Wednesday, July 3, 2013

Windows 8 Thesis DRAFT

This has been a little over a year coming. While I have enjoyed everything I have learned on this topic, I have until the end of the month to finish it up and submit it for graduation. Feedback on what I might be missing or things that I need to clarify would be great.


One of the most difficult processes in digital forensics is understanding how new technology interacts with current technology, and how digital forensic analysts can use current digital forensics tools and processes to recover and find hidden information. Microsoft has released its new operating system, Windows 8, and with this release Microsoft has added features to the operating system that will present some interesting complications for digital forensics.

Since the initial release of the Windows 8 Release Candidates, some research has been published that focuses primarily on the new user-created artifacts and on a few artifacts added by the operating system that might contain valuable information. In this paper I will look at the new recovery options that have been introduced in Windows 8 and the impact they have on these artifacts.

The first thing that I plan to look at is the artifacts discovered by the research of Amanda Thomson. Once I have analyzed these artifacts and verified their locations on the disk, I will create a baseline dataset against which to compare the impact of the recovery options on these artifacts. I will also include artifacts of new features that I have researched in this baseline.

The second thing that I will look at is how the various recovery options affect the artifacts found on the operating system. This will be done by installing Windows 8 in a virtual machine environment, taking snapshots of a base image, and then using each of the recovery methods. Once a recovery method has completed successfully, I will take the virtual machine disk and mount it in FTK and EnCase for analysis.

The final thing that I will include in this paper is a detailed walkthrough of where the artifacts will reside on the machine after a recovery option has been completed. I will examine the locations on a live machine as well as on a forensic copy. I will show which artifacts are easily recoverable, which artifacts take some time to recover, and which artifacts will not be recoverable.

My Thesis


  1. Thanks for making this available. I look forward to reading it...

  2. Ken,

    I've been reading your Windows 8 work since it was initially released, as I have also been a big fan of doing Windows 8 research. I am very much looking forward to the final product from this.

    Are you diving into Windows 8.1 at all? That's going to be the next big step for me. I want to take a quick look back at all my previous work and see if anything new is coming up with the new release, and move into more from there.

    Either way, great work!

  3. Ethan,

    I do have plans to look at 8.1 at some point in the near future. Right now I am looking at the Thorough Reset option and trying to figure out if there is a pattern to the wipe.

  4. Good work Ken. I'm looking forward to seeing what you find on how Win8 handles some of the file recovery and file history functions. Have you started up any research on ReFS artifacts yet? I'm interested to see what it has in store from a forensic perspective.

  5. This is very fine work, Ken. Thanks for sharing it!

  6. This is a very timely thesis, since people are having mixed critiques about Windows 8. This is one of the thesis ideas that I look forward to reading. Thanks for sharing this!