Tuesday, June 12, 2012
Windows 8 Forensic - File History
This research ties in with the Sans Webcast here.
With the release of Microsoft’s new Operating System Windows 8, they have introduced a few new features that increase the capabilities of the operating system storage and backup offerings. In this article I will be covering the File History Services and its capabilities.
According to Microsoft, File History Service (fhsvc) is used to protect user files from accidental loss by copying them to a backup location. File History Service is not enabled for any user by default, but upon connecting a removable media device, you will get an option to use this device as a backup location. Since File History Services is configurable by each user, it is enabled on a user by user instance. At the default level File History service will automatically protect the Default System Libraries (Music, Documents, Videos and Pictures), Files on the Desktop, Contacts and users favorites. Users can also create new libraries to include in the backup solution, or exclude currently backed up libraries from future backups.
When the File History Service is enabled numerous artifacts are created on both the local machine, and the target backup location. These artifacts include Event Logs, Registry settings, configuration files and incremental file backups in the target directory.
Some limitations of the File History Service is that the backups are not at block-level and do to the way that it handles login credentials it is unable to backup EFS files. The service itself runs as in the background as a local service using the local user credentials.  It is because the service runs as a local user account that each user must set up their custom configuration to File History.
The rest of the research can be found here.
RegRipper Plugin for the HKU FileHistory Key is here.