This document provides an overview of Windows 8 forensics and anti-forensics techniques. It discusses new features in Windows 8 like pagefile and swapfile functions, Windows 8 to Go, Bitlocker updates, cloud integration, thumbnail caching, and PC refresh. It also covers Internet Explorer 10 changes and analyzes the pagefile, swapfile, thumbcache, file history artifacts, and new registry hives introduced in Windows 8. Anti-forensics techniques like encryption, time tampering, disk wiping, and disk destruction are also briefly mentioned. The document promotes an upcoming security conference and provides contact information for the author.

1. Windows 8 Forensics
& Anti-Forensics
Mike Spalding
Twitter: @fatherofmaddog
<Insert Witty Job Title Here>

2. Disclaimer
Use this information at your own
risk!
I am not your lawyer, expert
witness, or your priest. If you use
this information while committing
a crime you have only yourself to
blame. Blame your parents for
anything else that feel that you did
not get/receive when you were a
kid.
Blah, blah, blah, blah, blah, blah!

3. Thank You’s
I need to thank a few people for
helping me with this. They helped
to shave time and effort on this.
Tyler Smith - @bobbyMcSmathers
Dave Normand – AccessData
Lt. Pete Martin – Yolo County DA’s
Office

4. • Pre Windows Vista
− Windows XP and before have more similar feel
when it comes to forensics; similar registries,
event IDs, similar folder files, etc
• Post Windows Vista
− Vista provided a significant change to the
environment, that from a forensic standpoint, XP
and Vista could almost be considered unrelated
to a certain degree.
• Some things have not changed; Registry –
Sam, System, Software
Just a quick Primer on Windows
Forensics over the years.

5. • Vista, Windows 7, Windows 8 …
− Very much an evolutionary process.
− For the most part few things have moved, but
many more things have added.
Brothers from another mother …

6. • My initial install was 7.6 Gb of 8.0 Gb
− Well that was not enough, I needed to load some
office files, adobe, and general office utilities.
• My secondary action added 10 Gb
− Windows then expanded to fill 17.2 Gb of the
18Gb (David Blain must work for MSFT)
• My third action was to add 12 Gb
− Finally, I had enough to have some nice
slackspace, 7.5 Gb out of 30Gb was left. Huh?
Windows 8 needs to lose some weight

7. Windows 8 - Brings New Features
• Features that matter to forensic investigators
− Pagefile and Swapfile functions
− Windows 8 to Go
− Windows 8 Bitlocker Updates
− Windows 8 Cloud Integration
− Windows 8 Thumbnail Caching
− Windows 8 PC Refresh
• The biggest concern to an investigator is the
data not present on the system
− i.e. Cloud Services scare the forensic person!

8. It’s a Dog eat Dog World!

9. Windows 8 – Pagefile & Swapfile
• Pagefile.sys
− Similar to Windows 7 and Vista
− One exception is that many apps are listed as a
“low priority” in the pagefile, this allows for more
system critical apps to run
• Swapfile.sys
− Tweaked to take advantage of “Immersive
Applications”
− Apps are flushed in to the swap file when
memory gets full, this allows for apps to open
immediately when not in use.

10. Windows 8 – I will take that 2 Go!
• Win8 to Go
− Makes the OS Portable
− Allows for the OS to be
operated from a USB
drive
− Allows for up to six USB
devices
*Military Service Dog not
included.

11. Windows 8 – BitLocker
• Microsoft Drive Encryption
− First bestowed to the world with Vista/Win 2008
− Is a whole disk encryption system; ie. While the
system is on the files are accessible.
• New Encryption Features
− Can be deployed with WinPE or MDT
− Can limit encryption to just used space (makes
slack space a nice place to search!  )
− Better Key Management for improved recovery,
yeah whatever!

12. Windows 8 – Skydrive
• Microsoft Skydrive Integration
− Always been available, but now integrated into
OS directly
− Corporate installs of Win 8 will most likely drop
this feature.
* On a surface
device, you can
view files, but
cannot move them
to the RT device
from Skydrive.

13. Windows 8 – All Thumbs
• In Win7 thumbs.db was replaced
− Thumbcache is used to store all thumbnails for the
operating system
− In addition Win8 has several thumbcache files.
Speculation is that this is to provide support for
touchpads.
• The thumbcache in Win8 is different from
Win7, so currently there are no forensic tools
that can decipher the thumbcache, yet.

14. Windows 8 – PC Refresh
• Win8 offers a feature called ‘PC Refresh’
− It allows for system files to be reinstalled, while not
effecting the user files located on the system
− You can choose to remove everything and it will quite
literally remove all files.
− This feature is completely automated and the user is
ask very limited questions.
− From a forensic standpoint, this means that things
will probably stay static for this release.

