Windows 8 File History Forensics
The Windows 8 File History Service (fhsvc) gives rise to a new area of investigation: Windows 8 File History forensics. The service protects the user's system libraries (Documents, Videos, Contacts, Favourites and Pictures) from accidental loss by keeping a replica of them in a separate backup location. The feature is OFF by default and must be turned ON before any backup of the user's files is made. For the Forensicator it is essential to recognise that the File History Service leaves abundant artefacts both on the desktop system and in the selected backup location.
Under Control Panel > System & Security > Advanced Settings, the user can change the File History settings of Windows 8. By default, copies of files are saved every hour, the offline cache is sized at 5% of disk space, and saved versions are kept forever.
Location of the File History Service (fhsvc): Task Manager > Services > fhsvc
Location of the log files (fhcfg.dll, fhcpl.dll, fhsvcctl.dll): Computer > Local Disk (C:) > Windows > System32
During an investigation, the Forensicator can extract crucial artefacts from the File History folder and from the registry keys. The File History folder comprises two subfolders, Configuration and Data. In the Configuration folder, Catalog#.edb and Config# files are created at the time of backup. The location of File History in Windows 8:
C:\Users\USERNAME\AppData\Local\Microsoft\Windows\FileHistory
For Windows 8 registry analysis, the File History option must be turned ON. In Windows 8 the File History keys are created in the registry at the following locations:
HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > FileHistory
HKEY_LOCAL_MACHINE > System > Controlset001 > Services > fhsvc
Forensic Analysis of Communication Applications
Every version of Microsoft Windows holds crucial evidence that can be used in a forensic investigation. In the same way, Windows 8 file history forensics is highly useful because the Metro applications leave important artefacts such as cache files, cookie files, mail files and mail directories. An analyst can examine and extract these artefacts of user activity; an ordinary user is usually unaware that these relics are stored at all, let alone where.
In Windows 8, the cache files help the investigator view and examine the suspect's contact details, such as emails, social networking sites (Twitter, Facebook, LinkedIn), images and other contact data viewed and shared by the person under suspicion.
The location of the cache files in Windows 8:
C:\Users\UserID\AppData\Local\Packages\Microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCache
Cookie files help the Forensicator view the message exchanges between users over email, Facebook and Twitter, and also help the analyst examine email attachments. Their location:
C:\Users\UserID\AppData\Local\Packages\Microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\INetCookies
Mail files contain the user's email artefacts, such as the sender, receiver, subject and body. It has been observed that the user's Windows Live account is the original mail directory path:
C:\Users\UserID\AppData\Local\Packages\Microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Indexed\LiveComm\%randomString%\%randomString%\Mail
From the Mail directory, investigators can examine the many files in the suspect's mailbox. Note that the Mail directory contains several subdirectories, each holding files that follow different naming conventions.
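The artefact locations above (the File History Configuration and Data folders, and the Mail app's INetCache, INetCookies and Mail directories with their random-string parents) can be triaged in one pass over a user profile copied out of a mounted image. The following is an added example, not code from the original article; the sample profile tree it builds is constructed test data, and the file names Catalog1.edb and Config1.xml are assumed stand-ins for the Catalog#.edb and Config# files.

```python
from pathlib import Path
import tempfile

COMM_PKG = "Microsoft.windowscommunicationsapps_8wekyb3d8bbwe"


def locate_artefacts(profile: Path) -> dict:
    """Return File History config files, Data folder and Mail-app paths
    under one user profile; missing locations come back as None / []."""
    fh = profile / "AppData/Local/Microsoft/Windows/FileHistory"
    cfg = fh / "Configuration"
    pkg = profile / "AppData/Local/Packages" / COMM_PKG

    def if_dir(p: Path):
        return p if p.is_dir() else None

    config_files = []
    if cfg.is_dir():  # Catalog#.edb and Config# are written on first backup
        config_files = sorted(p.name for p in cfg.glob("Catalog*.edb"))
        config_files += sorted(p.name for p in cfg.glob("Config*"))
    # the two LiveComm levels are random strings, so glob across them
    mail_dirs = sorted(p.relative_to(pkg).as_posix()
                       for p in pkg.glob("LocalState/Indexed/LiveComm/*/*/Mail")
                       if p.is_dir())
    return {"config": config_files, "data": if_dir(fh / "Data"),
            "cache": if_dir(pkg / "AC/INetCache"),
            "cookies": if_dir(pkg / "AC/INetCookies"), "mail": mail_dirs}


def build_sample_profile(root: Path) -> Path:
    """Constructed profile tree mirroring the article's paths (test data)."""
    profile = root / "Users" / "suspect"
    cfg = profile / "AppData/Local/Microsoft/Windows/FileHistory/Configuration"
    cfg.mkdir(parents=True)
    (cfg / "Catalog1.edb").write_bytes(b"")  # empty stand-in for the ESE catalog
    (cfg / "Config1.xml").write_bytes(b"")   # empty stand-in for the config file
    (cfg.parent / "Data").mkdir()
    pkg = profile / "AppData/Local/Packages" / COMM_PKG
    for sub in ("AC/INetCache", "AC/INetCookies",
                "LocalState/Indexed/LiveComm/a1b2c3/d4e5f6/Mail"):
        (pkg / sub).mkdir(parents=True)
    return profile


def run_demo() -> tuple:
    """Triage the constructed profile and an empty one (File History never on)."""
    root = Path(tempfile.mkdtemp())
    return (locate_artefacts(build_sample_profile(root)),
            locate_artefacts(root / "Users" / "nobody"))
```

An empty `config` list with no `Data` folder distinguishes a profile where File History was never turned ON from one where it ran but has since been cleared.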
Carve Evidence From Windows 8 Registry Artifacts
Forensic analysis of the Windows registry is a key part of the investigation. The registry is a hierarchical database that stores configuration settings and options for the Windows operating system, so for investigators it is a mine holding an enormous amount of crucial data about the suspect's activities. Extracting artefacts from it is not easy, however, because of its size and intricate structure. The registry is split into separate files called hives. During Windows 8 registry analysis, investigators can extract artefacts from the File History keys located under HKU and HKLM.
Conclusion
The launch of Windows 8 brings new variations and challenges to digital forensics, which the Forensicator must meet with diligence and care. The most difficult barriers are the forensic analysis of the File History folders, the corresponding registry keys and other related artefacts. Windows 8 features such as the use of social networking sites and Windows Live cloud capabilities are far more technical than those of earlier versions of Windows. The information above will assist the investigator in Windows 8 File History forensics and in carving artefacts from a suspect system.