A tool for extracting static and volatile forensic artifacts of Windows 8.x apps

S Murtuza, R Verma, J Govindaraj, G Gupta - Advances in Digital …, 2015 - Springer
Advances in Digital Forensics XI: 11th IFIP WG 11.9 International Conference …, 2015 - Springer
Abstract
Microsoft Windows 8 introduced lightweight sandboxed applications called “apps” that provide a full range of functionality on top of touch-enabled displays. Apps offer a wide range of functionality, including media editing, file sharing, Internet surfing, cloud service usage, online social media activities and audio/video streaming for the Windows 8 and 8.1 operating systems. The use of these apps produces much more forensically-relevant information compared with conventional application programs. This chapter describes MetroExtractor, a tool that gathers static and volatile forensic artifacts produced by Windows apps. The volatile artifacts are extracted from the hibernation and swap files available on storage media. MetroExtractor creates a timeline of user activities and the associated data based on the collected artifacts. The tool appears to be the first implementation for extracting forensically sound static and volatile Windows 8 app artifacts from a system hard disk.