15. Windows 8 – PC Refresh

16. Windows 8 – File History Artifacts
• Win8 has the ability to have a File History
− This is not to be confused with a shadowcopy.
− This cannot be used on cloud services, but can be
used on virtual drives (anti-forensics ideas!!)
− A GPO can be used to have all File History stored to
a network location or server.
− Located at:
%user%AppDataLocalMicrosoftWindowsFil
eHistory
− If this folder does not exist, neither does File History.

17. Windows 8 – ESE Structured DB File
• Win8 has a database of filenames, locations,
and versions
− This is helpful during investigations. It can show
history of files, depicts movements of files, etc.
− This is used when the restore files wizard is used.
− This is a great resource for keyword searches or
targeted searches looking for a specific image or
filename in question.
− Can be parsed with tools like ESEDbViewer.

18. Windows 8 – My new best friend!
• Win8 utilizes an XML config file that stores
the following pieces of information:
− Username, Machine Name, Libraries, Exclude
Folders, Location of Config Files, Retention
Informaiton, Target Volume Details, Volume Letter,
GUID of Volume, Volume Type, UNC Paths, Target
Configuration files , and backup storage locations.
− This provides ample information if data is being
stored on a flash drive or portable media.
− This can be used to trace machine history in the
portable OS function.

19. Windows 8 – My new best friend!

20. Windows 8 – Backup Data
• Win8 does not encrypt Backup data
− With user history and backup data being made
available, we will see that we can multiple variants of
a file readily available.
− New files are deprecated using the system UTC time
as a counter.
− The deprecation allows for the restore wizard to
know which file to restore.
− Fortunately for us, it also allows for the investigator
to view files after the fact.

21. Windows 8 – Default to the hard drive
• Win8 will default to the local system if the
remote drive or cloud service is not available.
− If a remove resource is unavailable, the file is stored
locally on the desktop.
− When the remote resource is made available, the files
are synched and the local file remains on the system.
− The file is marked as deleted, but it just goes into
slackspace or freespace on the local system.
− Fortunately for us, it also allows for the investigator
to view files after the fact.

22. Windows 8 – Two are better than One

23. Windows 8 – New Registry Hives
• The windows registry is useful for
investigations. as it contains hardware
information, usernames & Passwords.
− Hardware Information; thumb drives.
− ID’s and Passwords
− Internet Query details
− Programs installed on the local host
− System Information

24. Windows 8 – New Registry Hives
• ELAM (Early Launch Anti-Malware)
− Contains information to file launch times.
− Has details specific to Windows Defender and AV
data.
− ELAM driver loads before all other processes,
designed to prevent bootloader malware.
• BBI Registry File (Used with Immersive
Applications)
− Leveraged for licensing specific to users and their
applications. Uses logged on user and time.

25. Windows 8 – Internet Explorer 10
• New IE 10 Features
− Flip Ahead or “fast forward”, allows for web pages to
be scrolled like book pages.
− This also sends browsing history to Microsoft, to
improve the flip ahead experience.
− Pin to start allows for the user to pin favorite
websites to the start screen as a tile.
− Implicit/Explicit Sharing allows users to send a link
(implicit) or content from a page (explicit)

26. Windows 8 – IE10
• New IE 10 Features -
Continued
− EPM: Enhanced
Protected Mode uses
randomized memory
addressing to thwart
against buffer overflows.
− Application Caching
speeds up website data
between immersive
applications and the
internet.

27. Windows 8 – Anti-Forensics
• Encryption – Yes the tried and true way of
keeping something from someone.
− For all intensive purposes no one would use
BitLocker to protect their data if anti-forensics was a
pivotal concern.
− In Most cases, someone will use a whole disk
encryption along with select file encryption.
− Many people worried about AF have started a
practice to encrypt the hard drive twice.
− Some have called into question the security of
TrueCrypt as a viable solution.

28. Windows 8 – Anti-Forensics
• Time Tampering – The practice of changing file
and folder dates and time.
− A number of tools are available to perform this
function. Tool remnants are usually an indicator that
tampering to the drive has happened.
• Disk Wiping– The practice of writing an entire
disk with 1s and 0s.
− This is very secure method to destroy evidence, but
often times it is viewed poorly in court.

29. Windows 8 – Anti-Forensics
• Throwing Chaffe: To lead the investigator in the
wrong direction. Time is usually something that
many investigators do not have much of.

30. Windows 8 – Anti-Forensics
• Disk Destruction –
When all else fails, use
some gasoline and fire
and destroy the
evidence.

31. Shameless Plug
Bsides Columbus
January 20th, 2014
Doctors Hospital West
Three Tracks
KeyNote Speakers:
Dave Kennedy
Jayson Street

32. Questions
& Comments
@fatherofmaddog