Windows 8 File History Forensics
The Windows 8 File History Service (fhsvs) gave birth to new forensic i.e. Windows 8 File History Forensics. It defends user inherited System Libraries such as documents, videos, contacts, favorites and pictures from accidental damage by creating a replica of them to a new backup location. By default, this attribute is OFF and to create a backup of user accomplishments, it needs to be turned ON. As a Forensicator, it is essential to recognize that the File History Service creates an abundant artifact on the desktop and selected backup location.
Windows 8 File History Forensics
Under the option of Contol Panel > System & Security > Advanced Setting user can make the changes in the file history of Windows 8. Settings show that it saves all the copies of files in every hour, Size of Offline cache is 5% of the disk space and the keep saved versions is forever by default.
Location of File History Service (fhsvs): Task Manager > Services >fhsvs
Location of Log Files (fhcfg.dll, fhcpl.dll, fhsvcctl.dll): Computer >Local Disk C > Windows > System 32
During the time of the investigation, Forensicator can extract the crucial artifacts from the File History dossier and Registry key. The File History comprises of two folders; Configuration Folder and Data Folder. In configuration folder Catalog#. edb and Config# files were created at the time of backup. The location of File History in Windows 8: –
For Windows 8 registry analysis, the File History option should be turned ON. In Windows 8 File History folder is created in registry key at the location: –
HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > FileHistory
HKEY_LOCAL_MACHINE > System > Controlset001 > Services > fhsvc
Forensic Analysis of Communication Applications: –
All the version of Microsoft Windows consists the most crucial evidence that can be used at the time of the forensic investigation. In the same way, Windows 8 file history forensics can be highly useful as it contains highly imperative artifacts in metro applications such as Cache files, cookie files, email files and email directories. An analyst can examine and extract these vital artifacts from user activities, a normal person may not be aware of the same, that’s where these relics are stored.
In Windows 8, Cache Files helps the investigator to view and examine contact details of the suspect such as emails and social networking sites (Twitter, Facebook, Linkedin), images and other contact data watched and shared by the person in doubt.
The location of cache file in Windows 8: – C:\Users\UserID\AppData\Local\Packages\Microsoft.windowscommunicationsapps_8wekyb3d8bbwe\
Cookies Files helps the Forensicators to view the message exchange between the users on emails, Facebook, Twitter, and it also assists the analysts to examine the email attachments.
Mail Files contains the evidence of user email artifacts such as ID of the sender, receiver, subject, and body. It has been observed that the users’ Windows live account is the original mail directory path.
From the Mail Directory, investigators can examine the multiple files available in the suspect email. Mail Directory contains different subdirectories that embrace several files with the different naming standard.
Carve Evidence From Windows 8 Registry Artifacts
The forensic analysis of Windows registry is the key fragment of the investigation. The Windows registry is the hierarchical database structure that stores configuration settings and options on the Windows Operating System. For investigators, registry work as a mining that embraces the enormous amount of crucial data of suspect activities. But the extraction of artifacts from the registry is not easy because of its size and intricate structure. The registry is fragmented into altered files called Hives. During Windows 8 registry analysis, investigators can extract the artifacts from the file history folder that is located in HKU and HKLM keys.
The launch of new Windows 8 operating system creates a variation and challenges in digital forensics. Forensicator needs to face these challenges with diligence and indulgence. The most throttling barriers faced are the forensic analysis of file history folder, simultaneous registry keys, and other related artifacts. The features of Windows 8 such as exploiting of social networking sites, Windows live cloud capabilities, etc., are much technical as compared to other versions of Windows. The above information will assist the investigator in Windows 8 file history forensics and carving out the artifacts from a suspect system.