ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between pages "Bibliography" and "Windows 8"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Evidence Gathering: Added article on methods of retrieving digital evidence.)
 
(New Features)
 
Line 1: Line 1:
=Disk Disposal and Data Recovery=
+
Initially Windows 8 had a workstation and server edition. The server edition became Windows Server 2012.
* [http://forensic.belkasoft.com/download/info/SSD%20Forensics%202012.pdf Why SSD Drives Destroy Court Evidence, and What Can Be Done About It] by Oleg Afonin and Yuri Gubanov, 2012
+
* [http://www.deepspar.com/pdf/DeepSparDiskImagingWhitepaper3.pdf Disk Imaging: A Vital Step in Data Recovery], DeepSpar Data Recovery Systems, November 2006. An in depth look at the many issues that cause data loss / irretrievable data in the data recovery imaging process and how to overcome them.
+
* [http://www.actionfront.com/ts_whitepaper.asp Drive-Independent Data Recovery: The Current State-of-the-Art], ActionFront Data Recovery Labs, August 2005.
+
* [[Recovering Overwritten Data#The Gutmann Paper|Secure Deletion of Data from Magnetic and Solid-State Memory]], Peter Gutmann, Proceedings of the Sixth Usenix Security Symposium, 1996. [http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html]
+
* [http://www-03.ibm.com/financing/pdf/us/recovery/igf4-a032.pdf Hard Drive Disposal: The Overlooked Confidentiality Exposure], FInancial Perspectives, IBM White Paper, November 2003.
+
  
<bibtex>
+
== New Features ==
@Article{garfinkel:remembrance,
+
The following new features were introduced in Windows 8:
  author =       "Simson Garfinkel and Abhi Shelat",
+
* [[Windows Shadow Volumes | File History]]
  author_a =       "Simson L. Garfinkel and Abhi Shelat",
+
* [[Windows Storage Spaces | Storage Spaces]]
  title =       "Remembrance of Data Passed",
+
* [[Search Charm History]]
  journal =     "{IEEE} Security and Privacy Magazine",
+
  publisher =    "IEEE",
+
  year      =        "2002",
+
  month    = Jan,
+
  url="http://www.simson.net/clips/academic/2003.IEEE.DiskDriveForensics.pdf"
+
}
+
</bibtex>
+
  
=Evidence Gathering=
+
== File System ==
 +
The file system used by Windows 8 is primarily [[NTFS]].
  
* [http://belkasoft.com/download/info/Live_RAM_Analysis_in_Digital_Forensics.pdf Discovering ephemeral evidence with Live RAM analysis] by Oleg Afonin and Yuri Gubanov, 2013
+
The [[Resilient File System (ReFS)]] was initially available in the Windows 8 server edition but became part of Windows 2012 server edition.
* [http://belkasoft.com/download/info/Retrieving%20Digital%20Evidence%20-%20Methods,%20Techniques%20and%20Issues.pdf Retrieving Digital Evidence: Methods, Techniques and Issues] by Yuri Gubanov, 2012
+
* [http://utdallas.edu/~sxs018540/index/docs/byteprints_itcc05.pdf Byteprints: A Tool to Gather Digital Evidence], Sriranjani Sitaraman, Srinivasan Krishnamurthy and S. Venkatesan, Proceedings of the International Conference on Information Technology (ITCC 2005), Las Vegas, Nevada, USA, April 4 - 6, 2005
+
  
=Fake Information=
+
== Jump Lists ==
 +
[[Jump Lists]] are Task Bar artifacts that were first introduced on Windows 7 and are also available on Windows 8.
  
* [https://analysis.mitre.org/proceedings/Final_Papers_Files/84_Camera_Ready_Paper.pdf Automatic Detection of Fake File Systems], Neil C. Rowe, International Conference on Intelligence Analysis Methods and Tools, McLean, Virginia, May 2005.
+
== Prefetch ==
 +
The prefetch hash function is similar to [[Windows 2008]].
  
