After looking at multiple things, I decided to step back and take a look at what was going on. I reviewed a few things, and finally checked the hash of the files I originally downloaded - low and behold, they were off. I did some quick research and discovered that Google Chrome sometime has issues with downloads over 2GB, and quickly went to download the iso's in Firefox instead. Finally, it installed flawlessly and I was off and running. 4 days and a lot of data generation, and I'm ready to start my reset and refresh project. Here's the outline:
- Create a clean Windows 8 virtual machine
- Create a forensic image of this Windows 8 machine
- Generate user data on the virtual machine, including but not limited to: internet browsing, USB activity, application activity, downloads, metro activity, social media activity, and more.
- Create a forensic image of the machine with generated traffic
- Take a snapshot of the virtual machine to revert back to
- Perform the refresh function
7. Forensic image of the machine after this is complete
8. Revert back to snapshot, perform reset function - quick
9. Forensic image of the machine after this is complete
10. Revert back to snapshot, perform reset function -
thorough
11. Forensic image of the machine after this is complete
12. Comparison of the five forensic images:
- Clean
- Data
- Refresh
- Reset Quick
- Reset Thorough
Comparison of these images will focus on multiple areas, including:
- What artifacts remain after each feature is done? - i.e., is USB activity still present? internet history? documents? is data carving possible? are prefetch files recoverable?
- What artifacts are present in a machine that has been reset versus a clean one? What about a refreshed machine? How can we tell if this has happened?
Any comments or suggestions, please feel free to let me know!
No comments:
Post a Comment