Nasa Quba & Kausar Khizra – Windows 8 File History Analysis
Bio
Nasa Quba is a forensic consultant and a blogger. She received her B.S. degree in Telecommunication Engineering and an M.S. in Digital Forensics from the University of Central Florida, Orlando. She spent more than 2 years working as a VoIP engineer at a telecom company. She is an AccessData Certified Examiner (ACE), AccessData Mobile Examiner (AME) and CompTIA Security+ certified. She conducted research on Windows 8 Touch Forensics, which studies various touch artifacts, and developed a tool to view handwriting ink data stored in ISF format. She has co-authored and published several forensic articles online, namely Man In The Middle Attack: Forensics, Windows 8 File History Analysis, and From iPhone to Access Point. She is a member of the Golden Key International Honour Society and The Honor Society of Phi Kappa Phi.
Kausar Khizra is a highly motivated computer forensic professional. She is an AccessData Certified Examiner (ACE), AccessData Mobile Examiner (AME) and Security+ certified. She currently works as a Computer Forensic Consultant at Kyrus Tech, Inc. She is also a member of the UCF Collegiate Cyber Defense Club and a blogger at Forensic Focus.
Abstract
File History is a new backup service introduced in Windows 8. This feature is based on the idea of tracing the USN journal to keep a record of older versions of files. The purpose of this research is to reinforce the importance of File History examination: analyzing its different artifacts and correlating them to connect the dots. It examines various artifacts of File History, including the registry, configuration files and event logs. The study also discusses an important aspect of File History, its caching feature, in detail: how it stores information and why it could be critical in an examination. Finally, the paper addresses several questions that might be raised in an investigation, for example the current state of the service, the external media or network storage used to save backup files, when the service last ran, the time limit (if any) for the backup files, the retention policy, etc.