Tuesday, June 19, 2012

Windows 8 Reset and Refresh

Finally getting to start working on the Windows 8 Reset and Refresh features.  I started this project about 2 weeks ago and took a good 3 day chuck of time to generate data.  I had high hopes of being able to smoothly go through the reset and refresh features without issue - but of course that just wouldn't be right.  I went to do the refresh, and it popped an error.  Reverted back to a snapshot, went to do reset - same thing again.  Finally did a full reset on it, and it brought it back to consumer preview - so I was pretty annoyed.  

After looking at multiple things, I decided to step back and take a look at what was going on.  I reviewed a few things, and finally checked the hash of the files I originally downloaded - low and behold, they were off.  I did some quick research and discovered that Google Chrome sometime has issues with downloads over 2GB, and quickly went to download the iso's in Firefox instead.  Finally, it installed flawlessly and I was off and running.  4 days and a lot of data generation, and I'm ready to start my reset and refresh project.  Here's the outline:

  1. Create a clean Windows 8 virtual machine
  2. Create a forensic image of this Windows 8 machine
  3. Generate user data on the virtual machine, including but not limited to: internet browsing, USB activity, application activity, downloads, metro activity, social media activity, and more.
  4. Create a forensic image of the machine with generated traffic
  5. Take a snapshot of the virtual machine to revert back to
  6. Perform the refresh function 

     7.  Forensic image of the machine after this is complete 
     8.  Revert back to snapshot, perform reset function - quick

     9.  Forensic image of the machine after this is complete 
     10.  Revert back to snapshot, perform reset function -  thorough

     11.  Forensic image of the machine after this is complete
     12.  Comparison of the five forensic images:
    • Clean
    • Data
    • Refresh
    • Reset Quick
    • Reset Thorough

Comparison of these images will focus on multiple areas, including:
  • What artifacts remain after each feature is done? - i.e., is USB activity still present?  internet history? documents?  is data carving possible?  are prefetch files recoverable?
  • What artifacts are present in a machine that has been reset versus a clean one?  What about a refreshed machine?  How can we tell if this has happened?
Any comments or suggestions, please feel free to let me know!  

No comments:

Post a Comment