Windows 8 Touch Keyboard Forensics

Microsoft released Windows 8 in 2012. With this version, Microsoft made a fundamental shift compared to older versions of Windows. It targets not only netbooks, laptops and traditional computers; Microsoft also decided to use the same technology in Windows 8 tablets. This is why the Windows 8 operating system is far more touch screen oriented, for use on tablets as well as traditional PCs.

According to Microsoft, ‘In Windows 8, a Windows pointer device refers to devices that support the pen, or touch, functionality. In the context of a Windows Pointer Device, a pen is a single contact point active stylus input, also known as tablet-pen that supports hovering. Touch functionality refers to a single finger contact point or two or more concurrent finger contacts.’ Windows pointer devices use the HID (Human Interface Device) protocol to communicate with the Windows operating system. The snapshot below shows the interface of the touch keyboard.

Fig 1-1

Why Touch Keyboard Forensics?

The number of touch screen devices is increasing exponentially. According to a report from DisplayBank, shipments of touch screen equipped notebooks increased by 51.8% in Q1 2013 to 4.57 million units. Given this trend, forensic labs can expect to see more touch screen enabled laptops, PCs, and tablets submitted for examination. Although the basic file structure in Windows 8 remains the same as in its predecessors, the very different user interface and the addition of new features and Metro apps have introduced greater use of touch technology, in the form of the virtual keyboard and other touch enabled apps. The touch keyboard allows users to enter data on a handwriting touch panel. This data is stored in ISF format and contains details of the user’s input, the number of strokes, etc. To understand it better, think of an ISF file as the equivalent of a paper note found while conducting a search for evidence. It might add another piece to the puzzle in an investigation or turn out to be an important clue for a handwriting analysis team. Thus, touch analysis deserves consideration in the field of forensics.


ISFViewer

In Windows, the InkStore folder, located at C:\Users\(username)\AppData\Local\Microsoft\InputPersonalization, contains ISF files. ISF stands for Input Serialized Format. It is a Microsoft standard format for storing written ink information. This format is used specifically to store data entered with a stylus on devices such as mobile phones, tablet PCs, touch screen laptops, and personal digital assistants.

According to Wikipedia, “An ink object is simply a sequence of strokes, where each stroke is a sequence of points, and the points are X, and Y coordinates. Many of the new mobile devices can also provide information such as pressure, and angle. In addition it can be used to store custom information along with the ink data.”

ISFViewer is written in C# and is available at https://github.com/cybercuffs/ISFViewer. It accepts either a single ISF file or a folder containing multiple ISF files as input and converts them into GIF image format. The .gif file can later be viewed with Windows Photo Viewer or any other image viewer.

Fig 1-2

The following screenshot depicts the output of ISFViewer.

Fig 1-3
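
A triage sketch for the InkStore location described above, added here as an example and not part of ISFViewer or the original article: it inventories every file in each profile's InkStore folder on a mounted evidence image, recording size, modification time and SHA-256 before any conversion is attempted. The `evidence_root` parameter, the function names, the reading of the path as InputPersonalization\InkStore, and the header check (a leading 0x00 tag followed by the payload size as a multi-byte integer) are assumptions that this page does not state.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# InkStore location named in the article, relative to each user profile.
INKSTORE_REL = Path("AppData/Local/Microsoft/InputPersonalization/InkStore")

def read_mbuint(data, pos):
    """Decode a 7-bit-per-byte unsigned int; high bit set means more bytes."""
    value = shift = 0
    while pos < len(data):
        byte = data[pos]
        value |= (byte & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not byte & 0x80:
            return value, pos
    raise ValueError("truncated multi-byte integer")

def isf_header_ok(data):
    """Assumed layout: tag byte 0x00, then the payload size as a multi-byte int."""
    try:
        size, pos = read_mbuint(data, 1)
    except ValueError:
        return False
    return data[:1] == b"\x00" and size == len(data) - pos

def inventory_inkstore(evidence_root):
    """One record per file found in any profile's InkStore folder."""
    records = []
    for profile in sorted(Path(evidence_root, "Users").iterdir()):
        store = profile / INKSTORE_REL
        files = sorted(p for p in store.rglob("*") if p.is_file()) if store.is_dir() else []
        for path in files:
            data = path.read_bytes()
            mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
            records.append({"user": profile.name, "file": path.name, "size": len(data),
                            "modified_utc": mtime.isoformat(),
                            "sha256": hashlib.sha256(data).hexdigest(),
                            "isf_header_ok": isf_header_ok(data)})
    return records

if __name__ == "__main__":
    # Constructed sample tree: one profile holding one 3-byte ISF-like stream.
    with tempfile.TemporaryDirectory() as root:
        store = Path(root, "Users", "alice") / INKSTORE_REL
        store.mkdir(parents=True)
        (store / "sample.isf").write_bytes(b"\x00\x01\x00")
        print(inventory_inkstore(root))
```

A file whose `isf_header_ok` is False is not necessarily irrelevant; the flag only marks files that do not match the assumed stream layout and deserve a manual look.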

Registry Artifacts

One can use the Microsoft Device Manager to disable or enable the touch screen functionality. Fig 1-4 shows the Device Manager view in Windows 8 and 8.1. Note that in Windows 8, Microsoft labels all the devices as HID – Compliant Device, which makes turning the touch screen on or off a matter of trial and error. Windows 8.1, on the other hand, adds a device name such as ‘touch screen’ in front of HID – compliant device.

Fig 1-4

Now look at Fig 1-5 to see how the two registry entries IsTabletPC and DeviceKind are changed.

Fig 1-5

References

  • Microsoft. (n.d.). Handwriting personalization on a Tablet PC. Retrieved October 16, 2013, from http://windows.microsoft.com/en-us/windows-vista/handwriting-personalization-on-a-tablet-pc
  • Microsoft. (n.d.). Ink.Load Method. Retrieved October 14, 2013, from Microsoft Developer Network: http://msdn.microsoft.com/En-us/Library/microsoft.ink.ink.load(v=vs.90).aspx
  • Microsoft. (2013, Oct 17). Input: Ink sample. Retrieved October 22, 2013, from Dev Center – Windows Store apps: http://code.msdn.microsoft.com/windowsapps/Ink-App-sample-61abaec3/sourcecode?fileId=52118&pathId=1927408783
  • Microsoft. (2013, Oct 12). Microsoft Developer Network. Retrieved October 2013, 2013, from Windows Touch Gesture Sample (MTGestures): http://msdn.microsoft.com/en-us/library/dd940544(v=vs.85).aspx
  • Microsoft. (2006, February). Using the Ink Explorer. Retrieved October 29, 2013, from Microsoft Developer Network: http://msdn.microsoft.com/en-us/library/aa480682.aspx
  • Rousset, D. (2013, March 22). noupe. Retrieved October 20, 2013, from IE10 and Beyond: Unifying Touch and Mouse Made Easy with Pointer Events: http://www.noupe.com/webdev/ie10-and-beyond-unifying-touch-and-mouse-made-easy-with-pointer-events-75564.html
  • Wikipedia. (2013, April 4). Ink Serialized Format. Retrieved October 14, 2013, from Wikipedia: http://en.wikipedia.org/wiki/Ink_Serialized_Format
