Tuesday, January 8, 2013

My Windows 8 DFIR Reading List

Below is my reading list for Windows 8 DFIR. I suspect it’s only a matter of time until everyone sees a hard drive with Windows 8. If you have any other resources to add to the list, feel free to drop a comment and I'll add it to the list.

Windows 8: Important Considerations for Computer Forensics and Electronic Discovery

http://articles.forensicfocus.com/2012/12/09/windows-8-important-considerations-for-computer-forensics-and-electronic-discovery/

Windows 8 Forensics - A First Look (ForensicFocusVideos)

https://www.youtube.com/watch?v=uhCooEz9FQs

Forensic Artifact: Malware Analysis in Windows 8

http://resources.infosecinstitute.com/forensic-analysis-windows-8/

Windows 8 Forensics: USB Activity

http://www.infosecisland.com/blogview/22235-Windows-8-Forensics-USB-Activity.html

Champlain College Windows 8 Forensics 3 Part Series

http://computerforensics.champlain.edu/blog/windows-8-forensics

http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2

http://computerforensics.champlain.edu/blog/windows-8-forensics-part-3

Windows 8 Forensics: Reset and Refresh Artifacts

http://cyberarms.wordpress.com/2012/08/30/windows-8-forensics-reset-and-refresh-artifacts/

Windows 8 Forensic Guide

http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf

Ken Johnson's Research

https://computer-forensics.sans.org/summit-archives/2012/windows-8-recovery-forensics-understanding-the-three-rs.pdf

http://randomthoughtsofforensics.blogspot.com/2011/12/windows-8-forensic-overview.html

http://randomthoughtsofforensics.blogspot.com/2012/06/windows-8-forensic-file-history.html

http://randomthoughtsofforensics.blogspot.com/2012/07/trouble-with-typedurlstime.html

12 comments:

  1. Thanks for the addition of my SANS preso, but you might find more information at one of the following:

    http://randomthoughtsofforensics.blogspot.com/2011/12/windows-8-forensic-overview.html

    http://randomthoughtsofforensics.blogspot.com/2012/06/windows-8-forensic-file-history.html

    http://randomthoughtsofforensics.blogspot.com/2012/07/trouble-with-typedurlstime.html

  2. David,

    Thanks for sharing this list. I've seen or read just about all of them, including Ken's great presentation on File History. Ken thoughtfully created a RegRipper plugin just for that artifact.

    While some things haven't changed (Registry structure, Jump Lists, etc.), I think it's important to note that Windows 8 was designed for touch-screen interfaces; as such, this is something that a lot of folks are going to encounter.

  3. David,

    There are a few more posts I made that used to be on Champlain's blog, but I think they may have gotten lost in some crossfire somewhere; either way, they're posted on my personal blog now too. There's an in-depth look at the Reset/Refresh functions and the artifacts left over, as well as a much deeper look at WebCacheV24.dat IE10 files.

    http://dig4n6.blogspot.com/2012/08/windows-8-reset-and-refresh-artifacts.html

    http://dig4n6.blogspot.com/2012/07/attacking-webcachev24-with-esedbviewer.html

  4. This is an amazing post. Thank you for presenting a wide variety of information that is very interesting to see in this article.
