Challenges in Windows 8 Operating System for Digital Forensic Investigations

TingTing Goh, BBus

A thesis submitted to the Faculty of Design and Creative Technologies, Auckland University of Technology, in partial fulfilment of the requirements for the degree of Masters of Forensic Information Technology

School of Computer and Mathematical Sciences
Auckland, New Zealand
2014

Declaration

I hereby declare that this submission is my own work and that, to the best of my knowledge and belief, it contains no material previously published or written by another person nor material which to a substantial extent has been accepted for the qualification of any other degree or diploma of a University or other institution of higher learning, except where due acknowledgement is made in the acknowledgements.

_________________
TingTing Goh

Acknowledgements

This thesis was completed at the Faculty of Design and Creative Technologies in the School of Computing and Mathematical Sciences at Auckland University of Technology, New Zealand. During the course of this research project, I have received support and advice from many people in one way or another. I would like to thank my family, friends and colleagues for providing support and encouragement when working on the thesis as well as throughout my entire postgraduate study. I would also like to thank my thesis supervisor Professor Brian Cusack for his guidance throughout the thesis project. Also the assistance from several proof readers is acknowledged.

Abstract

Windows 8 was released in October 2012 and was followed by Windows 8.1 in October 2013. It was hypothesised that the improvements and new features in Windows 8 may cause new challenges to Digital Forensic investigation. Similarly, the forensic techniques that worked perfectly on past versions of Windows might require changes when dealing with a Windows 8 machine.

The objective of the research was hence to find out the investigation challenges of the new features in Windows 8 that could impact on the Digital Forensic investigation process. The research focuses on the Digital Forensic investigation process gap when dealing with the new version of the operating system.

The research first started by reviewing the past Windows platforms with a focus on comparing Windows 7 and Windows 8 to identify the differences. Digital Forensic areas such as Digital Forensic tools and the existing Digital Forensic model were also explored. The problem areas related to Digital Forensic techniques, Windows 8 Digital Forensic issues, and Windows 8 features issues were identified. The reviews were narrowed down to review the gap in research in one area. Then the main research question and sub questions for the research were constructed. The main question chosen for the research was “What new features in Windows 8 Operating System pose new challenges to the Digital Forensic investigation?”

The hypotheses of the research were also defined for testing before the methodology was introduced in order to conduct the experiments to answer the research question and also test the hypotheses. The research phases followed the six phases “Preparation, Incident Response, Data Collection, Data Analysis, the Report and Incident Closure”. Each of the phases was recorded and the results of the findings were used to assist in answering the research questions.

Based on the findings, the three new features in Windows 8 of significance were the secure boot, after reset option and communication applications. These features in Windows 8 were found to bring new challenges for Digital Forensic investigations.

Table of Contents

Formalities
  Declaration
  Acknowledgements
  Abstract
  Table of Contents
  List of Tables
  List of Figures

Chapter 1 – Introduction
  1.0 INTRODUCTION
  1.1 PROBLEM AREAS
  1.2 MOTIVATION
  1.3 STRUCTURE OF THE THESIS

Chapter 2 – Literature Review
  2.0 INTRODUCTION
  2.1 REVIEW OF WINDOWS 7 RESEARCH
    2.1.1. History of Windows Platform
    2.1.2. Review of Windows 7 Platform
    2.1.3. Forensic Benefits Areas in Windows 7
    2.1.4. Forensic Problems Areas in Windows 7
  2.2 REVIEW OF WINDOWS 8 RESEARCH
    2.2.1. Windows 8 Consumer Review
    2.2.2. Windows 8 Consumer Review Advantages
    2.2.3. Windows 8 Consumer Review Disadvantages
    2.2.4. Differences Between Windows 7 and Windows 8
  2.3 WINDOWS 8 NEW FEATURES
    2.3.1. Language and Standards Support
    2.3.2. Windows Store
    2.3.3. User Login
    2.3.4. Microsoft Account Integration
    2.3.5. File Explorer
    2.3.6. Internet Explorer
    2.3.7. Task Manager
    2.3.8. File History
    2.3.9. Hardware Support
    2.3.10. Hybrid Boot
    2.3.11. Installation
    2.3.12. Networking
    2.3.13. Repair Recovery
    2.3.14. Security
    2.3.15. Video Subsystem
    2.3.16. Windows To Go
    2.3.17. Hyper-V
    2.3.18. Storage Spaces
  2.4 WINDOWS 8 FORENSIC RESEARCH
    2.4.1. Windows 8 Forensic Professionals Review
    2.4.2. Windows 8 Digital Forensic Investigation Process
    2.4.3. Windows 8 Forensic Tools and Techniques
  2.5 EXISTING DIGITAL FORENSIC MODEL
  2.6 LATEST DEVELOPMENT IN WINDOWS 8 OPERATING SYSTEM
  2.7 CONCLUSION

Chapter 3 – Methodology
  3.0 INTRODUCTION
  3.1 REVIEW OF ISSUES AND PROBLEMS
    3.1.1. Review Past Windows Platform Digital Forensic Issues And Problems
    3.1.2. Review of Current Windows 8 Issues And Problems
    3.1.3. Review of Windows 8 Digital Forensic Issues And Problems
    3.1.4. Review of Windows 8 New Features Issues and Problems
  3.2 SELECTION OF RESEARCH PROBLEM
    3.2.1. Relevance Past Windows Platform Issues And Problems
    3.2.2. Relevance Current Issues And Problems in Windows 8
    3.2.3. Relevance Windows 8 Digital Forensic Issue And Problems
    3.2.4. Relevance Issues And Problems In Windows 8 New Features
  3.3 RESEARCH QUESTION AND HYPOTHESIS
    3.3.1. Review of Challenges in Windows 8 New Features For Digital
