Blog8

Windows 8 Forensics: Part 3

Windows 8 Forensics

Ethan Fleisher

Senator Patrick Leahy Center for Digital Investigation

File History

Within the Windows 8 Operating system, they have introduced file history backup which changes the way that backups were previously used. In previous versions of windows, backups could only be maintained and restored using the default system. Within windows 8 this solution is more robust and allows backups to be stored both on removable media and remote network shares. By default this will backup folders such as Music, Documents, Videos, Contacts and Favorites.

File history defaults –save copy every hour, offline cache is 5% of disk space, keep saved versions forever

It will back up by default, after turning it on, ALL libraries, desktop items, contacts, and favorites.  Power users can create new libraries that will allow for back up occurring.

Within users\<username>\appdata\local\microsoft\windows\filehistory, a configuration file obtains which folders the user determined to back up, the user ID that is backing them up, the PC name, the retention policy for saved file history, if set, the frequency to back up (listed in seconds), the target of the backups, including volume path, drive type, and drive letter.

This folder is only present if the file history feature is turned on.

Within the system hive of the registry, under current control set\servers\fhsvc, the File History Service is found.  This key does not provide much information that I have found to be relevant at this point in time.

Within the software key, a new key is present under software\microsoft\windows\currentversion\filehistory.

Log files in windows 8 are stored at root\windows\system32\winevt

The only event log that I have found updated by file history is Microsoft-Windows-FileHistory-Core.  It is updated every 10 minutes, at the same time the file history was backed up on the machine.

http://www.youtube.com/watch?v=M8DyHZpFZnc

There is more to come on this research, so keep checking back here on our blog.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Current day month ye@r *