Below is my reading list for Windows 8 DFIR. I suspect it’s only a matter of time until everyone sees a hard drive with Windows 8. If you have any other resources to add to the list, feel free to drop a comment and I'll add it to the list.
Windows 8: Important Considerations for Computer Forensics and Electronic Discovery
http://articles.forensicfocus.com/2012/12/09/windows-8-important-considerations-for-computer-forensics-and-electronic-discovery/
Windows 8 Forensics - A First Look (ForensicFocusVideos)
https://www.youtube.com/watch?v=uhCooEz9FQs
Forensic Artifact: Malware Analysis in Windows 8
http://resources.infosecinstitute.com/forensic-analysis-windows-8/
Windows 8 Forensics: USB Activity
http://www.infosecisland.com/blogview/22235-Windows-8-Forensics-USB-Activity.html
Champlain College Windows 8 Forensics 3 Part Series
http://computerforensics.champlain.edu/blog/windows-8-forensics
http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2
http://computerforensics.champlain.edu/blog/windows-8-forensics-part-3
Windows 8 Forensics: Reset and Refresh Artifacts
http://cyberarms.wordpress.com/2012/08/30/windows-8-forensics-reset-and-refresh-artifacts/
Windows 8 Forensic Guide
http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf
Ken Johnson's Research
https://computer-forensics.sans.org/summit-archives/2012/windows-8-recovery-forensics-understanding-the-three-rs.pdf
http://randomthoughtsofforensics.blogspot.com/2011/12/windows-8-forensic-overview.html
http://randomthoughtsofforensics.blogspot.com/2012/06/windows-8-forensic-file-history.html
http://randomthoughtsofforensics.blogspot.com/2012/07/trouble-with-typedurlstime.html
Thanks for the addition of my SANS Preso, but you might find more information at one of the following:
http://randomthoughtsofforensics.blogspot.com/2011/12/windows-8-forensic-overview.html
http://randomthoughtsofforensics.blogspot.com/2012/06/windows-8-forensic-file-history.html
http://randomthoughtsofforensics.blogspot.com/2012/07/trouble-with-typedurlstime.html
David,
Thanks for sharing this list. I've seen or read just about all of them, including Ken's great presentation on File History. Ken thoughtfully created a RegRipper plugin just for that artifact.
While some things haven't changed (Registry structure, Jump Lists, etc.), I think it's important to note that Windows 8 was designed for touch-screen interfaces; as such, this is something that a lot of folks are going to encounter.
David,
There are a few more posts that I made that used to be on Champlain's blog but I think may have gotten lost in some crossfire somewhere; either way, they're posted on my personal blog now too. There's an in-depth look at the Reset/Refresh functions and artifacts left over, as well as a much deeper look at WebCachev24.dat IE10 files.
http://dig4n6.blogspot.com/2012/08/windows-8-reset-and-refresh-artifacts.html
http://dig4n6.blogspot.com/2012/07/attacking-webcachev24-with-esedbviewer.html