Windows 8 Forensic Investigation Course

The course is designed to upgrade the knowledge of an existing computer forensic analyst so that they understand the changes that have taken place in the Windows 8 Operating System and, latterly, the Windows 8.1 Operating System.
The course is modular, with instructor-led tuition followed by hands-on laboratories that illustrate the points covered in each module, so as to familiarise the analysts with the new features and forensic artefacts.

Module 1 - Modern User Interface.

This module takes the students through the new features of the Modern User Interface, which augments the old Desktop-style experience within Windows. We will look at:

  • The various versions of Windows 8 and what features they contain.
  • ‘Local’ and ‘live’ user accounts.
  • Picture Passwords.
  • Difference between MUI and Desktop Interfaces.
  • Windows ‘Charms’.

Module 2 - Immersive Apps and IE10 MUI

This module helps the students understand the difference between IE10 MUI (Modern User Interface) and IE10 Desktop, and describes the new features of IE10 and their forensic significance. We will look at:

  • New features of Internet Explorer 10.
  • Pinning pages to Start and Desktop.
  • Flip Ahead.
  • Storage for Immersive Apps.
  • Synchronisation.
  • Tracking Protection.

Module 3 - IE10 and IE11 Forensic Artefacts

This module looks at the forensic artefacts associated with both the MUI and Desktop versions of IE10, and at how user information (Internet History, Cached Content and Cookies) is tracked using ‘Container.dat’ files in the ESE (Extensible Storage Engine) Database. We will look at:

  • Container.dat files and how they relate to the new WebCache Database.
  • Immersive App Caches.
  • Pinning of URLs.
  • IE10 and IE11 Incompatibility Database.
  • ‘Flip Ahead’ and cache.
  • ESE Database Viewing.

Module 4 - What has Changed?

This module looks at the changes made to Windows 8 that make it stand out from previous versions of Windows. We will be looking at:

  • The directory tree and some of the new file structures.
  • How Solid State Drives are handled during SuperFetch and defragmentation operations.
  • How the virtual memory files are used.
  • Windows SkyDrive.
  • Changes to BitLocker.
  • Windows Refresh and Reset Modes.
  • Thumbs.db files: yes, they are back.
  • ‘Windows 8 To Go’: what is it?

Module 5 - File History

This module looks at the new ‘File History’ feature and how it can be used to replace Volume Shadow Copy as a means of keeping historic copies of files. We will be looking at:

  • How to determine if File History has been switched on.
  • How to determine which folders are being backed up.
  • Where the files are backed up to and when they were last backed up.
  • Reading the ‘File History’ database and cache.
  • Restore Logs and Event Logs associated with ‘File History’.
  • ‘File History’ registry keys.

Module 6 - GUID Partition Tables

This module takes a look at the GUID Partition Table, which we will see again in the following modules on Virtual Hard Drives and Microsoft Storage Spaces. We will look at:

  • Identifying GUID Partition Tables.
  • Parsing partition information from GPTs.
  • Understanding how GUIDs are stored internally.
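As an added example (not part of the course material), the following Python parser covers the three bullets above: it identifies a GPT by the ‘EFI PART’ signature and header CRC, walks the partition entry array, and decodes the on-disk GUID layout by hand (first three fields little-endian, last two in byte order). The disk image it parses is constructed inline; the type GUID used is the standard Microsoft basic data partition GUID, and the other GUIDs are made up.

```python
import struct, uuid, zlib

SECTOR = 512
GPT_HEADER = struct.Struct("<8sIIIIQQQQ16sQIII")  # 92-byte header at LBA 1
GPT_ENTRY = struct.Struct("<16s16sQQQ72s")         # 128-byte partition entry

def guid_from_bytes(raw):
    """Decode a 16-byte on-disk GUID: first three fields little-endian, last two
    kept in byte order (mixed-endian). uuid.UUID(bytes_le=raw) gives the same."""
    d1, d2, d3 = struct.unpack("<IHH", raw[:8])
    return "%08x-%04x-%04x-%s-%s" % (d1, d2, d3, raw[8:10].hex(), raw[10:16].hex())

def parse_gpt(image):
    """Identify and parse the primary GPT of a raw disk image (512-byte sectors)."""
    hdr = image[SECTOR:SECTOR + GPT_HEADER.size]
    (sig, _rev, _hsize, hcrc, _res, _cur, _backup, _first, _last, disk_guid,
     ent_lba, ent_count, ent_size, acrc) = GPT_HEADER.unpack(hdr)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    # The header CRC32 is computed with its own CRC field (offset 16) zeroed.
    if zlib.crc32(hdr[:16] + b"\x00" * 4 + hdr[20:]) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    if ent_size != GPT_ENTRY.size:
        raise ValueError("unsupported partition entry size %d" % ent_size)
    array = image[ent_lba * SECTOR:ent_lba * SECTOR + ent_count * ent_size]
    if zlib.crc32(array) != acrc:
        raise ValueError("partition array CRC mismatch")
    parts = []
    for i in range(ent_count):
        ptype, puid, first, last, attrs, name = GPT_ENTRY.unpack(array[i * ent_size:(i + 1) * ent_size])
        if ptype == b"\x00" * 16:          # all-zero type GUID marks an unused slot
            continue
        parts.append({"type": guid_from_bytes(ptype), "guid": guid_from_bytes(puid),
                      "first_lba": first, "last_lba": last, "attrs": attrs,
                      "name": name.decode("utf-16-le").rstrip("\x00")})
    return {"disk_guid": guid_from_bytes(disk_guid), "partitions": parts}

def build_sample_image():
    """Constructed test image (not a real disk): empty LBA 0, header, 128 entries."""
    ptype = uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7")   # Microsoft basic data
    puid = uuid.UUID("11111111-2222-3333-4444-555555555555")    # constructed value
    entry = GPT_ENTRY.pack(ptype.bytes_le, puid.bytes_le, 2048, 4095, 0,
                           "Basic data partition".encode("utf-16-le"))
    array = entry.ljust(128 * GPT_ENTRY.size, b"\x00")
    disk = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")    # constructed value
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, 1, 8191, 34, 8158,
              disk.bytes_le, 2, 128, GPT_ENTRY.size, zlib.crc32(array)]
    fields[3] = zlib.crc32(GPT_HEADER.pack(*fields))   # CRC taken with the CRC field zeroed
    return b"\x00" * SECTOR + GPT_HEADER.pack(*fields).ljust(SECTOR, b"\x00") + array
```

On a real image the backup header at the last LBA should be checked the same way, since a damaged primary header is a common reason a tool reports no partitions.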

Module 7 - Virtual Hard Drives

This module will show the students how to identify Virtual Hard Drives and how to capture them for forensic analysis. I will also take the students through the creation process, so they are fully aware of the different types of Virtual Disk. We will look at:

  • Mounting of Virtual Hard Drives and ISO images.
  • Auto-mounting of VHDs.
  • Mounting a VHD Read Only.
  • VHD Event Logs.
  • Recognising VHD header types.

Module 8 - Storage Spaces

This module looks at Microsoft Storage Spaces, a replacement for the legacy Disk Manager. We will look at:

  • How Storage Spaces are created.
  • Windows Storage Management API.
  • Types of Storage Pools.
  • Storage Pool Partition Type GUIDs.
  • Storage Space Event Logs.

Module 9 - Windows 8 Registry

There are several new registry files in Windows 8, so we will explain the purpose of each and the forensic significance, if any, of the keys contained within these files. We will look at:

  • Legacy Registry Files.
  • New sub-keys in the SAM.
  • ELAM (Early Launch Anti-Malware) Registry.
  • BBI (Browser Based Interface) Registry.
  • Immersive Apps Settings Registry Files.