© 2012 Scarab Acquisition LLC
Introduction

Documents identified by computer forensic investigations in civil litigation
typically require review and analysis by attorneys to determine whether the
uncovered evidence could support causes of action such as breach of contract,
breach of fiduciary duty, misappropriation of trade secrets, tortious
interference, or unfair competition. Bit-for-bit forensic imaging of
workstations is also commonly used as an efficient way to gather evidence
quickly for further disposition in general commercial litigation matters. For
example, instead of relying upon individual custodians to self-select and copy
their own files, forensic images of workstations can be accurately filtered to
exclude system files, which only a computer can understand, and to identify the
files that humans actually use, such as Microsoft Word, Excel, PowerPoint,
Adobe PDF files and email. In any of the above situations, be it a trade
secrets type matter or a general commercial litigation case, litigants are
always highly sensitive to the potential costs associated with attorney review.


Now that Microsoft Windows 8 workstations are available for sale and will
likely be purchased by corporate buyers, civil cases involving the
identification and analysis of emails from such machines are a certainty.
Recently, excellent computer forensic research on Windows 8 performed by Josh
Brunty, Assistant Professor of Digital Forensics at Marshall University,
revealed that “In addition to Web cache and cookies, user contacts synced from
various social media accounts such as Twitter, Facebook, and even e-mail
clients such as MS Hotmail are cached with the (sic Windows 8) operating
system” (source:
http://www.dfinews.com/article/microsoft-windows-8-forensic-first-look?page=0,3).
Building on Professor Brunty’s scholarship, I set out to determine the extent,
amount, and file formats in which email communications exist on a Windows 8
machine. In addition, a goal was to identify any potential issues in
processing locally stored communications for attorney review in the discovery
phase of civil litigation.


As you will see, the format in which Windows 8 stores email locally does in
fact present potentially significant challenges to cost-effective discovery in
both trade secrets type matters and general commercial litigation cases. Fear
not: my conclusion offers some potential solutions as well as other important
considerations.

Testing

      My testing was performed on the Release Preview version of
      Windows 8, so I will be upgrading the subject workstation to the
      current retail version, re-running my tests and reporting the results in
      a later publication.


      1. Subject Workstation “Laptop”


            Manufacturer: Dell Latitude D430
            Specifications: Intel Core 2 CPU U7600 @ 1.20GHz / 2.00GB Installed RAM /
            OS: Windows 8 Release Preview / Product ID: 00137-11009-99904-AA587
            HARD DRIVE: SAMSUNG HS122JC ATA Device / Capacity 114,472 MB



      2. Windows 8 Installation


      The Dell Laptop originally came with Windows XP Professional
      installed, but I replaced XP with Windows 8 Release Preview (“W8”)
      using an installation DVD burned from the W8 .ISO file provided by
      Microsoft’s website.


3. Windows 8 Preparation


I created a single user account called “User” with a password of “password”.
After the W8 initiation phase ended, I was presented with the new “tile”
interface, which is much more akin to the iPhone, iPad and Android metaphor.
Unfortunately, my Dell laptop did not enjoy a touch screen that would have
allowed me to take more advantage of the tiles. Even on this older machine,
the built-in track pad and other mouse controls all worked perfectly out of the
box, so I was able to proceed with installing various communication
applications.


      A. Connecting the Windows 8 laptop to web based accounts


On W8’s default new tile screen, there are three key tiles I began with:
“People”, “Messaging” and “Mail”. Within the “People” tab, I connected my
contacts to my Microsoft, Facebook, LinkedIn and Google accounts. Connecting to
these external accounts brought in a flurry of contact profile pictures, email
addresses, phone numbers, physical addresses, and, from LinkedIn, company
name, job title and website. Interestingly, my own record, “Me”, did not import
a profile picture from any of my online accounts, leaving a generic silhouette
tile. Perhaps Microsoft excludes LinkedIn, Gmail and Facebook from supplying my
local Windows 8 profile picture. I do not have a profile picture associated
with my Microsoft Live account, which might be the cause of the missing profile
picture.


Below is the end-user view under the Windows 8 “Mail” tile showing
      imported emails from my Google Gmail account:


            Inbox: 34
            Drafts: 0
            Sent items: 15
            Outbox: 0
            Junk: 0
            Deleted items: 22
            [Gmail] / All Mail: 34
            [Gmail] / Spam: 0
            [Gmail] / Starred: 2
            [Gmail] / FORENSIC: 1
            [Gmail] / Receipts: 0
            [Gmail] / Scarab: 2
            [Gmail] / Travel: 0



4. End User Installed Applications


      I installed the following four applications on the laptop:


      Programs recorded by the Control Panel:


      A. Adobe Flash Player 11 Plugin ver. 11.4.402.287
      B. Google Chrome ver. 23.0.1271.64
      C. Mozilla Firefox ver. 16.0.2 (x86 en-US)


      Programs listed under Windows 8’s “Store” tile:


      A. Tweetro (I did not link to any Twitter account)
      B. Xbox Live Games (using Microsoft account user name
      “larry_lieb@yahoo.com”)


      Using the Chrome browser, I logged into my Google account and
      installed “Gmail Offline” to see what effect this add-on would have.
      After installing “Gmail Offline”, the Chrome icon now appears in the
      system tray by default when viewing the Desktop.


I then logged in to a newly created Yahoo account, which I called
“larry.lieb@yahoo.com”. I sent and received several emails both to and from my
Yahoo/Gmail accounts. While logged into my Yahoo.com email account, I imported
contacts from my LinkedIn account. Now that I had created multiple sources of
email and instant message correspondence, I set about imaging the laptop.


      5. Forensic Imaging


I used Forward Discovery’s Raptor 2.5 (http://forwarddiscovery.com/Raptor),
installed to a USB flash drive from the Raptor 2.5 .ISO file using
Pendrivelinux.com’s free USB Linux tool. I changed the boot order to USB drive
first, which caused the laptop to boot the Raptor 2.5 operating system instead
of Windows 8.


Within Raptor 2.5, I used the Raptor Toolbox to first mount a previously wiped
and formatted external Toshiba hard drive, which was connected to the laptop
via a USB cable. The total imaging and image verification process took close
to eleven hours due to the slow USB connection. The internal Samsung hard drive
uses a ZIF (zero insertion force) connector, so although I may have been able
to achieve a faster imaging time using my Tableau ZIF to IDE tool
(http://www.tableau.com/index.php?pageid=products&model=TDA5-ZIF), I was loath
to tempt equipment failure, as Tableau states, “ZIF connectors are not very
robust and they are typically rated for only 20 insertion/removal cycles.” In
addition, the Tableau kit only comes factory direct with Toshiba and Hitachi
cables, which would not work with the Samsung drive.

6. Indexing


Using Passmark’s OSForensics ver. 1.2 Build 1003 (64 Bit) on my Digital
Intelligence µFred forensic station
(http://www.digitalintelligence.com/products/ufred/), I created an index of the
Windows 8 files contained within the EnCase evidence files created by Raptor
2.5. OSForensics was able to create an index of the entire contents in around
one hour.


      Under OSForensics’ “File Name Search” tab, I ran searches for
      common email file types. Out of 142,712 total items searched,
      OSForensics identified:


      A. 2,204 items using the search string “*.eml”
      B. 0 items using the search string “*.msg”
      C. 0 items using the search string “*.pst”
      D. 0 items using the search string “*.mbox”


Using OSForensics’ “Create Signature” tab, I was able to run and export a hash
value and file list report for the folder
“1:\Users\User\AppData\Local\Packages”.


7. .EML files


Using AccessData’s FTK Imager 3.1.1.8, I exported the contents of the folder
path
“Users\User\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Indexed\LiveComm\larry_lieb@yahoo.com”.


      I noticed that there are two interesting folders that might warrant
      different treatment for electronic discovery projects:


      A. Location of folder storing .EML files containing email
      communication:


      OSForensics found 264 .EML files under the “Mail” folder path:


“microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Indexed\LiveComm\larry_lieb@yahoo.com\120510-2203\Mail”


      B. Location of folder storing .EML files containing contacts:


      OSForensics found 1,939 .EML files under the “People” folder path:


“microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Indexed\LiveComm\larry_lieb@yahoo.com\120510-2203\People”


C. Location of folder storing my “User” .EML contact file:


OSForensics found 1 .EML file under the “microsoft.windowsphotos ... \People\Me”
folder path that contains my “User” profile:

“Users\User\AppData\Local\Packages\microsoft.windowsphotos_8wekyb3d8bbwe\LocalState\Indexed\LiveComm\larry_lieb@yahoo.com\120510-2203\People\Me”


Conclusion

In electronic discovery projects that utilize forensic imaging tools to capture
workstation hard drives, it is common for data filtering to be requested, such
as D-NIST’ing, file type, key word, date range and de-duplication. Oftentimes,
a file type “inclusion” list will be used to identify “user files” for further
processing, such as Microsoft Word, Excel, PowerPoint, Adobe PDF, and common
email file types such as .PST, .MSG, and .EML. Files found in the forensic
image(s) will be exported for further processing and review by attorneys.


One of the challenges attorneys face in electronic discovery is reasonably
keeping costs low by avoiding human review of obviously non-relevant files.
However, as Windows 8 appears to be storing contacts from LinkedIn, Gmail, and
other sources as .EML files, it is apparent that using file type filtering
inclusion lists with .EML as an “include” choice will bring in many
potentially non-relevant files.


If an attorney is billing at a rate of $200/hour, and can review fifty
documents per hour, then the 1,938 “contact” .EML files alone would require
38.78 hours of attorney review time at a cost to the client of $7,756.00.
Therefore, it may make sense for all parties to stipulate that .EML files from
the “People” folder be excluded from processing and review unless the hard
drive custodian’s contact list is potentially relevant to the underlying
matter.
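The path-based filter that the proposed stipulation describes, written out as an added Python example that is not part of this paper (it also covers the extension search and hash-and-file-list report of section 6). It assumes that the folder layout shown in section 7 is general: `LiveComm\<account>\<id>\Mail` holds messages, `LiveComm\<account>\<id>\People` holds contact cards, and `People\Me` holds the owner's own card. The account name, id folder and file contents in `build_sample_tree` are constructed, and the 50 documents/hour and $200/hour figures are the paper's.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

# Extensions searched for in section 6 ("File Name Search").
EMAIL_EXTENSIONS = {".eml", ".msg", ".pst", ".mbox"}

# Folder layout taken from the section 7 paths, assumed here to be general:
#   <Packages>\<app>_8wekyb3d8bbwe\LocalState\Indexed\LiveComm\<account>\<id>\<store>\...
# where <store> is "Mail" for messages and "People" for contact cards, and the
# owner's own record sits under People\Me.
STORE_OFFSET_AFTER_LIVECOMM = 3   # account, id, then the store folder


def sha256_of(path):
    """Hash one file in chunks (the per-file value of a signature report)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(parts):
    """Map a file's path components (relative to the Packages folder) to a
    review category: 'mail', 'contact', 'profile' (People\\Me) or 'other'."""
    if "LiveComm" not in parts:
        return "other"
    store_index = parts.index("LiveComm") + STORE_OFFSET_AFTER_LIVECOMM
    if store_index >= len(parts) - 1:     # need a store folder and a file name
        return "other"
    store = parts[store_index]
    if store == "Mail":
        return "mail"
    if store == "People":
        return "profile" if "Me" in parts[store_index + 1:-1] else "contact"
    return "other"


def inventory(packages_root):
    """Walk an exported Packages folder and record path, extension, category
    and SHA-256 for every file, the way a hash-and-file-list report would."""
    root = Path(packages_root)
    records = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).parts
        records.append({
            "path": "\\".join(rel),           # report in Windows notation
            "ext": path.suffix.lower(),
            "category": classify(rel),
            "sha256": sha256_of(path),
        })
    return records


def extension_search(records):
    """Per-extension counts, i.e. the '*.eml', '*.msg', ... searches."""
    return dict(Counter(r["ext"] for r in records if r["ext"] in EMAIL_EXTENSIONS))


def category_counts(records):
    """How many files fall into each review category."""
    return dict(Counter(r["category"] for r in records))


def review_set(records, exclude_contacts=True):
    """The .EML files sent to attorney review. With exclude_contacts, the
    People-folder cards are dropped, as the proposed stipulation would do."""
    keep = {"mail"} if exclude_contacts else {"mail", "contact", "profile"}
    return [r for r in records if r["ext"] == ".eml" and r["category"] in keep]


def review_cost(n_docs, docs_per_hour=50, rate_per_hour=200.0):
    """Hours and dollars at the paper's 50 docs/hour and $200/hour figures."""
    hours = n_docs / docs_per_hour
    return round(hours, 2), round(hours * rate_per_hour, 2)


def build_sample_tree():
    """Constructed fixture imitating the exported folder; not real evidence.
    The account name, id folder and file contents are made up."""
    base = Path(tempfile.mkdtemp())
    live = Path("LocalState", "Indexed", "LiveComm", "account@example.com", "120510-2203")
    comm = base / "microsoft.windowscommunicationsapps_8wekyb3d8bbwe" / live
    photos = base / "microsoft.windowsphotos_8wekyb3d8bbwe" / live
    files = {
        comm / "Mail" / "inbox" / "msg1.eml": b"From: a@example.com\r\nSubject: contract\r\n\r\nbody\r\n",
        comm / "Mail" / "inbox" / "msg2.eml": b"From: b@example.com\r\nSubject: invoice\r\n\r\nbody\r\n",
        comm / "People" / "card1.eml": b"constructed contact card 1",
        comm / "People" / "card2.eml": b"constructed contact card 2",
        comm / "People" / "card3.eml": b"constructed contact card 3",
        photos / "People" / "Me" / "me.eml": b"constructed owner profile card",
        base / "microsoft.windowscommunicationsapps_8wekyb3d8bbwe" / "LocalState" / "settings.dat": b"not an email",
    }
    for path, data in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return base


if __name__ == "__main__":
    recs = inventory(build_sample_tree())
    print(extension_search(recs), category_counts(recs))
    print(len(review_set(recs)), "of", len(review_set(recs, exclude_contacts=False)),
          ".EML files kept for review; 1,939 contact cards would cost", review_cost(1939))
```

Run against a real export, `inventory` is pointed at the exported `Packages` folder and the report it returns lists every file with its hash, so the excluded People-folder cards remain accounted for even though `review_set` leaves them out of the attorney review batch.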


In some cases, litigants do not or cannot pay for outside vendor electronic
discovery processing fees and will direct their counsel to simply produce
their electronically stored information. I advise against this practice, as
the potential for producing privileged or protected information exists with
this approach. A requesting party may also object to the costs de facto shifted
to them with this approach. Nonetheless, best practices and economic reality do
not always mesh. Parties that wish to take this “no attorney review prior to
production” approach with evidence gathered from Windows 8 machines may risk
over-producing the “contact” .EML files to their opponent and should consider
the risks associated with not allowing a professional to apply filters to
their collection upfront.


Companies that are planning on purchasing and implementing Windows 8
workstations may want to consider altering their IT policies to prevent
employees from linking to personal Gmail, LinkedIn and other web-based
identities, so that personal communication is not stored locally. I am
uncertain whether such an option is available within the administrative
portion of the Windows 8 operating system, or whether employee handbooks and
training alone might be enough to stop employees from bringing their home to
work.


From the standpoint of ease of a trade secrets type computer forensic
investigation, having a suspected former employee’s Gmail communication
locally and readily available is excellent; certainly this ease of access is
preferable to sending a subpoena to Google to retrieve similar information.
However, from this author’s personal experience, general commercial litigation
type cases vastly outnumber cases involving traditional computer forensic
issues. Perhaps companies that take steps to proactively prevent Windows 8
machines in the corporate environment from caching their employees’ personal
communication locally may experience significantly lower discovery costs in
the long run.


      Acknowledgments
      1. David Knutson and Tim Doris of Duff & Phelps for their sage
          opinions on Linux live CD versus ZIF connector to a hardware
          write-protection device acquisition approaches.
      2. Patrick Murphy and Raechel Marshall of Quarles & Brady for
          their insight into document production risks.


 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

Windows 8. Important Considerations for Computer Forensics and Electronic Discovery

© 2012 Scarab Acquisition LLC

Introduction

Documents identified by computer forensic investigations in civil litigation typically require review and analysis by attorneys to determine if the uncovered evidence could support causes of action such as breach of contract, breach of fiduciary duty, misappropriation of trade secrets, tortious interference, or unfair competition. In addition, bit-for-bit forensic imaging of workstations is commonly used as an efficient method to quickly gather evidence for further disposition in general commercial litigation matters. For example, instead of relying upon individual custodians to self-select and copy their own files, forensic images of workstations can be accurately filtered down to exclude system files, which only a computer can understand, and to identify the files which humans actually use, such as Microsoft Word, Excel, PowerPoint and Adobe PDF files and email. In any of the above situations, be it a trade secrets type matter or a general commercial litigation case, litigants are always highly sensitive to the potential costs associated with attorney review.

Now that Microsoft Windows 8 workstations are available for sale and will likely be purchased for use by corporate buyers, civil cases involving the identification and analysis of emails from such machines are a certainty. Recently, excellent computer forensic research on Windows 8 performed by Josh Brunty, Assistant Professor of Digital Forensics at Marshall University, revealed that “In addition to Web cache and cookies, user contacts synced from various social media accounts such as Twitter, Facebook, and even e-mail clients such as MS Hotmail are cached with the (sic Windows 8) operating system” (source: http://www.dfinews.com/article/microsoft-windows-8-forensic-first-look?page=0,3).

Building on Professor Brunty’s scholarship, I set out to determine the extent to which, and in what file formats, email communications exist on a Windows 8 machine. A further goal was to identify any potential issues in processing locally stored communications for attorney review in the discovery phase of civil litigation. As you will see, the format in which Windows 8 stores email locally does in fact present potentially significant challenges to cost-effective discovery in both trade secret type matters and general commercial litigation cases. Fear not: my conclusion offers some potential solutions as well as other important considerations.
Testing

My testing was performed on the Release Preview version of Windows 8, so I will be upgrading the subject workstation to the current retail version, re-running my tests and reporting the results in a later publication.

1. Subject Workstation (“Laptop”)

• Manufacturer: Dell Latitude D430
• Specifications: Intel Core 2 CPU U7600 @ 1.20GHz / 2.00GB installed RAM
• OS: Windows 8 Release Preview / Product ID: 00137-11009-99904-AA587
• Hard drive: SAMSUNG HS122JC ATA Device / Capacity 114,472 MB

2. Windows 8 Installation

The Dell laptop originally came with Windows XP Professional installed, but I replaced XP with Windows 8 Release Preview (“W8”) using an installation DVD burned from the W8 .ISO file provided by Microsoft’s website.

3. Windows 8 Preparation

I created a single user account called “User” with a password of “password”. After the W8 initiation phase ended, I was presented with the new “tile” interface, which is much more akin to the iPhone, iPad and Android metaphor. Unfortunately, my Dell laptop did not enjoy a touch screen that would have allowed me to take more advantage of the tiles. Even on this older machine, the built-in track pad and other mouse controls all worked perfectly out of the box, so I was able to proceed with installing various communication applications.

A. Connecting the Windows 8 laptop to web based accounts

On W8’s default new tile screen, there are three key tiles I began with: “People”, “Messaging” and “Mail”. Within the “People” tab, I connected my contacts to my Microsoft, Facebook, LinkedIn and Google accounts. Connecting to these external accounts brought in a flurry of contact profile pictures, email addresses, phone numbers and physical addresses, plus company name, job title and website from LinkedIn. Interestingly, my own record, “Me”, did not import a profile picture from any of my online accounts, leaving a generic silhouette tile. Perhaps LinkedIn, Gmail and Facebook are excluded by Microsoft from supplying my local Windows 8 profile picture. I do not have a profile picture associated with my Microsoft Live account, which might be the cause of the missing profile picture.

Below is the end-user view under the Windows 8 “Mail” tile showing imported emails from my Google Gmail account:

• Inbox: 34
• Drafts: 0
• Sent items: 15
• Outbox: 0
• Junk: 0
• Deleted items: 22
• [Gmail] / All Mail: 34
• [Gmail] / Spam: 0
• [Gmail] / Starred: 2
• [Gmail] / FORENSIC: 1
• [Gmail] / Receipts: 0
• [Gmail] / Scarab: 2
• [Gmail] / Travel: 0
4. End User Installed Applications

I installed the following four applications on the laptop.

Programs recorded by the Control Panel:

A. Adobe Flash Player 11 Plugin ver. 11.4.402.287
B. Google Chrome ver. 23.0.1271.64
C. Mozilla Firefox ver. 16.0.2 (x86 en-US)

Programs listed under Windows 8’s “Store” tile:

A. Tweetro (I did not link to any Twitter account)
B. Xbox Live Games (using Microsoft account user name “larry_lieb@yahoo.com”)

Using the Chrome browser, I logged into my Google account and installed “Gmail Offline” to see what effect this add-on would have. After installing “Gmail Offline”, the Chrome icon now appears in the system tray by default when viewing the Desktop. I then logged in to a newly created Yahoo account, which I called “larry.lieb@yahoo.com”. I sent and received several emails both to and from my Yahoo/Gmail accounts. While logged into my Yahoo.com email account, I imported contacts from my LinkedIn account. Now that I had created multiple sources of email and instant message correspondence, I set about imaging the laptop.

5. Forensic Imaging

I used Forward Discovery’s Raptor 2.5 (http://forwarddiscovery.com/Raptor), installed to a USB flash drive from the Raptor 2.5 .ISO file using Pendrivelinux.com’s free USB Linux tool. I changed the boot order to USB drive first, which caused the laptop to boot the Raptor 2.5 operating system instead of Windows 8. Within Raptor 2.5, I used the Raptor Toolbox to first mount a previously wiped and formatted external Toshiba hard drive, which was connected to the laptop via a USB cable. The total imaging and image verification process took close to eleven hours due to the slow USB connection. The internal Samsung hard drive uses a ZIF (zero insertion force) connector, so although I may have been able to achieve a faster imaging time using my Tableau ZIF to IDE tool (http://www.tableau.com/index.php?pageid=products&model=TDA5-ZIF), I was loath to tempt equipment failure, as Tableau states, “ZIF connectors are not very robust and they are typically rated for only 20 insertion/removal cycles.” In addition, the Tableau kit only comes factory direct with Toshiba and Hitachi cables, which would not work with the Samsung drive.
6. Indexing

Using Passmark’s OSForensics ver. 1.2 Build 1003 (64 Bit) on my Digital Intelligence µFred forensic station (http://www.digitalintelligence.com/products/ufred/), I created an index of the Windows 8 files contained within the EnCase evidence files created by Raptor 2.5. OSForensics was able to create an index of the entire contents in around one hour. Under OSForensics’ “File Name Search” tab, I ran searches for common email file types. Out of 142,712 total items searched, OSForensics identified:

A. 2,204 items using the search string “*.eml”
B. 0 items using the search string “*.msg”
C. 0 items using the search string “*.pst”
D. 0 items using the search string “*.mbox”

Using OSForensics’ “Create Signature” tab, I was able to run and export a hash value and file list report for the folder “1:\Users\User\AppData\Local\Packages”.

7. .EML files

Using AccessData’s FTK Imager 3.1.1.8, I exported the contents of the folder path “Users\User\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Indexed\LiveComm\larry_lieb@yahoo.com”. I noticed that there are two interesting folders that might warrant different treatment for electronic discovery projects:

A. Location of folder storing .EML files containing email communication: OSForensics found 264 .EML files under the “Mail” folder path “microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Indexed\LiveComm\larry_lieb@yahoo.com\120510-2203\Mail”.

B. Location of folder storing .EML files containing contacts: OSForensics found 1,939 .EML files under the “People” folder path “microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Indexed\LiveComm\larry_lieb@yahoo.com\120510-2203\People”.

C. Location of folder storing my “User” .EML contact file: OSForensics found one .EML file under the “microsoft.windowsphotos …\People\Me” folder path that contains my “User” profile: “Users\User\AppData\Local\Packages\microsoft.windowsphotos_8wekyb3d8bbwe\LocalState\Indexed\LiveComm\larry_lieb@yahoo.com\120510-2203\People\Me”.
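As an added example (not code from the article, nor from OSForensics or FTK Imager), the following Python classifies exported .EML paths by the Mail and People folders described in 7A to 7C, applies the inclusion filter the conclusion argues for, and carries through its review-hours arithmetic; the account name, sync folder id and file names in the sample paths are constructed placeholders, and the package folder names are those reported above.

```python
"""Separate Windows 8 message .EML files from contact .EML files by folder
and size the resulting attorney review set.

Added example, not code from the article or from any tool it names. It
relies only on the layout the article reports: beneath
<package>\LocalState\Indexed\LiveComm\<account>\<sync id>\, messages sit in
"Mail" and contact records in "People" (including People\Me in the
windowsphotos package). Account, sync id and file names are placeholders.
"""
from collections import Counter
from pathlib import PureWindowsPath

LIVECOMM = "livecomm"


def classify_eml(path: str) -> str:
    """Return "mail", "contact" or "other" for one exported file path."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".eml":
        return "other"
    parts = [s.lower() for s in p.parts]
    if LIVECOMM not in parts:
        return "other"  # an .eml saved elsewhere, e.g. under Documents
    # Only folders below LiveComm decide, so a user or package named
    # "Mail" higher up the tree cannot cause a false match.
    below = parts[parts.index(LIVECOMM) + 1:]
    if "people" in below:
        return "contact"
    if "mail" in below:
        return "mail"
    return "other"


def summarize(paths):
    """Count files per category (a Counter reads missing keys as 0)."""
    return Counter(classify_eml(p) for p in paths)


def filter_for_review(paths, include_contacts=False):
    """The inclusion filter the article proposes: keep message .EML files
    and drop People-folder contact records unless the custodian's contact
    list is itself at issue."""
    wanted = {"mail", "contact"} if include_contacts else {"mail"}
    return [p for p in paths if classify_eml(p) in wanted]


def review_cost(doc_count, docs_per_hour=50, hourly_rate=200.0):
    """Hours and fee for a review set, using the article's assumptions of
    fifty documents per hour at $200/hour."""
    hours = doc_count / docs_per_hour
    return round(hours, 2), round(hours * hourly_rate, 2)


# Constructed sample paths following the folder layout from the article.
_PKG = r"Users\User\AppData\Local\Packages"
_TAIL = r"\LocalState\Indexed\LiveComm\account@example.com\000000-0000"
_COMMS = _PKG + r"\microsoft.windowscommunicationsapps_8wekyb3d8bbwe" + _TAIL
_PHOTOS = _PKG + r"\microsoft.windowsphotos_8wekyb3d8bbwe" + _TAIL
SAMPLE_PATHS = [
    _COMMS + r"\Mail\message-0001.eml",
    _COMMS + r"\Mail\message-0002.eml",
    _COMMS + r"\People\contact-0001.eml",
    _COMMS + r"\People\contact-0002.eml",
    _PHOTOS + r"\People\Me\me.eml",
    _PKG + r"\somepackage\LocalState\cache.dat",  # not an .eml at all
    r"Users\User\Documents\saved-message.eml",  # .eml outside LiveComm
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_PATHS)))    # {'mail': 2, 'contact': 3, 'other': 2}
    print(filter_for_review(SAMPLE_PATHS))  # the two Mail paths only
    print(review_cost(1938))                # (38.76, 7752.0) for the contact set
```

Carried through exactly, 1,938 files at fifty per hour is 38.76 hours ($7,752), marginally below the rounded figures quoted in the conclusion.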
Conclusion

In electronic discovery projects that utilize forensic imaging tools to capture workstation hard drives, it is common for data filtering to be requested, such as de-NISTing, file type, key word, date range and de-duplication. Oftentimes, a file type “inclusion” list will be used to identify “user files” for further processing, such as Microsoft Word, Excel, PowerPoint, Adobe PDF, and common email file types such as .PST, .MSG, and .EML. Files found in the forensic image(s) will be exported for further processing and review by attorneys. One of the challenges attorneys face in electronic discovery is reasonably keeping costs low by avoiding human review of obviously non-relevant files. However, as Windows 8 appears to be storing contacts from LinkedIn, Gmail, and other sources as .EML files, it is apparent that using file type filtering inclusion lists with .EML as an “include” choice will bring in many potentially non-relevant files. If an attorney is billing at a rate of $200/hour and can review fifty documents per hour, then the 1,938 “contact” .EML files alone would require 38.78 hours of attorney review time at a cost to the client of $7,756.00. Therefore, it may make sense for all parties to stipulate that .EML files from the “People” folder be excluded from processing and review unless the hard drive custodian’s contact list is potentially relevant to the underlying matter.

In some cases, litigants do not or cannot pay for outside vendor electronic discovery processing fees and will direct their counsel to simply produce their electronically stored information. I advise against this practice as the potential for producing privileged or protected information exists with this approach. A requesting party may also object to the costs de facto shifted to them with this approach. Nonetheless, best practices and economic reality do not always mesh. Parties that wish to take this “no attorney review prior to production” approach with evidence gathered from Windows 8 machines may risk over-producing the “contact” .EML files to their opponent and should consider the risks associated with not allowing a professional to apply filters to their collection up front.

Companies that are planning on purchasing and implementing Windows 8 workstations may want to consider altering their IT policies to prevent employees from linking to personal Gmail, LinkedIn and other web based identities, so that personal communication is not stored locally. I am uncertain if such an option is available within the administrative portion of the Windows 8 operating system, or if employee handbooks and training alone might be available to stop employees from bringing their home to work. From an ease of trade secrets type computer forensic investigation standpoint, having a suspected former employee’s Gmail communication locally and readily available is excellent; certainly this ease of access is preferable to sending a subpoena to Google to retrieve similar information. However, from this author’s personal experience, general commercial litigation cases vastly outnumber cases involving traditional computer forensic issues. Perhaps companies who take steps to proactively prevent Windows 8 machines in the corporate environment from caching their employees’ personal communication locally may experience significantly less expensive discovery costs in the long run.

Acknowledgments

1. David Knutson and Tim Doris of Duff & Phelps for their sage opinions on Linux live CD versus ZIF connector to a hardware write-protection device acquisition approaches.
2. Patrick Murphy and Raechel Marshall of Quarles & Brady for their insight into document production risks.