FORENSIC INSIGHT SEMINAR
Windows 8 Forensics
dorumugs
http://malware.co.kr
And yet it does move

Overview
1. Windows 8 User Interface
2. Windows 8 Artifacts
3. Windows 8 Registry
4. Windows 8 ETC
forensicinsight.org Page 2 / 83

Windows 8 User Interface

Windows 8 User Interface - Logon
There are three ways to log in:
- the conventional ID / password method
- drawing a picture (picture password)
- entering a PIN

Windows 8 User Interface - Lock Screen
The lock screen shows notifications from the Calendar, Facebook and other apps.

Windows 8 User Interface - Start Menu
Maps, Internet Explorer 10, Weather, People, Messaging and other apps are preinstalled.
Programs are installed and removed through the Windows Store.

Windows 8 User Interface - Start Menu Charms
The Charms bar gives direct access to Search, Share, Start, Devices and Settings.

Windows 8 User Interface - PC Settings
In the Consumer Preview only some of the settings can be reached.
Refresh your PC without affecting your files:
- the user's files and personalised settings are left unchanged
- PC settings return to their defaults
- apps installed from the Windows Store are kept
- anything installed by a route other than the Windows Store is removed
- the list of removed apps is saved to the Desktop
Reset your PC and start over:
- all of the user's files and apps are deleted
- the PC returns to its factory settings

Windows 8 User Interface - PC Settings

Windows 8 User Interface - Task Manager

Windows 8 User Interface - Windows Store
Applications can be installed and removed through the Windows Store.
Applications can also be installed and removed without going through the Windows Store.

Windows 8 User Interface - Messaging
Conversations are carried over a Windows Live account.
Gtalk, Facebook and similar services can be linked and used from it.

Windows 8 User Interface - Weather
A weather application. It determines the location by GPS.

Windows 8 User Interface - BSD (Blue Screen of Death)
Made more user-friendly: an emoticon was added and the technical jargon removed.

Windows 8 User Interface - Windows Desktop
There is no Start button (the Developer Preview still had one).
Moving the mouse to the lower-left corner brings up Metro Start.

Windows 8 User Interface - Windows Desktop
Moving the mouse upward from Metro Start shows the apps currently running.

Windows 8 User Interface - Windows Explorer
Explorer has moved to the tab (ribbon) style Microsoft now uses; it looks much like MS Office.
Windows 8 Artifacts
- Local Folder
- Metro Apps
- IE10 Websites Visited
- Journal Notes
- Desktop Tools
- Metro App Web Cache
- Metro App Cookie
- Cache
- Cookies
- Microsoft Folder
- Digital Certificates
- What's New
- User's Contacts
- App Settings

Windows 8 Artifacts - Local Folder
The AppData\Local folder is used by the system and by applications.
On XP the folder "Documents and Settings\%UserName%\Local Settings\Application Data" played the role of AppData\Local.
AppData\Local holds the Temporary Internet Files, the Internet History and the many other files Windows 8 leaves behind.

Windows 8 Artifacts - Local Folder
Base path: %SystemRoot%\Users\%user%\AppData\Local\

Metro Apps
  Path    : Microsoft\Windows\Application\Shortcuts
  Purpose : identify the apps shown in the Metro interface
IE 10 Web Visited
  Path    : %SystemRoot%\Users\%User%\AppData\Local\Microsoft\Windows\Webcache\webcachev24.dat
  Purpose : history of websites visited with IE 10
IE 10 Web Session
  Path    : Microsoft\InternetExplorer\Recovery\Immersive\Active and Microsoft\InternetExplorer\Recovery\Immersive\LastActive
  Purpose : websites visited with IE 10, and the location used when the browser recovers a session
Taskbar Apps
  Path    : Microsoft\Windows\Caches
  Purpose : identify the apps pinned to the Desktop taskbar
Journal Notes
  Path    : Microsoft\Journal\Cache\msnb.dat
  Purpose : history and paths of the Journal Notes the user created
User-Added IE 10 Favorites
  Path    : Microsoft\Windows\RoamingTiles
  Purpose : websites the user pinned as favorites

Windows 8 Artifacts - Local Folder
Temporary Internet Files
  Path    : Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
  Purpose : temporary internet files
Protected Mode Temporary Internet Files
  Path    : Microsoft\Windows\Temporary Internet Files\Virtualized\%Local Disk%\Users\%user%\Appdata
  Purpose : temporary internet files written while IE runs in Protected Mode
Desktop
  Path    : Microsoft\Windows\WinX
  Purpose : link files such as Device Manager, Command Prompt and Run
Windows Sidebar Weather App
  Path    : Microsoft\Windows\Windows Sidebar\Cache\168522d5-1082-4df2-b2f6-9185c31f9472
  Purpose : location addresses and similar data stored as XML
Metro App Web Cache
  Path    : Packages\%MetroAppName%\AC\INetcache
  Purpose : web cache used by Metro apps
Metro App Cookies
  Path    : Packages\%MetroAppName%\AC\Inetcookies
  Purpose : cookie files used by Metro apps, stored as text
Metro App Web History
  Path    : Packages\%MetroAppName%\AC\INethistory
  Purpose : web history of Metro apps
Metro Settings
  Path    : Packages\%MetroAppName%\AC\Localstate
  Purpose : settings used by Metro apps, stored in plain text

Windows 8 Artifacts - Local Folder - Metro Apps
The link files of the apps visible in the Metro interface can be examined here.

Windows 8 Artifacts - Local Folder - IE 10 Websites Visited
%SystemRoot%\Users\Kayser\AppData\Local\Microsoft\Windows\WebCache\WebCachev24.dat

Windows 8 Artifacts - Local Folder - IE 10 Web Session
Unpacking the compound DAT file exposes the TL (Travel Log) entries.

Windows 8 Artifacts - Local Folder - Journal Notes
The DAT file stores the paths of the Journal Notes in plain text.

Windows 8 Artifacts - Local Folder - Journal Notes

Windows 8 Artifacts - Local Folder - IE 10 Pinned Favorites
File names are ten-digit integers; the favorites themselves are shown in plain text.

Windows 8 Artifacts - Local Folder - Desktop Tools
Comparable to Accessories and System Tools in the old Start Menu. Reached by right-clicking on the taskbar.
The tools fall into three groups, and every application in a group has its own link file.
Group 1: Desktop
Group 2: Run command, Search, Windows Explorer, Control Panel, Task Manager
Group 3: Command Prompt (Run as Administrator), Command Prompt, Computer Management, Disk Management, Device Manager, System, Event Viewer, Power Options, Network Connections, Programs and Features

Windows 8 Artifacts - Local Folder - Desktop Tools

Windows 8 Artifacts - Local Folder - Metro App Web Cache
Stores the cache of web content that apps fetched.

Windows 8 Artifacts - Local Folder - Metro App Cookies
Stores the cookies used by apps; they differ little from ordinary browser cookies.

Windows 8 Artifacts - Communications App
Provides forensically useful information about user activity: user actions can be reconstructed even when traces have been removed elsewhere on the system.
Stores Email, Chat, Facebook and other social-site information.
Web Cache: pictures viewed on Facebook can be recovered from the web cache.

Communication App Web Cache / Web Cookies
  Path    : %SystemRoot%\Users\%User%\AppData\Local\Packages\Microsoft.windowscommunicationsapps_8wekyb3d8bbwe\ac\inetcache
  Purpose : Facebook profile pictures of the user and pictures viewed on Facebook. Some of the cookie files hold Facebook messages that were not delivered while offline.

Communication App Cookies
  Path    : %SystemRoot%\Users\%User%\AppData\Local\Packages\Microsoft.windowscommunicationsapps_8wekyb3d8bbwe\ac\inetcookies
  Purpose : cookies used by the Communications App

Windows 8 Artifacts - Communications App - Web Cache

Windows 8 Artifacts - Communications App - Digital Certificate
Digital certificates are used to authenticate client and server when browsing the web, using email and so on.
Data is encrypted and decrypted with a private key / public key pair.
Information a digital certificate holds:
- the owner's public key
- the owner's name and address
- the expiration date
- the certificate serial number
- the issuing organization
- the digital signature of the issuing organization

Communication App Digital Certificates
  Path    : %SystemRoot%\Users\%User%\AppData\Local\Packages\Microsoft.windowscommunicationsapps_8wekyb3d8bbwe\ac\microsoft\cryptneturlcache\content
  Purpose : the certificates used by the Communications App

Windows 8 Artifacts - Communications App - Digital Certificate

Windows 8 Artifacts - Communications App - What's New
Contains email addresses, physical (home) addresses, mobile phone numbers and similar data.
Includes personal data drawn from Facebook, Email, Twitter and similar services.

User's What's New Updates
  Path    : %SystemRoot%\Users\%User%\AppData\Local\Packages\Microsoft.windowscommunicationsapps_8wekyb3d8bbwe\ac\microsoft\internet Explorer\DOMStore\%History-Folder%\microsoft[#].xml
  Purpose : data containing personal information such as email addresses, physical (home) addresses and mobile phone numbers

Windows 8 Artifacts - Communications App - What's New

Windows 8 Artifacts - Communications App - Email
Contains email addresses, physical (home) addresses, mobile phone numbers and similar data.
A Stream is stored for every email. The stream file name has the form
  12000001~9/a-f_##################.eml.OECustomProperty
and the email file name has the form
  12000001~9/a-f_##################.eml
For example, if the email is 1200012f_129755557158031487.eml, its stream is 1200012f_129755557158031487.eml.OECustomProperty.

Email
  Path    : %SystemRoot%\Users\%User%\AppData\Local\Packages\Microsoft.windowscommunicationsapps_8wekyb3d8bbwe\localstate\indexed\livecomm\dorumugs@live.co.kr\16.2\mail
  Purpose : data containing personal information such as email addresses, physical (home) addresses and mobile phone numbers

Windows 8 Artifacts - Communications App - Email - Stream

Windows 8 Artifacts - Communications App - Email

Windows 8 Artifacts - Communications App - User's Contact
When the Communications App is used to reach social media, pictures of the user and of the user's friends can be obtained.

User's Contacts from Communications App
  Path    : %SystemRoot%\Users\%User%\AppData\Local\Packages\Microsoft.windowscommunicationsapps_8wekyb3d8bbwe\localstate\livecomm\%user's WindowsLiveEmail Address%\%AppCurrentVersion%\DBStore\logfiles\edb####.log
  Purpose : gives the path where the pictures of the user and friends are stored
User Tile Associated With Contact
  Path    : %SystemRoot%\Users\%User%\AppData\Local\Packages\Microsoft.windowscommunicationsapps_8wekyb3d8bbwe\localstate\livecomm\%user's WindowsLiveEmail Address%\%AppCurrentVersion%\DBStore\usertiles
  Purpose : the pictures of the user and friends themselves

Windows 8 Artifacts - Communications App - User's Contact

Windows 8 Artifacts - Communications App - App Setting
The settings of the Communications App are kept in the compound file setting.dat.
setting.dat holds the Windows Live account and the Calendar, Chat, Email and People settings.

Communications App Settings
  Path    : %SystemRoot%\Users\%User%\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\settings\setting.dat
  Purpose : the configuration of the Communications App

Windows 8 Artifacts - Communications App - App Setting
Windows 8 Registry
- NTUSER.DAT
- SAM
- SYSTEM
- USB STORAGE DEVICES
- SOFTWARE

Windows 8 Registry - NTUSER.DAT
Records information about one specific user; a system with several users has several NTUSER.DAT files.
Records the files the user opened, the applications used, the websites visited, and more.
Located at %SystemRoot%\Users\%User%\NTUSER.DAT

Recent Docs                          : Windows\CurrentVersion\Explorer\RecentDocs
Recently Opened/Saved Files          : Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
Recently Opened/Saved Folders        : Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Last Visited Folder                  : Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy
Recently Used Apps (Non-Metro Apps)  : Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU

Windows 8 Registry - NTUSER.DAT
Recently Used Apps with Saved Files  : Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
Recently Run Items                   : Windows\CurrentVersion\Explorer\Policies\RunMRU
Computer Name & Volume S/N           : WindowsMedia\WMSDK\General
File Extension Associations          : Windows\CurrentVersion\Explorer\FileExts
Typed URLs                           : Internet Explorer\TypedURLs
Typed URL Time                       : Internet Explorer\TypedURLsTime

Windows 8 Registry - NTUSER.DAT - Typed URL Time
Software\Microsoft\Internet Explorer\TypedURLsTime\
  Stores, as a binary value, the time elapsed since 1601-01-01 00:00:00 GMT counted in 100-nanosecond units (Windows FILETIME).
Software\Microsoft\Internet Explorer\TypedURLs\
  Lists the typed URLs; the matching time for each entry is found under TypedURLsTime.

Windows 8 Registry - NTUSER.DAT - Typed URL Time
Software\Microsoft\Internet Explorer\TypedURLs\

Windows 8 Registry - NTUSER.DAT - Typed URL Time
Software\Microsoft\Internet Explorer\TypedURLsTime\

Windows 8 Registry - SAM
Holds information about user accounts (which domain / which path).
The user names stored in the SAM are used at logon and are referenced by their RID (Relative Identifier).
Located at %SystemRoot%\Windows\System32\Config\SAM

Last Logon           : Domains\Account\Users\%UserNumber%\F
Last Password Change : Domains\Account\Users\%UserNumber%\F
Account Expiration   : Domains\Account\Users\%UserNumber%\F
Last Failed Logon    : Domains\Account\Users\%UserNumber%\F
User's RID           : Domains\Account\Users\%UserNumber%\F
Internet User Name   : Domains\Account\Users\%UserNumber%\InternetUserName
User's First Name    : Domains\Account\Users\%UserNumber%\GivenName
User's Last Name     : Domains\Account\Users\%UserNumber%\Surname
User's Tile          : Domains\Account\Users\%UserNumber%\UserTile

Windows 8 Registry - SAM - User name
First Name : Domains\Account\Users\%UserNumber%\GivenName
Last Name  : Domains\Account\Users\%UserNumber%\Surname

Windows 8 Registry - SAM - F
Last Logon
  8-byte value at 0x8-15 / SAM\Domains\Account\Users\%UserNumber%\F
Last Password Change
  8-byte value at 0x24-31 / SAM\Domains\Account\Users\%UserNumber%\F
Account Expiration
  8-byte value at 0x32-39 / SAM\Domains\Account\Users\%UserNumber%\F
  When no expiration is set, no time can be read from it and the bytes appear as FF FF FF FF.
Last Failed Logon
  8-byte value at 0x40-47 / SAM\Domains\Account\Users\%UserNumber%\F
User's RID (Relative Identifier)
  2-byte value at 0x48-49 / SAM\Domains\Account\Users\%UserNumber%\F
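The TypedURLsTime values, ShutdownTime and the timestamps inside the SAM F value are all Windows FILETIMEs, and the F value is a fixed-offset record. The script below is an added example for this deck, not code from the slides: it decodes a FILETIME (handling the unset / "never" sentinels, including the FF FF ... pattern the slide mentions) and pulls the five fields out of an F value. The byte offsets follow the slide read as decimal byte ranges (8-15, 24-31, 32-39, 40-47, 48-49); the sample blob built by build_sample_f() is constructed, not taken from a real hive.

```python
"""Decode Windows FILETIME values and the fixed-offset fields of a SAM "F" value.

Added example, not code from the seminar slides. F-value offsets follow the
slides read as decimal byte ranges (8-15, 24-31, 32-39, 40-47, 48-49); the
sample blob from build_sample_f() is constructed, not taken from a real hive.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# FILETIME counts 100-ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Tick values that mean "not set" / "never": zero, INT64 max, and all-0xFF
# bytes (the slides show the last for an account expiration that is not set).
_UNSET_TICKS = (0, 0x7FFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF)


def filetime_to_datetime(raw: bytes) -> Optional[datetime]:
    """Convert 8 little-endian FILETIME bytes (as stored in TypedURLsTime,
    ShutdownTime or the SAM F value) to an aware UTC datetime.
    Returns None for the sentinel values that mean the time was never set."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes, got %d" % len(raw))
    ticks = struct.unpack("<Q", raw)[0]
    if ticks in _UNSET_TICKS:
        return None
    # datetime resolves to microseconds, so drop the sub-microsecond digit.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def parse_sam_f(f_value: bytes) -> dict:
    """Extract the timestamps and RID from SAM\\Domains\\Account\\Users\\%UserNumber%\\F."""
    if len(f_value) < 50:
        raise ValueError("F value too short: %d bytes" % len(f_value))
    return {
        "last_logon": filetime_to_datetime(f_value[8:16]),
        "last_password_change": filetime_to_datetime(f_value[24:32]),
        "account_expires": filetime_to_datetime(f_value[32:40]),
        "last_failed_logon": filetime_to_datetime(f_value[40:48]),
        # The slides read the RID as the two bytes at offsets 48-49 (little-endian).
        "rid": struct.unpack("<H", f_value[48:50])[0],
    }


def build_sample_f() -> bytes:
    """Constructed 80-byte F value: two real timestamps, an unset expiration,
    no failed logon recorded, RID 1001."""
    blob = bytearray(80)
    blob[8:16] = datetime_to_filetime(datetime(2012, 4, 20, 9, 30, tzinfo=timezone.utc))
    blob[24:32] = datetime_to_filetime(datetime(2012, 3, 1, 12, 0, tzinfo=timezone.utc))
    blob[32:40] = b"\xff" * 8   # expiration not set: shows as FF FF ... in a hex view
    blob[40:48] = b"\x00" * 8   # no failed logon recorded
    blob[48:50] = struct.pack("<H", 1001)
    return bytes(blob)


if __name__ == "__main__":
    for field, value in parse_sam_f(build_sample_f()).items():
        print("%-22s %s" % (field, value))
```

Run against a real hive, the bytes passed to parse_sam_f() would be the raw data of the F value exported from the SAM hive; the same filetime_to_datetime() call decodes the 8-byte entries of TypedURLsTime and the ShutdownTime value.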
Windows 8 Registry - SAM - F

Windows 8 Registry - SAM - User's Tile

Windows 8 Registry - SYSTEM
Holds the drive letters assigned to devices, the computer name, the time zone, the USB devices used on the system and similar data; the Control Set holds the settings used at boot.
%SystemRoot%\Windows\System32\config\System

Current Control Set            : Select\Current
Last Known Good Control Set    : Select\LastKnownGood
Mounted Devices                : MountedDevices
Files Excluded from Restore    : %CurrentControlSet%\Control\BackupRestore
Computer Name                  : %CurrentControlSet%\Control\ComputerName
TimeZone                       : %CurrentControlSet%\Control\TimeZoneInformation\TimezoneKeyName
Last Graceful Shutdown Time    : %CurrentControlSet%\Control\Windows\ShutdownTime
Printers                       : %CurrentControlSet%\Enum\SWM\PRINTENUM
Sensors & Location Devices     : %CurrentControlSet%\Enum\SWM\SensorsAndLocationEnum\HardWareID
USB Storage Devices            : %CurrentControlSet%\Enum\USBSTOR

Windows 8 Registry - SYSTEM
Current Control Set / Current : a value of 01 means the current control set is ControlSet001.

Windows 8 Registry - SYSTEM
LastKnownGood : the number of the control set that last booted successfully.

Windows 8 Registry - SYSTEM
Mounted Devices : stores the drive letters / one device per letter.

Windows 8 Registry - SYSTEM
Mounted Devices : stores the drive letters.

Windows 8 Registry - SYSTEM
Last Graceful Shutdown Time : time of the last clean shutdown (Windows FILETIME).

Windows 8 Registry - SYSTEM
Sensor and Location Devices : present since Windows 7; configures the use of location features obtainable over the Internet (e.g. GPS).

Windows 8 Registry - USB STORAGE DEVICES
USBSTOR gives the USB device's name, Vendor ID, Product ID, Revision Number and Serial Number.
  SYSTEM\CurrentControlSet\Enum\USBSTOR
FriendlyName gives the USB device's name.
  SYSTEM\%CurrentControlSet%\Enum\USBSTOR\Disk&Ven_General&Prod_USB_Flash_Disk&Rev_1100\%Unique Instance ID%&0\FriendlyName
Under the USB device's name, the Unique Instance ID and the Container ID can be read.
  SYSTEM\CurrentControlSet\Enum\USBSTOR\%USB Name%\%Unique Instance ID%\ContainerID

Windows 8 Registry - USB STORAGE DEVICES
DeviceContainers gives the GUID, VID and PID belonging to a Container ID.
  System\CurrentControlSet\Control\DeviceContainers\%ContainerID%\BaseContainers
  System\CurrentControlSet\Control\DeviceContainers\%ContainerID%\Properties
The USB's VID and PID lead to the time the device was plugged in.
  SYSTEM\%CurrentControlSet%\Enum\USB\%VID/PID%\%Unique Instance ID%\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\0000
LocationInformation gives the USB Hub and Port.
  SYSTEM\%CurrentControlSet%\Enum\USB\%VID/PID%\%Unique Instance ID%\LocationInformation
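The vendor, product and revision the two slides above describe are not stored as separate values: they are packed into the USBSTOR subkey name (Disk&Ven_General&Prod_USB_Flash_Disk&Rev_1100), and the serial number is the instance-key name minus its "&0" suffix. The script below is an added example for this deck, not code from the slides: it splits those key names into fields and collects FriendlyName and ContainerID for each instance. The registry subtree is a constructed dict standing in for SYSTEM\%CurrentControlSet%\Enum\USBSTOR with invented values. The rule that an instance ID whose second character is "&" was synthesised by Windows (the device reported no serial number) is general Windows Plug and Play behaviour, not something the slides state.

```python
"""Decompose USBSTOR key names into the fields the slides list.

Added example, not code from the seminar slides. SAMPLE_USBSTOR is a
constructed stand-in for SYSTEM\\%CurrentControlSet%\\Enum\\USBSTOR; the key
names follow the Disk&Ven_<vendor>&Prod_<product>&Rev_<revision> \\ <instance>&0
layout the slides show. The "second character is '&'" rule for
Windows-generated instance IDs is general PnP behaviour (assumption, not
from the slides).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# e.g. Disk&Ven_General&Prod_USB_Flash_Disk&Rev_1100
_DEVICE_KEY_RE = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$"
)


@dataclass
class UsbStorDevice:
    device_class: str
    vendor: str
    product: str
    revision: str
    instance_id: str
    serial: Optional[str]          # None when Windows generated the instance ID
    friendly_name: Optional[str]
    container_id: Optional[str]


def parse_device_key(name: str) -> Dict[str, str]:
    """Split a USBSTOR device key into class, vendor, product and revision."""
    m = _DEVICE_KEY_RE.match(name)
    if m is None:
        raise ValueError("not a USBSTOR device key: %r" % name)
    return m.groupdict()


def instance_serial(instance_key: str) -> Optional[str]:
    """Return the device serial number, or None if Windows generated the ID.

    A USBSTOR instance key is '<serial>&<port>' (the slides show '&0'). When a
    device reports no serial number Windows synthesises an ID such as
    '7&2a3e5f1&0', recognisable by the '&' in the second position."""
    if len(instance_key) > 1 and instance_key[1] == "&":
        return None
    serial, sep, _port = instance_key.rpartition("&")
    return serial if sep else instance_key


def enumerate_usbstor(usbstor: Dict[str, Dict[str, Dict[str, str]]]) -> List[UsbStorDevice]:
    """Walk {device_key: {instance_key: {value_name: data}}} and build one record per instance."""
    devices: List[UsbStorDevice] = []
    for device_key, instances in usbstor.items():
        fields = parse_device_key(device_key)
        for instance_key, values in instances.items():
            devices.append(UsbStorDevice(
                device_class=fields["cls"],
                vendor=fields["vendor"],
                product=fields["product"],
                revision=fields["revision"],
                instance_id=instance_key,
                serial=instance_serial(instance_key),
                friendly_name=values.get("FriendlyName"),
                container_id=values.get("ContainerID"),
            ))
    return devices


# Constructed sample subtree; all values are invented.
SAMPLE_USBSTOR = {
    "Disk&Ven_General&Prod_USB_Flash_Disk&Rev_1100": {
        "AA04012700007648&0": {
            "FriendlyName": "General USB Flash Disk USB Device",
            "ContainerID": "{00000000-0000-0000-0000-000000000001}",
        },
    },
    "Disk&Ven_Sample&Prod_No_Serial_Stick&Rev_0001": {
        "7&2a3e5f1&0": {   # Windows-generated: device reported no serial number
            "FriendlyName": "Sample No Serial Stick USB Device",
            "ContainerID": "{00000000-0000-0000-0000-000000000002}",
        },
    },
}

if __name__ == "__main__":
    for dev in enumerate_usbstor(SAMPLE_USBSTOR):
        print(dev)
```

The ContainerID of each record is the key to look up under Control\DeviceContainers as the slide describes, and the instance ID (with its "&0" suffix stripped) is what reappears under Enum\USB\%VID/PID% where the plug-in FILETIME and LocationInformation live.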
Windows 8 Registry - USB STORAGE DEVICES - USBSTOR

Windows 8 Registry - USB STORAGE DEVICES - FriendlyName

Windows 8 Registry - USB STORAGE DEVICES - Unique Instance ID / Container ID

Windows 8 Registry - USB STORAGE DEVICES - GUID / VID / PID

Windows 8 Registry - USB STORAGE DEVICES - USB Plugin Time (Windows FILETIME)

Windows 8 Registry - USB STORAGE DEVICES - Hub / Port

Windows 8 Registry - SOFTWARE
Information about the OS: version, install time, registered owner, last user to log on, members of a group, and more.
%SystemRoot%\Windows\System32\config\SOFTWARE

Current OS Build                : Microsoft\Windows NT\CurrentVersion\CurrentBuild
Current OS Version              : Microsoft\Windows NT\CurrentVersion\CurrentVersion
OS Edition                      : Microsoft\Windows NT\CurrentVersion\EditionID
OS Install Date                 : Microsoft\Windows NT\CurrentVersion\InstallDate
OS Install Location             : Microsoft\Windows NT\CurrentVersion\PathName
OS Product Name                 : Microsoft\Windows NT\CurrentVersion\ProductName
Registered Organization         : Microsoft\Windows NT\CurrentVersion\Registered
Registered Owner                : Microsoft\Windows NT\CurrentVersion\RegisteredOwner
Metro Apps Installed on System  : Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications

Windows 8 Registry - SOFTWARE
User Account Installed Metro Apps : Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\%SID%
Last Logged On User               : Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser
Last Logged On SAM User           : Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnSamUser
Last Logged On SID                : Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnSidUser
User Group Members                : Microsoft\Windows\CurrentVersion\HomeGroup\HME
File/Folder Sharing (by SID)      : Microsoft\Windows\CurrentVersion\HomeGroup\HME\SharingPreferences\%SID%
Applications That Run At Startup  : Microsoft\Windows\CurrentVersion\Run

Windows 8 ETC
- EVENT LOG
- Prefetch
- $Recycle.Bin

Windows 8 ETC - EVENT LOG
Uses the same EVTX internal structure as Windows 7 / Windows 2008.
%SystemRoot%\Windows\System32\winevt\Logs\System.evtx

Windows 8 ETC - EVENT LOG

Windows 8 ETC - Prefetch
A default Windows 8 installation has no Prefetch files.
Setting:
  %SystemRoot%\Windows\System32\config\SYSTEM\ControlSet001\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher
The key path is the same as on Windows 7, but the EnablePrefetcher value does not exist.
Even after creating the EnablePrefetcher value and rebooting, no Prefetch files are created.
Prefetch path:
  %SystemRoot%\Windows\Prefetch\

Windows 8 ETC - Prefetch

Windows 8 ETC - $Recycle.Bin
%SystemRoot%\$Recycle.Bin\%USER SID%\

Conclusion
Windows 8 reaches a wide range of information through the Windows Live ID: Windows logon, Email, Messaging and more.
The Communications App weakens the protection of personal information: if a user's system is compromised, not only the user's own personal data but also the data of everyone registered in the Calendar, the email addresses and the email contents can leak with it.
The file that stores the internet history has changed: the old Index.dat has been replaced by WebCacheV24.dat.
Prefetch creation: even when the Prefetch parameters are changed, no Prefetch files are created.

References
Download
http://windows.microsoft.com/en-us/windows-8/download?ocid=W_MSC_W8P_DevCenter_MetroApps_EN-US
References
http://grandstreamdreams.blogspot.com/2012/04/windows-8-linkage-passage-publicmetro.html
http://propellerheadforensics.files.wordpress.com/2012/04/thomson_windows-8-forensicguide.pdf

Questions & Answers