Tuesday, June 19, 2012

Windows 8 Reset and Refresh

Finally getting to start working on the Windows 8 Reset and Refresh features.  I started this project about 2 weeks ago and took a good 3 day chunk of time to generate data.  I had high hopes of being able to smoothly go through the reset and refresh features without issue - but of course that just wouldn't be right.  I went to do the refresh, and it popped an error.  Reverted back to a snapshot, went to do reset - same thing again.  Finally did a full reset on it, and it brought it back to Consumer Preview - so I was pretty annoyed.  


After looking at multiple things, I decided to step back and take a look at what was going on.  I reviewed a few things, and finally checked the hash of the files I originally downloaded - lo and behold, they were off.  I did some quick research and discovered that Google Chrome sometimes has issues with downloads over 2GB, and quickly went to download the ISOs in Firefox instead.  Finally, it installed flawlessly and I was off and running.  4 days and a lot of data generation, and I'm ready to start my reset and refresh project.  Here's the outline:


  1. Create a clean Windows 8 virtual machine
  2. Create a forensic image of this clean Windows 8 machine
  3. Generate user data on the virtual machine, including but not limited to: internet browsing, USB activity, application activity, downloads, Metro app activity, social media activity, and more
  4. Create a forensic image of the machine with the generated data
  5. Take a snapshot of the virtual machine to revert back to
  6. Perform the refresh function
  7. Create a forensic image of the machine after the refresh completes
  8. Revert to the snapshot and perform the reset function (quick)
  9. Create a forensic image of the machine after the reset completes
  10. Revert to the snapshot and perform the reset function (thorough)
  11. Create a forensic image of the machine after the reset completes
  12. Compare the five forensic images:
    • Clean
    • Data
    • Refresh
    • Reset Quick
    • Reset Thorough


Comparison of these images will focus on multiple areas, including:
  • What artifacts remain after each feature is done? - i.e., is USB activity still present? Internet history? Documents? Is data carving possible? Are prefetch files recoverable?
  • What artifacts are present in a machine that has been reset versus a clean one? What about a refreshed machine? How can we tell that a reset or refresh has happened?
Any comments or suggestions, please feel free to let me know!  

Friday, June 15, 2012

Windows 8 KB Resource

Awesome post by Lance Mueller over at http://www.forensickb.com.  Brings all of the current Windows 8 research together - something I've definitely been trying to work on too!  Have to thank someone with a much more reputable name than myself for bringing all the research together!  

Let's keep up the collaboration!

Check back soon, I'll have the rest of my current research posted and hopefully some interesting news on the reset and refresh feature!

Windows 8 USB Activity

When I started working on Windows 8 USB drive forensics, I assumed it would be pretty similar to Windows 7.  I created a fresh Windows 8 VM and plugged a thumb drive into my local system.  As expected, the VM recognized it as it should.  At this point I shut the VM down and opened it in EnCase to examine what happened.  All of the findings were similar to Windows 7 USB forensics, and much like the recycle bin, proved nothing exciting.  Here are the results:

The original post for this can be found on the Patrick Leahy Center for Digital Investigation blog.

Artifacts examined (screenshots in the original post):

  • SYSTEM\MountedDevices (the "Mounted devices" view in EnCase)
  • SYSTEM\CurrentControlSet\Enum\USBSTOR (ControlSet00N when working from an offline hive)
  • C:\Windows\inf\setupapi.dev.log
  • SOFTWARE\Microsoft\Windows Portable Devices\Devices – friendly name link

These keys and logs are all the same as in Windows 7, so it should be smooth sailing to continue producing USB activity results with the existing Windows 7 methodology.

Windows 8 Recycle Bin

No shocking information to be found here, the Windows 8 recycle bin behaves just like the Windows 7 recycle bin.


The original blog post for this can be found at the Patrick Leahy Center for Digital Investigation blog, but this is a slightly edited version.

We still find the $Recycle.Bin folder, $R files, and $I files.  Here's a breakdown of my methodology:
  1. Created "I wonder if this will appear" at 10:14; deleted it at 10:14
  2. Created "test document.txt" at 10:22; deleted it at 10:23
  3. Created "lets try this" at 10:40, filled it with text (36.5 MB); deleted it at 10:40

The Recycle Bin in EnCase still shows $Recycle.Bin and the $I files.  The $R names appear when looking at just the user's SID folder under the recycle bin; since the $R file is the deleted file's data itself, EnCase displays it under the original file name inside the recycle bin view.

Located and verified the times of "test document", "lets try this", and "I wonder if this will appear" to be accurate to what I recorded when creating/deleting them originally.

Verified hex values for $I files in comparison to known Windows 7 values.

Bytes 0-7 are still the file header: always 01 followed by seven 00 bytes.  This is the $I format version (1) stored as a little-endian 64-bit value, and it is unchanged from Vista and Windows 7.

Bytes 8-15 are the original file size, stored as a 64-bit little-endian integer.  Reverse the byte order to read it as a normal (big-endian) hex number, then convert it to decimal to get the size in bytes.  I tested this with the "lets try this" document that was 36.5 MB.  The hex value in EnCase was F0 E2 39 02 (followed by four 00 bytes), read in little endian.  Reversing this gives 02 39 E2 F0, which run through a hex calculator is 37,348,080 bytes, roughly 36.5 MB.

Bytes 16-23 are the deletion timestamp, stored as a standard 64-bit little-endian Windows FILETIME: the number of 100-nanosecond intervals (not seconds) since midnight, January 1, 1601 UTC.

Bytes 24-543 hold the original file path and name as UTF-16LE in a fixed 520-byte field (260 characters, i.e. MAX_PATH), padded with 00 bytes after the terminating NUL.  That makes a Windows 7/8 $I file exactly 544 bytes long regardless of the path length.
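To make the layout above concrete, here is an added Python parser (example code written for this page; it is not from the original post, EnCase, or any other tool mentioned here) that decodes a $I record field by field exactly as described: the version header in bytes 0-7, the little-endian size in bytes 8-15, the FILETIME deletion stamp in bytes 16-23, and the fixed UTF-16LE path from byte 24 on.  It also goes beyond the post to handle the later version-2 layout that Windows 10 introduced (a 4-byte character count followed by a variable-length path), which the post does not cover.  The sample record is constructed inline and is not the author's evidence: only the size bytes F0 E2 39 02 (37,348,080) come from the post; the path C:\Users\forensics\Desktop\lets try this.txt and the deletion time are made up.

```python
"""Parse $I metadata records from $Recycle.Bin (Vista/7/8 version 1; Windows 10 version 2).

Added example, not from the original post.  The sample record below is constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_PATH_CHARS = 260                      # version-1 path field: 260 UTF-16LE chars = 520 bytes
V1_RECORD_LEN = 24 + MAX_PATH_CHARS * 2   # 544 bytes, i.e. offsets 0-543 as in the post


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC (not seconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the sample record."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_file(data: bytes) -> dict:
    """Decode one $I record into version, original size, deletion time and original path."""
    if len(data) < 24:
        raise ValueError("record shorter than the 24-byte fixed header")
    # Bytes 0-7 version, 8-15 size, 16-23 FILETIME; all little-endian 64-bit integers.
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Bytes 24-543: fixed 520-byte UTF-16LE path, NUL padded (Vista/7/8).
        if len(data) < V1_RECORD_LEN:
            raise ValueError("version-1 record is truncated")
        raw_path = data[24:V1_RECORD_LEN]
    elif version == 2:
        # Windows 10 layout (not covered by the post): 4-byte character count that
        # includes the terminating NUL, followed by the UTF-16LE path.
        if len(data) < 28:
            raise ValueError("version-2 record is truncated")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
        if len(raw_path) != nchars * 2:
            raise ValueError("version-2 record is truncated")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


def build_i_file(size: int, deleted: datetime, path: str, version: int = 1) -> bytes:
    """Build a $I record; only used to construct sample input for this example."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = path.encode("utf-16-le")
    if version == 1:
        if len(encoded) > MAX_PATH_CHARS * 2 - 2:
            raise ValueError("path does not fit the fixed MAX_PATH field")
        return header + encoded.ljust(MAX_PATH_CHARS * 2, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded + b"\x00\x00"


def size_field_hex(data: bytes) -> str:
    """Bytes 8-15 in on-disk order, as a hex viewer shows them: 'F0 E2 39 02 00 00 00 00'."""
    return " ".join(f"{b:02X}" for b in data[8:16])


# Constructed sample: the size 37,348,080 (02 39 E2 F0, stored on disk as F0 E2 39 02)
# is the value from the post; the path and deletion time are invented for this example.
SAMPLE_PATH = r"C:\Users\forensics\Desktop\lets try this.txt"
SAMPLE_I_FILE = build_i_file(37_348_080,
                             datetime(2012, 6, 15, 10, 40, tzinfo=timezone.utc),
                             SAMPLE_PATH)

if __name__ == "__main__":
    rec = parse_i_file(SAMPLE_I_FILE)
    print("size bytes on disk:", size_field_hex(SAMPLE_I_FILE))
    print(f"version {rec['version']}, {rec['size']} bytes, deleted {rec['deleted'].isoformat()}")
    print("original path:", rec["path"])
```

Point parse_i_file at the contents of a real $I file exported from an image and it returns the same three values the post recovers by hand; the version check is what tells you whether the fixed 544-byte assumption from this post still holds for the record in front of you.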

Introduction to Windows 8 Forensics

Dating back to late 2011, I began researching the Windows 8 operating system from a digital forensics standpoint.  I wanted to take an in depth look at the operating system using many of the commonly used tools in the digital forensics world today.  When I first took on the project, I thought - hey, how hard could this be?  I didn't quite grasp, at first, the notion that I was going to be examining an entire operating system and the complexities that would be involved in doing so.  Fortunately, I had some ideas on what I wanted to look at, and I also intended to build upon the other research that had been done already. 


At that point in time, there was one other person researching Windows 8 publicly.  Kenneth Johnson, author of the blog random thoughts of forensics, was also working on examining Windows 8.  I viewed his initial research and saw what he was doing, and figured I'd check out some other artifacts to start.  With that, I built a preliminary list of the following:
  • Recycle Bin Properties
  • USB Drive Activity
  • Internet History
  • Windows 8 Reset and Refresh Feature
  • Event Logs
  • Prefetch Files
  • Jump Lists
  • File History Feature
With that, I started diving into the Developer Preview version that was released, examining the recycle bin, USB drive activity, internet activity, and the file history feature.  Jump lists, prefetch files, event logs, and the reset and refresh feature  were all still on the horizon for me.  As I got further into my research however, February 29th rolled around and the consumer preview was released - thus, my research was set back to a restart point.  Looking at the consumer preview, I dug into the same four primary topics of recycle bin, USB activity, internet history, and the file history feature.  Due to time constraints with the school year coming to a close and having to work another job, though, I was only able to get limited amounts of research done.  I did manage to discover a good amount of useful information, which I presented at the Conference for Undergraduates in Technology at Champlain College on April 21st, 2012. 

The following blog posts will touch on each individual item that was presented on.

Thursday, June 14, 2012

Welcome / Purpose

Hey all,


Just starting up this blog today.  I plan on using it mainly for posting my progress on the Windows 8 Forensics research that I've been doing, as well as other research and development, ideas, problems, and discoveries that I come across in the days to come!


The first few blog posts I am going to put up are going to be in regards to Windows 8 forensic research that I have already done, and can also be found on the Senator Patrick Leahy Center for Digital Investigation blog!  Check them out here, or there.


I'm hoping to get some input from the DFIR community on what I'm doing, so feel free to chime in if you see anything that you think I could be doing better, differently, that is wrong, or anything!  I'm always up for criticism, preferably constructive though.


Thanks for checking out the blog, come back often as I will be updating it relatively frequently!