocalState\live#3xxxxxxx\
▪ eas.db
▪ Contains user details in “properties” table
▪ qik_main.db
▪ Contains Skype username in “settings” table
▪ Contains recent messages in “conversations” table
▪ main.db
▪ Contains chats, calls, contacts
Be aware that if you search for a user via the app, the results will show under “contacts” even if not “added”; the is_permanent flag tells them apart:
is_permanent:
0 = NO (not added)
1 = YES (added)
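Added example (not from the original slides) showing how an examiner would read the Skype main.db contacts and separate added contacts from search-only entries via is_permanent; the same sqlite3 approach lists the tables of the Twitter twitter.sql DB above. The table name Contacts and the skypename column are assumptions, and the DB is constructed in memory for the demo.

```python
import sqlite3


def list_tables(conn):
    """Table names in an app DB (twitter.sql, main.db, ...), read from sqlite_master."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [row[0] for row in rows]


def classify_contacts(conn):
    """Split Contacts by is_permanent: 1 = contact the user added, 0 = only returned by a search."""
    added, searched_only = [], []
    query = "SELECT skypename, is_permanent FROM Contacts ORDER BY skypename"
    for skypename, is_permanent in conn.execute(query):
        (added if is_permanent == 1 else searched_only).append(skypename)
    return {"added": added, "searched_only": searched_only}


def build_sample_main_db():
    """Constructed in-memory stand-in for main.db (table and column names are assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Contacts (id INTEGER PRIMARY KEY, skypename TEXT, is_permanent INTEGER)")
    conn.executemany(
        "INSERT INTO Contacts (skypename, is_permanent) VALUES (?, ?)",
        [("user.alpha", 1), ("user.beta", 1), ("searched.only", 0)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_main_db()
    print("tables:", list_tables(db))
    print(classify_contacts(db))
```

On a real image, replace the constructed DB with sqlite3.connect() on a copy of main.db taken from the Packages path above.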
OneDrive is built in by default; its API allows all programs to save files to OneDrive
List of Synced items located in file:
\Users\user_name\AppData\Local\Microsoft\Windows\SkyDrive\settings\xxxxxxxx.dat
Locally cached items are stored in directory:
\Users\user_name\OneDrive\
OneNote cached files are stored in this directory:
\Users\user_name\AppData\Local\Packages\Microsoft.Office.OneNote_xxxx\LocalState\AppData\Local\OneNote\16.0\OneNoteOfflineCache_Files\
Files stored with an xxxx.onebin extension are actually just binary files, e.g. PNG or JPG
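Added example (not from the original slides) that turns the artefact locations listed in the sections above into a quick triage check over a mounted Windows 8.x image: each placeholder (user_name, package_name, xxxx) becomes a wildcard and matching is case-insensitive, since the image may be mounted on a case-sensitive system. The directory tree it runs against is constructed for the demo.

```python
import fnmatch, os, tempfile

# '*' stands in for the slides' user_name / package_name / xxxx placeholders.
ARTEFACTS = {
    "NTUSER.DAT": "Users/*/NTUSER.DAT",
    "SYSTEM hive": "Windows/System32/config/SYSTEM",
    "IE WebCacheV01.dat": "Users/*/AppData/Local/Microsoft/Windows/WebCache/WebCacheV01.dat",
    "8.1 search history": "Users/*/AppData/Local/Microsoft/Windows/ConnectedSearch/History",
    "Picture Password": "ProgramData/Microsoft/Windows/SystemData/*/ReadOnly/PicturePassword/background.png",
    "UC livecomm.edb": "Users/*/AppData/Local/Packages/microsoft.windowscommunicationsapps*/LocalState/livecomm.edb",
    "Twitter twitter.sql": "Users/*/AppData/Local/Packages/*.Twitter_*/LocalState/*/twitter.sql",
    "Skype main.db": "Users/*/AppData/Local/Packages/Microsoft.SkypeApp_*/LocalState/*/main.db",
    "OneDrive sync list": "Users/*/AppData/Local/Microsoft/Windows/SkyDrive/settings/*.dat",
}


def _walk(directory, parts):
    """Yield paths under directory matching the pattern components, ignoring case."""
    if not parts:
        yield directory
        return
    try:
        names = os.listdir(directory)
    except OSError:  # unreadable or missing directory
        return
    for name in names:
        if fnmatch.fnmatchcase(name.lower(), parts[0].lower()):
            full = os.path.join(directory, name)
            if len(parts) == 1 or os.path.isdir(full):
                yield from _walk(full, parts[1:])


def find_artefacts(image_root):
    """Map artefact label -> sorted list of matching paths under the mounted image."""
    found = {}
    for label, pattern in ARTEFACTS.items():
        hits = sorted(_walk(image_root, pattern.split("/")))
        if hits:
            found[label] = hits
    return found


def build_sample_image():
    """Constructed directory tree standing in for a mounted image (demo only)."""
    root = tempfile.mkdtemp()
    for rel in ("Users/alice/NTUSER.DAT",
                "Users/alice/AppData/Local/Microsoft/Windows/WebCache/WebCacheV01.dat",
                "Users/alice/AppData/Local/Packages/Microsoft.SkypeApp_xxxx/LocalState/live#3xxxx/main.db",
                "windows/system32/config/SYSTEM"):  # case differs on purpose
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root
```

Point find_artefacts() at the mount point of a real image (e.g. the root of the “Windows” partition) to get the list of artefacts worth collecting.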
Assuming no encryption is found, and due to the prevalence of ESE (JetBlue) DBs, it is not recommended to pull the power; perform a clean shutdown instead (otherwise the DBs will be dirty)
Recommend grabbing RAM first if a running machine is encountered, e.g. with:
▪ WinPMEM 1.5
▪ DumpIt
▪ FTK Imager
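Added example (not from the original slides) serving both the WebCacheV01.dat note on “dirty” dismounts and the SOP point about dirty DBs: it reads only the ESE file header to tell whether a database such as WebCacheV01.dat or livecomm.edb was cleanly shut down before an examiner decides whether esentutl.exe recovery is needed. The field offsets (signature at 4, file type at 12, state at 52) follow the published ESE header layout; the sample headers are constructed for the demo.

```python
import struct

ESE_SIGNATURE = 0x89ABCDEF  # magic at offset 4 of every ESE .edb / .dat file
ESE_STATE = {1: "just created", 2: "dirty shutdown", 3: "clean shutdown",
             4: "being converted", 5: "force detach"}  # database state field at offset 52


def ese_header_state(header):
    """Parse (file_type, state name) from the first 56 bytes of an ESE database file."""
    if len(header) < 56:
        raise ValueError("need at least 56 header bytes")
    signature, _format_version, file_type = struct.unpack_from("<III", header, 4)
    if signature != ESE_SIGNATURE:
        raise ValueError("not an ESE database (signature 0x%08x)" % signature)
    state = struct.unpack_from("<I", header, 52)[0]
    return file_type, ESE_STATE.get(state, "unknown (%d)" % state)


def is_dirty(header):
    """True when the DB was not cleanly detached, i.e. esentutl recovery is needed before parsing."""
    return ese_header_state(header)[1] != "clean shutdown"


def check_file(path):
    """Read just the header of a real WebCacheV01.dat / livecomm.edb and report its state."""
    with open(path, "rb") as fh:
        file_type, state = ese_header_state(fh.read(56))
    return {"path": path, "file_type": file_type, "state": state}


def make_sample_header(state):
    """Constructed header for the demo: signature, version and state set, all other fields zero."""
    hdr = bytearray(56)
    struct.pack_into("<III", hdr, 4, ESE_SIGNATURE, 0x620, 0)  # 0x620 = ESE format version, 0 = database
    struct.pack_into("<I", hdr, 52, state)
    return bytes(hdr)


if __name__ == "__main__":
    for st in (2, 3):
        print(ese_header_state(make_sample_header(st)), "dirty:", is_dirty(make_sample_header(st)))
```

Run check_file() against a copy of the artefact, never the original, and only treat a “clean shutdown” result as ready for an ESE viewer.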