martes, 3 de noviembre de 2015

Windows 8 Touch Keyboard Forensics

Microsoft released Windows 8 in 2012. With this new version, Microsoft made a fundamental shift in Windows 8 as compare to older versions of Windows. It does not only target netbooks, laptops and traditional computers, instead they decided to use the same technology in Windows 8 tablets. This is why Windows 8 operating system is far more touch screen oriented for use on tablets as well as traditional PCs.
According to Microsoft, In Windows 8, a Windows pointer device refers to devices that support the pen, or touch, functionality. In the context of a Windows Pointer Device, a pen is a single contact point active stylus input, also known as tablet-pen that supports hovering. Touch functionality refers to a single finger contact point or two or more concurrent finger contacts.’ Windows pointer devices use HID (Human Interface Device) protocol to communicate with Windows operating system. Below snapshot shows the interface of the touch keyboard.
Image1-UI
Fig 1-1

Why Touch Keyboard Forensics?

Number of touch screen devices is increasing exponentially. According to a report from DisplayBank, shipments of touch screen equipped notebooks increased by 51.8% in Q1 2013 to 4.57 million units. Looking at the trend, it is quite obvious to expect more touch screen enabled laptops, PCs, and tablets in forensic labs for examination. Though the basic file structure remains same in Windows 8 as compare to its predecessors, but the huge difference in user interface and addition of new features and metro apps have introduced greater use of touch technology in the form of virtual keyboard and other touch enabled apps. Touch keyboard allows users to enter data on handwriting touch panel. This data is stored in ISF format containing details of user’s input, number of strokes etc. To understand it better, we can create an analogy between ISF file and a piece of paper note found while conducting a search for evidence. This might add another piece to the puzzle in investigation or turn out to be an important clue for handwriting analyst team. Thus, touch analysis deserves consideration in the field of forensics.

ISFViewer

In Windows, the InkStore folder, located at C:\Users\(username)\AppData\Local\Microsoft\InputPersonalization, contains ISF Files. ISF stands for Input Serialized Format. It is a Microsoft standard format to store written ink information. This format is specially used to store data entered using stylus in devices like mobile phones, tablet PCs, touch screen laptops, personal digital assistants.
According to Wikipedia “An ink object is simply a sequence of strokes, where each stroke is a sequence of points, and the points are X, and Y coordinates. Many of the new mobile devices can also provide information such as pressure, and angle. In addition can be used to store custom information along with the ink data.
ISFViewer is written in C# and available at https://github.com/cybercuffs/ISFViewer. It takes a single ISF file or a folder with multiple ISF files as two different input options and converts them into GIF image format. The .gif file can later be viewed with Windows Photo Viewer or any other image viewer.
Img3-ISFViewer
Fig 1-2
Following screenshot depicts the output of the ISFViewer

Image4-Converted

Fig 1-3

Registry Artifacts

One can use the MS device manager in order to disable/enable the touch screen functionality. Fig 1-4 shows the device manager view of Windows 8 and 8.1. Note that in Windows 8, Microsoft labels all the devices as HID – Compliant Device that makes it a hit and try effort to turn the touch screen on/off. On the other hand Windows 8.1, adds the device name like ‘touch screen’ in front of HID – compliant device.
Image5-DM
Fig 1-4
Now look at the Fig 1-5 to see how the  two registry entries IsTabletPC and DeviceKind is changed.
Image6-Registry
Fig 1-5

References



Fuente: http://articles.forensicfocus.com/2015/09/04/windows-8-touch-forensics/

No hay comentarios:

Publicar un comentario