=Feature Extraction and Data Fusion=
+
== Registry ==
Computer Location Determination Through Geoparsing and Geocoding of
+
The [[Windows_Registry|Windows Registry]] remains a core component of the Windows operating system.
Extracted Features
+
http://www2.chadsteel.com:8080/Publications/drive_location2.doc
+
<bibtex>
+
@inproceedings{garfinkel:cda,
+
  title="Forensic feature extraction and cross-drive analysis",
+
  author="Simson Garfinkel",
+
  booktitle={Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS)},
+
  address = "Lafayette, Indiana",
+
  journal="Digital Investigation",
+
  year=2006,
+
  month=Aug,
+
  url="http://www.dfrws.org/2006/proceedings/10-Garfinkel.pdf",
+
  location="Lafayette, Indiana"
+
}
+
</bibtex>
+
  
=Text Mining=
+
== See Also ==
 +
* [[Windows]]
 +
* [[Windows Vista]]
 +
* [[Windows 7]]
  
'''Computer Forensic Text Analysis with Open Source Software,''' Christian Johansson, Masters Thesis, Blekinge Tekniska Hogskola, June 2003  http://www.fukt.bth.se/~uncle/papers/master/thesis.pdf
+
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Features_new_to_Windows_8 Features new to Windows 8], Wikipedia
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics Windows 8 Forensics - part 1]
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2 Windows 8 Forensics - part 2]
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-3 Windows 8 Forensics - part 3]
 +
* [http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf Windows 8 Forensic Guide], by [[Amanda Thomson|Amanda C. F. Thomson]], 2012
 +
* [http://forensicfocus.com/Forums/viewtopic/t=9604/ Forensic Focus: Windows 8 Forensics - A First Look], [http://www.youtube.com/watch?v=uhCooEz9FQs&feature=youtu.be Presentation], [http://www.forensicfocus.com/downloads/windows-8-forensics-josh-brunty.pdf Slides], by [[Josh Brunty]], August 2012
 +
* [http://dfstream.blogspot.ch/2013/03/windows-8-tracking-opened-photos.html Windows 8: Tracking Opened Photos], by [[Jason Hale]], March 8, 2013
 +
* [http://dfstream.blogspot.com/2013/09/windows-8-and-81-search-charm-history.html indows 8 and 8.1: Search Charm History], by [[Jason Hale]], September 9, 2013
  
=Signed Evidence=
+
[[Category:Operating systems]]
<bibtex>
+
@article{duerr-2004,
+
  title="Information Assurance Applied to Authentication of Digital Evidence",
+
  author="Thomas E. Duerr and Nicholas D. Beser and Gregory P. Staisiunas",
+
  year=2004,
+
  journal="Forensic Science Communications",
+
  volume=6,
+
  number=4,
+
  url="http://www.fbi.gov/hq/lab/fsc/backissu/oct2004/research/2004_10_research01.htm"
+
}
+
</bibtex>
+
 
+
 
+
<bibtex>
+
@article{OppligerR03,
+
  author    = {Rolf Oppliger and Ruedi Rytz},
+
  title    = {Digital Evidence: Dream and Reality},
+
  journal  = {IEEE Security {\&} Privacy},
+
  volume    = {1},
+
  number    = {5},
+
  year      = {2003},
+
  pages    = {44-48},
+
  url      = {http://doi.ieeecomputersociety.org/10.1109/MSECP.2003.1236234},
+
  abstract="Digital evidence is inherently weak. New evidence-gathering technologies-digital black boxes-must be developed and deployed to support investigations of irreproducible events such as digitally signing a document."
+
}
+
</bibtex>
+
 
+
=Theory=
+
'''A Hypothesis-Based Approach to Digital Forensic Investigations,''' Brian D. Carrier, Ph.D. Dissertation
+
Purdue University, May 2006 https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2006-06.pdf
+
 
+
=Other Papers=
+
 
+
* [http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782 A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?], Peter P. Swire, Moritz College of Law of the Ohio State University, Journal on Telecommunications and High Technology Law, Vol. 2, 2004.
+
 
+
[[Category:Bibliographies]]
+

Revision as of 17:15, 20 October 2013

Initially Windows 8 had a workstation and server edition. The server edition became Windows Server 2012.

New Features

The following new features were introduced in Windows 8:

File System

The file system used by Windows 8 is primarily NTFS.

The Resilient File System (ReFS) was initially available in the Windows 8 server edition but became part of Windows 2012 server edition.

Jump Lists

Jump Lists are Task Bar artifacts that were first introduced on Windows 7 and are also available on Windows 8.

Prefetch

The prefetch hash function is similar to Windows 2008.

Registry

The Windows Registry remains a core component of the Windows operating system.

See Also

External Links