Windows 10 was released on July 29, 2015. It has since become the most installed desktop operating system. More recently, Windows 11 was released to the general public on October 5, 2021, which served as an evolution of Windows 10. At the time of publication, there has not been a peer-reviewed, deep-dive comparison between the well-known artifacts in Windows 10 and what changes Windows 11 has brought. Artifacts come and go with each new version of Windows, requiring a comparative analysis between the most recent version, Windows 10, and the next version, Windows 11. Security features also come and go as threat models evolve. This Gold Paper aims to provide an exhaustive look into the differences between Windows 10 and 11 as they relate to common artifacts and security features, to provide actionable takeaways for digital forensic and incident response examiners and IT administrators alike.
My Review:
The Windows operating system dominates the global market share, with Windows 10 being the most widely installed version, and Windows 11 accounting for 8.45%. To aid digital forensic examiners in identifying the nuances between the two versions, this paper compares and contrasts the investigative artifacts and security features of Windows 10 and 11.
The experiment was conducted using the following version.
The experiment used VMware Workstation Pro, Kroll Artifact Parser and Extractor, Eric Zimmerman's tools, Beyond Compare, and NirSoft's RegistryChangesView.
Additional information regarding this experiment is available in the following GitHub repository: https://github.com/AndrewRathbun/SANSGoldPaperResearch_FOR500_Rathbun
The research discusses previously established forensic artifacts in Windows 10 and their existence in Windows 11. The artifacts analyzed in this section include LNK files/Jump Lists, $Recycle.Bin metadata files, Amcache, Registry hives, Windows Timeline, Prefetch, Event Logs, Shellbags, and the Windows Search Index. Independent research conducted for each artifact indicated that there were no forensically significant differences between Windows 10 and 11 in most cases, except for changes observed in the Registry hives and Event Logs. However, more granular research needs to be conducted to determine the significance of these changes. The paper also notes the presence of many SQLite databases in both versions and the existence of different files and folders between the two, as observed through a directory listing comparison provided in the GitHub repository.
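To make one of the artifacts above concrete, here is a parser for the $Recycle.Bin $I metadata records that the paper lists. This is an added example written for this review; it is not code from the Gold Paper or its GitHub repository. It follows the commonly documented $I layout (an 8-byte header version, the original file size, a FILETIME deletion timestamp, then the original path, stored as a fixed 260-character field in version 1 on Vista/7 and as a length-prefixed string in version 2 on Windows 10/11). The sample records, path and timestamp are constructed for the example; no real evidence is used.

```python
"""Parse $Recycle.Bin $I metadata records (added example; sample data is constructed)."""
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# The Vista/7 (version 1) layout stores the path in a fixed 260-character UTF-16LE field.
V1_NAME_FIELD_BYTES = 260 * 2


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME integer to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_i_file(data: bytes) -> dict:
    """Parse one $I record. Handles header version 1 (Vista/7) and version 2 (Windows 10/11)."""
    if len(data) < 24:
        raise ValueError("record too short for the 24-byte fixed header")
    version, original_size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        name_bytes = data[24:24 + V1_NAME_FIELD_BYTES]
    elif version == 2:
        if len(data) < 28:
            raise ValueError("version 2 record truncated before the name length")
        # Name length is a character count that includes the NUL terminator.
        (name_chars,) = struct.unpack_from("<I", data, 24)
        name_bytes = data[28:28 + name_chars * 2]
        if len(name_bytes) != name_chars * 2:
            raise ValueError("version 2 record truncated inside the file name")
    else:
        raise ValueError(f"unknown $I header version {version}")
    # The path is NUL-terminated; drop the terminator and any trailing padding.
    original_path = name_bytes.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": original_size,
        "deleted_utc": filetime_to_datetime(deleted_ft),
        "original_path": original_path,
    }


def build_i_file(version: int, original_size: int, deleted_ft: int, path: str) -> bytes:
    """Construct a synthetic $I record for testing (sample data, not a real artifact)."""
    header = struct.pack("<QQQ", version, original_size, deleted_ft)
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(V1_NAME_FIELD_BYTES, b"\x00")
    if version == 2:
        return header + struct.pack("<I", len(path) + 1) + encoded
    raise ValueError("unsupported version")


# Constructed sample: a document deleted on 2022-01-01 00:00:00 UTC (FILETIME value precomputed).
SAMPLE_FILETIME = 132854688000000000
SAMPLE_PATH = r"C:\Users\andrew\Documents\report.docx"
SAMPLE_V2 = build_i_file(2, 1234, SAMPLE_FILETIME, SAMPLE_PATH)
SAMPLE_V1 = build_i_file(1, 1234, SAMPLE_FILETIME, SAMPLE_PATH)

if __name__ == "__main__":
    for label, blob in (("v1", SAMPLE_V1), ("v2", SAMPLE_V2)):
        rec = parse_i_file(blob)
        print(label, rec["deleted_utc"].isoformat(), rec["original_size"], rec["original_path"])
```

When run against a real $Recycle.Bin\<SID>\$I...... file, the record gives the original path, size and deletion time of the corresponding $R file; the version check is what lets the same parser tell a pre-1607 record apart from a Windows 10/11 one.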
The paper also describes new security features in Windows 11, such as requiring TPM 2.0 for all new and upgraded devices, passwordless authentication using TPM 2.0, and support for WPA3, WPA Enterprise 192-bit Suite B, and Opportunistic Wireless Encryption (OWE) for Wi-Fi networks. These features aim to improve the security posture of Windows 11 devices and reduce the risk of compromise.
From a DFIR examiner's perspective, Windows 11 has minimal differences compared to previous versions, but new features may lead to potential new artifacts for forensic examination. With yearly updates planned for Windows 11, the DFIR community will need to continually revisit and validate existing artifacts while searching for new ones that may provide reliable evidence of user activity.