Today I am starting the preliminary research on the Windows 8 Operating System from a Digital Forensics standpoint. I will be comparing it primarily to known information on the Windows 7 Operating System. There are going to be many items that I am looking at, and any comments with suggestions for further things to look into would be appreciated.
Topics so far include:
- Recycle Bin Properties
- USB Drive Activity
- Internet History
- Windows 8 Reset and Reload Feature
- Event Logs
- Prefetch Files
- Jump Lists
- File History Feature
As I dig into these topics, there is likely to be a large amount of information that will be discovered. It is important to remember, though, that some of these topics may yield little to no differences.
The purpose of this project is to determine key differences between the Windows 7 and Windows 8 operating system from a forensic standpoint in order to determine if there are any significant changes that will be either beneficial or detrimental to the forensic investigation process.
Version:1.0 StartHTML:0000000167 EndHTML:0000003071
StartFragment:0000000747 EndFragment:0000003055 Version:1.0
StartHTML:0000000167 EndHTML:0000002862 StartFragment:0000000747
Windows 8 Recycle Bin
No shocking information to be found here, the Windows 8 recycle bin behaves just like the Windows 7 recycle bin.
The original blog post for this can be found at the Patrick Leahy Center for Digital Investigation blog, but this is a slightly edited version.
We still find the $Recycle.Bin, $R, and $I files. Here’s a breakdown of my methodology.
- Created “I wonder if this will appear“ at 10:14
- Deleted “I wonder if this will appear“ at 10:14
- Created “test document.txt“ at 10:22
- Deleted “test document.txt“ at 10:23
- Created “lets try this” at 10:40 – filled it with text, 36.5 mb
- Deleted “lets try this“ at 10:40
Recycle Bin in EnCase still has $Recycle.Bin and $I files. The actual $R notation can be found when looking at simply the user ID under the recycle bin, but since the $R file is the file data itself, it is represented by the file name in the recycle bin.
Located and verified times of “test document”, “lets try this”, and “I wonder if this will appear” to be accurate to what I recorded when creating/deleting originally.
Verified hex values for $I files in comparison to known Windows 7 values.
Bytes 0-7 are still the file header, always 01 followed by seven sets of 00.
Bytes 8-15 are the original file size, stored in hex, in little-endian. This can be converted into big endian format and converted with a hex calculator to a decimal notation to determine the size in bytes. I tested this with the “Lets try this” document that was 36.5mb. The hex value in encase was F0 E2 39 02, read in little endian. Converting this into big endian yields 02 39 E2 F0, which ran through a hex calculator shows that it is 37348080 bytes, which is roughly 36.5mb
Bytes 16-23 reflect the deleted date time stamp, represented per normal standards (number of seconds since Midnight, January 1, 1601).
Bytes 24-543 reflect the original file path/name.
About the Author:
Ethan Fleisher is a Senior majoring in Computer and Digital Forensics at Champlain College. Originally from Carlisle, Pennsylvania, Ethan currently works as a Forensic Intern and System Administrator at the Senator Patrick Leahy Center for Digital Investigation where he is involved in real life investigation forensic analysis, network and system administration, and forensic research. Ethan has spent close to the last year researching the Microsoft Windows 8 OS with focus on revealing new artifacts and attempting to confirm previous methodologies.