Windows 8 Forensics
Senator Patrick Leahy Center for Digital Investigation
Google Chrome History – Google Chrome History is stored within <root>users<username>appdatalocalgooglechromeuser datadefault. After exporting this information out, I loaded it into a tool called Chrome Analysis Plus. The following image depicts the information that I was able to obtain from Google Chrome browsing history.
Mozilla Firefox History – Firefox history is stored within <root>users<username>appdataroamingmozillafirefoxprofiles. After exporting this information, I loaded it into Fox Analysis, a tool that works very similar to Chrome Analysis. The following image depicts the information that I was able to obtain from Firefox browsing history.
Microsoft Internet Explorer – Within Windows 8, a new version of Internet Explorer is introduced. This version, Internet Explorer 10, has many different features such as:
Temporary internet files are stored within <root>users<username>appdatalocalmicrosoftwindowstemporary internet files. Within this folder, there is a subfolder Low that contained all the TIF files for the browsing that I did. This is slightly different from Windows 7 where the files were not forced into the low folder.
TypedURL’s is still in the same spot in NTUSER.DAT, as well as another key called “TypedURLSTime” which contains hex values that, when put through DCode, correctly reflect the time that the URL was typed.
Within Windows 8, Internet Explorer history is presented in a different manor due to the IE10 update. As of this writing, there is no support for IE 8/9 on the Windows 8 operating system. Because of this, conventional means of internet history has changed.
Cookies, in windows 7, are stored in two places, one of which is with temporary internet files, and the other being <root>users<username>appdataroamingmicrosoftwindowscookies. The image below depicts this:
In Windows 8, cookies are located in a slightly different location, <root>users<username>appdataroamingmicrosoftwindowscookieslow, as shown below:
Traditionally, in Windows 7, Internet Explorer files are stored within <root>users<username>appdatalocalmicrosoftmicrosoftwindowshistory contained in index.dat. The image below depicts this:
On Windows 8 in the same location, <root>users<username>appdatalocalmicrosoftmicrosoftwindowshistory, index.dat files are no longer there. Instead, this folder holds container.dat which is consistently empty.
With traditional methods of internet history not being present, I was forced to look for web history in other areas. In order to do this, I did keyword searches for websites that I visited while on internet explorer. After reviewing the hits that occurred, I found that WebCacheV24.dat contains a majority of the information that index.dat previously did.
Internet history hits within webcachev24.dat This list of website hits occurs within the file at offset 1902336 and reflects accurate timestamps for website visits.
This file offset is consistent to similar start points in webcachev24.dat in other VM’s that I have created. The first website generally occurs within a few thousands bytes of file offset 1900000.
However, this is not the only area that web history is found at. Much further down into the file, at offset 5046834, a second list of websites is found that reflect accurate timestamps. This list, however, is more unclear with what it is providing and in some instances doesn’t necessarily follow chronological order.
The timestamp, in both of the above instances, is an 8 byte hex value located 36 bytes prior to the notation indicating “visited: forensicator @ website”.
For the next part of this project, see “Windows 8 Forensics Part 3″.
If you have any comments, questions and/or suggestion please feel free to leave a comment here on the blog. Or feel free to email us atLCDI@champlain.edu, with “Windows 8 Forensics” in the subject.