
Windows 8 retained many of the key artifacts present in earlier versions; however, its immersive experience also lends itself to artifacts nonexistent in previous releases.

Windows 8, the codename for the upcoming version of Microsoft Windows operating systems, is set to be released to the general public on October 26, 2012. Unlike its predecessor Windows 7, which was intended to be a more focused, incremental upgrade to the Windows line, Windows 8 is an operating system "reimagined from the chipset to the user experience" according to the Windows Design Team. Windows 8 features a new user interface based on Microsoft's Metro design language, very similar to features found in the current Windows Phone operating system (commonly referred to as Windows Mobile). The new metro-style interface is designed to better suit touchscreen and pen input, along with traditional mouse and keyboard input.

As is the case with any newly released operating system, new forensic changes and challenges arise. As digital forensic investigators it is important to address these new changes and challenges with diligence and understanding. Just like older versions of Windows, Windows 8 contains valuable bits of information known as “artifacts.” The average user is mostly unaware that the operating system is leaving behind traces of activity that are specific to their usage. Knowing where these artifacts are stored can greatly assist in recreating a particular user account’s history. With that said, it may be a relief to many investigators that Windows 8 retained many of the key artifacts that were present in earlier Windows operating system builds. However, the immersive experience of Windows 8 also lends itself to artifacts nonexistent in previous releases. This article will focus on artifacts exclusive to Windows 8, including registry differences and artifacts of the new Metro User Interface and Immersive Web Browser.

The New Metro User Interface (UI): A Wealth of Forensic Information
As stated previously, Windows 8 will employ a new user interface based on Microsoft's Metro design language. The Metro environment will feature a new tile-based Start screen similar to that of the Windows Mobile Phone operating system (see Figure 1). These tiles are a rebranding of the traditional Windows “programs” that existed in previous versions. Each tile will represent an application and will be able to display relevant information, such as the number of unread messages on the tile for an e-mail app or the current temperature on a weather application. Metro-style applications run full-screen.

Figure 1: Windows’ new tile-based Start screen.


Beginning with Windows Vista, Microsoft introduced the Application Data (AppData) folder structure, which allowed forensic investigators to determine which data belonged to the operating system and which data belonged to a particular user. Located within this AppData folder is the Local folder, which contains data that does not roam with the user (see Figure 2). The data stored in this location is usually too large to roam with the user. This directory was previously known as “Documents and Settings\%UserName%\Local Settings\Application Data” in Windows XP and earlier versions. Items of probative forensic value that can be found here include temporary Internet files, Internet history, and several items that are new to the Windows 8 Metro user interface (UI).

Figure 2: The Local folder in AppData contains data that does not roam with the user.


A majority of metro UI apps in Windows 8 connect to the Internet with a Windows Live (Microsoft) Account and each app is considered to be what Windows calls an “immersive” environment. This means that from within each app, you can access other apps, so figuratively speaking, that app becomes the operating system. Because of this immersive concept, each app will have its own Internet artifacts, which include its own cache, cookies, and history. The following list defines the location and explanation of the metro app artifacts:

Metro App Cache
%Root%\Users\%User%\AppData\Local\Packages\%MetroAppName%\AC\INetCache
Contains Web cache specific to each Metro App.

Metro App Cookies
%Root%\Users\%User%\AppData\Local\Packages\%MetroAppName%\AC\INetCookies
Contains cookie files specific to each Metro App. Data is contained in a text file.

Metro App History
%Root%\Users\%User%\AppData\Local\Packages\%MetroAppName%\AC\INetHistory
Contains Internet history files specific to each Metro App; the format of the data is consistent with previous versions.

These folders are named INetCache, INetCookies, and INetHistory respectively (see Figure 3) and contain a wealth of information and artifacts that may be of importance to the forensic investigator.

Figure 3: INetCache, INetCookies, and INetHistory contain a wealth of information and artifacts.


Internet Explorer 10: The Immersive Browser
Windows Internet Explorer 10 (abbreviated as IE10) is the next and upcoming version of Microsoft’s Web browser. In Windows 8, it will be divided into two versions with different user interfaces: the new Metro UI app and a traditional desktop application. Therefore it is important for the forensic investigator to keep in mind that there are essentially two separate versions of IE built into Windows 8 (Immersive and Desktop), each having their own separate artifacts. The following list defines the location and explanation of the IE10 browser artifacts found in Windows 8:

IE 10 Web sites Visited (Immersive Interface)
%Root%\Users\%User%\AppData\Local\Microsoft\Internet Explorer\Recovery\Immersive\Active

IE 10 Web sites Visited (Desktop Interface)
%Root%\Users\%User%\AppData\Local\Microsoft\Internet Explorer\Recovery\Active
Web sites the user visited while browsing with IE10.

User-Pinned Favorite Tiles
%Root%\Users\%User%\AppData\Local\Microsoft\Windows\RoamingTiles
Contains tiles that the user has pinned as favorite (see Figure 4).

Figure 4: IE tiles that the user has pinned as favorite.
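As an added triage example (not code from the article), the following Python script resolves the Windows 8 artifact locations listed in the two sections above against a user profile taken from a mounted image: every package's INetCache, INetCookies and INetHistory folder under AppData\Local\Packages, the IE10 immersive and desktop Recovery\Active folders, and the RoamingTiles folder. It reports which of them exist and how many files each holds, which is a quick way to see which Metro apps and which IE10 interface a user actually touched. The profile tree it runs against is constructed in a temporary directory; the package name ExampleWeatherApp_placeholder is a placeholder, the file names are sample data, and the Internet Explorer folder is written with the space it has on disk.

```python
"""Added triage example (not from the article): locate the Windows 8
per-app and IE10 artifact folders inside one user profile."""
import tempfile
from pathlib import Path
from typing import Dict

# Folders kept under <profile>\AppData\Local\Packages\<Package>\AC for each Metro app.
METRO_SUBDIRS = ("INetCache", "INetCookies", "INetHistory")

# Fixed profile-relative artifact folders listed in the article.
FIXED_ARTIFACTS = {
    "ie10_immersive_recovery": Path("AppData/Local/Microsoft/Internet Explorer/Recovery/Immersive/Active"),
    "ie10_desktop_recovery": Path("AppData/Local/Microsoft/Internet Explorer/Recovery/Active"),
    "user_pinned_tiles": Path("AppData/Local/Microsoft/Windows/RoamingTiles"),
}


def count_files(folder: Path) -> int:
    """Number of regular files below a folder (recursive)."""
    return sum(1 for p in folder.rglob("*") if p.is_file())


def triage_user_profile(profile: Path) -> Dict[str, int]:
    """Map every artifact folder that exists to its file count.
    Metro app artifacts are keyed as '<package>/<subdir>'; missing folders are omitted."""
    found: Dict[str, int] = {}
    for name, rel in FIXED_ARTIFACTS.items():
        folder = profile / rel
        if folder.is_dir():
            found[name] = count_files(folder)
    packages = profile / "AppData" / "Local" / "Packages"
    if packages.is_dir():
        for pkg in sorted(p for p in packages.iterdir() if p.is_dir()):
            for sub in METRO_SUBDIRS:
                folder = pkg / "AC" / sub
                if folder.is_dir():
                    found[f"{pkg.name}/{sub}"] = count_files(folder)
    return found


def build_sample_profile(root: Path) -> Path:
    """Construct a fake Windows 8 profile tree (constructed sample data, not a real image)."""
    profile = root / "Users" / "alice"
    layout = {
        "AppData/Local/Packages/microsoft.windowscommunicationsapps_8wekyb3d8bbwe/AC/INetCache": ["a.dat", "b.dat"],
        "AppData/Local/Packages/microsoft.windowscommunicationsapps_8wekyb3d8bbwe/AC/INetCookies": ["c.txt"],
        # Placeholder package name standing in for any other Metro app.
        "AppData/Local/Packages/ExampleWeatherApp_placeholder/AC/INetHistory": ["index.dat"],
        "AppData/Local/Microsoft/Internet Explorer/Recovery/Immersive/Active": ["session.dat"],
        "AppData/Local/Microsoft/Windows/RoamingTiles": [],  # present but empty
    }
    for rel, files in layout.items():
        folder = profile / rel
        folder.mkdir(parents=True, exist_ok=True)
        for name in files:
            (folder / name).write_bytes(b"sample")
    return profile


def demo() -> Dict[str, int]:
    """Build the sample profile and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_user_profile(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    for artifact, n in demo().items():
        print(f"{artifact}: {n} file(s)")
```

Against a real image, point triage_user_profile at the user's folder below Users on a read-only mount; pathlib handles the separator difference, so the same code works whether the image is mounted on Windows or Linux.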


Communication App Artifacts
Windows 8 is virtually connected to everything; wherever you sign in, it’s connected. E-mail is connected to Facebook, Facebook is connected to the photo album, and the photo album is connected to the Microsoft account, which allows the user the ability to transfer many of the settings of the UI and immersive browser from PC to PC. The operating system is built around the premise of the recent social media revolution, with many of the newer features focused around such communication. The Communications App, as coined by Microsoft, includes the user’s e-mail, chat clients such as Windows Live and AIM, Facebook, and other social networking sites (e.g. Twitter). Anything that can allow the user to interact with another person appears to fall under “Communications Apps.” Each communication app has its own Web cache, which is located in the following directory:

Communication App Web Cache
%Root%\Users\%User%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCache

Communication App Cookies
%Root%\Users\%User%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCookies

In addition to Web cache and cookies, user contacts synced from various social media accounts such as Twitter, Facebook, and even e-mail clients such as MS Hotmail are cached with the operating system (see Figure 5). This information is located in the following directory:

User’s Contacts from Communications Apps
%Root%\Users\%User%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\%User’sWindowsLiveEmailAddress%\%AppCurrentVersion%\DBStore\LogFiles\edb####.log

Figure 5: User contacts synced from various social media accounts are cached with the operating system.


Moreover, when contacts are synced with Windows 8, a user tile is assigned to a particular contact. The Communications App consolidates social networking and messaging into one place, and as a result, the user’s contacts are stored in one location, along with the contact’s picture (see Figure 6). These pictures are generally the picture that the contacts themselves have assigned as their Facebook, Twitter, or other synced social media account profile image. These user tiles associated with the contact can be found in the following directory location:

User Tile Associated with Contact
%Root%\Users\%User%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\%User’sWindowsLiveEmailAddress%\%AppCurrentVersion%\DBStore\UserTiles

Figure 6: User’s contacts are stored in one location, along with the contact’s picture.


Windows 8 Registry Artifacts
No discussion on Windows 8 forensic artifacts would be complete without a discussion of changes within the Windows registry. Forensic investigators should be familiar with the standard function of the Windows Registry, which is a central hierarchical database used to store information necessary to configure the system for one or more users, applications, and hardware devices. The registry is considered the heart and soul of the Windows operating system, containing a massive amount of data of forensic significance. The mining of such data can be an unnerving task due to its size and complexity. Fortunately for forensic investigators, Microsoft altered the Windows 8 registry only slightly from its predecessor Windows 7. Nonetheless, the new operating system brought on new registry changes and artifacts, which will be discussed in subsequent detail.

SAM Registry Artifacts
The Security Accounts Manager (SAM) file is present in the same manner as it was in previous versions of Windows operating systems. The Windows 8 SAM stores users' passwords in hashed form (NTLM hash) for both local and Microsoft login accounts (as Windows 8 can use a Microsoft account as a login method). The SAM key stores the user names used for login and the RID (Relative Identifier) of each account. The addition of the immersive user interface (UI) also brought new artifacts, such as the Internet user name and user tile registry entries. These can be found at the following locations within the registry:

Internet User Name
%SystemRoot%\System32\Config\SAM\Domains\Account\Users\Internet User Name

User's Tile
%SystemRoot%\System32\Config\SAM\Domains\Account\Users\UserTile

SOFTWARE Registry Artifacts
The SOFTWARE key contains information about the operating system, such as the version, when it was installed, the registered owner, the last user to log on, and the members of a created user group (if one exists). With the addition of Metro apps in Windows 8, new registry keys were added. These include a registry key that shows which Metro apps were installed on the system and which user account installed them (based upon the security identifier, or SID). These keys can be found at the following locations within the SOFTWARE registry hive.

Metro Apps Installed on System
Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications

User Account Installed Metro Apps
Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\%SID%

Figure 7: The “TYPEDURLsTIME” entry is new to Windows 8.

NTUSER.DAT Registry Artifacts
NTUSER.DAT is the registry hive file that stores settings specific to a single Windows user. If there are multiple user accounts on a system, there are also multiple NTUSER.DAT files, one for each user. NTUSER.DAT stores data particular to that user, such as which files they opened, which applications they used, and which Web sites they visited. The structure and usage of NTUSER.DAT has not changed in Windows 8, and many of the same residual forensic artifacts present in Windows 7 remain. There is, however, one registry entry new to Windows 8 that is of significance to forensic investigators: the “TypedURLsTime” entry (see Figure 7). Each value is stored in binary form as a FILETIME, which denotes the number of 100-nanosecond intervals since January 1, 1601 at 00:00:00 GMT. The FILETIME structure consists of two 32-bit values that combine to form a single little-endian 64-bit value; each value can be correlated to a URL in the TypedURLs key by its matching entry number, which reflects the order in which the URLs were typed into the browser. This information can be found in the following location:

TypedURLsTime
%SystemDrive%\Users\%User%\NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLsTime
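To make the FILETIME decoding concrete, here is an added Python example (not from the article) that converts binary TypedURLsTime values to UTC timestamps and pairs each one with the TypedURLs entry carrying the same number. The two registry keys are represented as Python dicts standing in for what a hive parser would return (value name to string, and value name to raw bytes); the URLs and timestamps are constructed sample data, and the zero-valued entry shows how a URL with no recorded time is handled.

```python
"""Added example (not from the article): decode IE10 TypedURLsTime FILETIME
values and pair them with the TypedURLs entries that carry the same number."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> Optional[datetime]:
    """Decode an 8-byte FILETIME stored as two little-endian 32-bit halves
    (low dword first). An all-zero value means no time was recorded."""
    if len(raw) != 8:
        raise ValueError("FILETIME value must be exactly 8 bytes, got %d" % len(raw))
    low, high = struct.unpack("<II", raw)
    ticks = (high << 32) | low
    if ticks == 0:
        return None
    # Integer division keeps the conversion exact at microsecond resolution.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse conversion; used here only to build the constructed sample data."""
    micros = (dt - FILETIME_EPOCH) // timedelta(microseconds=1)
    return struct.pack("<Q", micros * 10)


def correlate_typed_urls(typed_urls: Dict[str, str],
                         typed_urls_time: Dict[str, bytes]
                         ) -> List[Tuple[str, str, Optional[datetime]]]:
    """Pair url<n> from TypedURLs with url<n> from TypedURLsTime, ordered by n.
    A URL with no matching time value (or a zero value) gets None."""
    rows = []
    for name in sorted(typed_urls, key=lambda k: int(k[len("url"):])):
        raw = typed_urls_time.get(name)
        when = filetime_to_datetime(raw) if raw is not None else None
        rows.append((name, typed_urls[name], when))
    return rows


# Constructed sample values standing in for the two registry keys.
SAMPLE_TYPED_URLS = {
    "url1": "http://www.marshall.edu/",
    "url2": "http://support.microsoft.com/kb/146050",
    "url3": "http://www.example.com/",
}
SAMPLE_TYPED_URLS_TIME = {
    "url1": datetime_to_filetime(datetime(2012, 6, 6, 14, 30, 15, tzinfo=timezone.utc)),
    # 129834144000000000 ticks = 2012-06-06 00:00:00 UTC, stored as 8 raw bytes
    "url2": struct.pack("<Q", 129834144000000000),
    "url3": b"\x00" * 8,  # no time recorded
}


def demo() -> List[Tuple[str, str, Optional[str]]]:
    """Correlate the sample keys, rendering timestamps as ISO 8601 strings."""
    return [(name, url, when.isoformat() if when else None)
            for name, url, when in correlate_typed_urls(SAMPLE_TYPED_URLS, SAMPLE_TYPED_URLS_TIME)]


if __name__ == "__main__":
    for name, url, when in demo():
        print(f"{name}: {when or 'no timestamp':25} {url}")
```

On a real NTUSER.DAT, feed the raw bytes of each TypedURLsTime value to filetime_to_datetime as-is; the two-dword layout is handled by the "<II" unpack, and a zero value is reported as missing rather than as a 1601 timestamp, which is the usual sign that the URL entry predates the TypedURLsTime key.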

Conclusion
The pre-releases of Windows 8 gave a look into the future of operating system forensics and the challenges investigators may face on the horizon. Although the under-the-hood structure of the operating system was not altered too drastically, Windows 8 brings new challenges to the forensic examination that were not present before. Windows 8 is more interconnected than previous versions, fully utilizing social media and Internet utilities such as roaming accounts and cloud storage. This could pose challenges in certain investigations regarding the legality of accessing such “cloud-based” data. This article delves into artifacts of the “Release Preview,” which was released in late May 2012, nearly five months prior to the official release, in order to identify and investigate forensically relevant changes to the new operating system. It is assumed that some of these artifacts will be slightly different upon final release of the operating system and that new artifacts will be added. In addition, there is a plethora of specific forensic artifacts that were not addressed in this article. For this reason, it is important that continued research be conducted well beyond the first public release of the operating system this fall.


Josh Brunty is an Assistant Professor of Digital Forensics at Marshall University in Huntington, WV. A former digital forensics examiner and laboratory manager, Josh has extensive experience in investigations involving digital and multimedia evidence. Josh is a member of the Mid-Atlantic Association of the High Technology Crime Investigation Association (HTCIA), the Digital-Multimedia Sciences section of the American Academy of Forensic Sciences (AAFS), the West Virginia Cyber Crimes Task Force, and the West Virginia Chapter of FBI INFRAGARD. Marshall University, One John Marshall Drive, Huntington, WV 25755; josh.brunty@marshall.edu; www.marshall.edu.
