%0 Conference Proceedings %T A TOOL FOR EXTRACTING STATIC AND VOLATILE FORENSIC ARTIFACTS OF WINDOWS 8.x APPS %+ Indraprastha Institute of Information Technology [New Delhi] (IIIT-Delhi) %A Murtuza, Shariq %A Verma, Robin %A Govindaraj, Jayaprakash %A Gupta, Gaurav %Z Part 6: FORENSIC TOOLS %< peer-reviewed %( IFIP Advances in Information and Communication Technology %B 11th IFIP International Conference on Digital Forensics (DF) %C Orlando, FL, United States %Y Gilbert Peterson %Y Sujeet Shenoi %3 Advances in Digital Forensics XI %V AICT-462 %P 305-320 %8 2015-01-26 %D 2015 %R 10.1007/978-3-319-24123-4_18 %K Windows forensics %K Windows Metro apps %K forensic timelines %Z Computer Science [cs]Conference papers %X Microsoft Windows 8 introduced lightweight sandboxed applications called “apps” that provide a full range of functionality on top of touch-enabled displays. Apps offer a wide range of functionality, including media editing, file sharing, Internet surfing, cloud service usage, online social media activities and audio/video streaming for the Windows 8 and 8.1 operating systems. The use of these apps produces much more forensically-relevant information compared with conventional application programs. This chapter describes MetroExtractor, a tool that gathers static and volatile forensic artifacts produced by Windows apps. The volatile artifacts are extracted from the hibernation and swap files available on storage media. MetroExtractor creates a timeline of user activities and the associated data based on the collected artifacts. The tool appears to be the first implementation for extracting forensically-sound static and volatile Windows 8 app artifacts from a system hard disk. 
%G English %Z TC 11 %Z WG 11.9 %2 https://inria.hal.science/hal-01449065/document %2 https://inria.hal.science/hal-01449065/file/978-3-319-24123-4_18_Chapter.pdf %L hal-01449065 %U https://inria.hal.science/hal-01449065 %~ IFIP-LNCS %~ IFIP %~ IFIP-AICT %~ IFIP-TC %~ IFIP-WG %~ IFIP-TC11 %~ IFIP-DF %~ IFIP-WG11-9 %~ IFIP-AICT-462