Difference between pages "Windows" and "Bibliography"

From ForensicsWiki

Page: Bibliography (Evidence Gathering: added Live RAM forensics article)

=Disk Disposal and Data Recovery=
* [http://forensic.belkasoft.com/download/info/SSD%20Forensics%202012.pdf Why SSD Drives Destroy Court Evidence, and What Can Be Done About It] by Oleg Afonin and Yuri Gubanov, 2012
* [http://www.deepspar.com/pdf/DeepSparDiskImagingWhitepaper3.pdf Disk Imaging: A Vital Step in Data Recovery], DeepSpar Data Recovery Systems, November 2006. An in-depth look at the many issues that cause data loss or irretrievable data in the data recovery imaging process and how to overcome them.
* [http://www.actionfront.com/ts_whitepaper.asp Drive-Independent Data Recovery: The Current State-of-the-Art], ActionFront Data Recovery Labs, August 2005.
* [[Recovering Overwritten Data#The Gutmann Paper|Secure Deletion of Data from Magnetic and Solid-State Memory]], Peter Gutmann, Proceedings of the Sixth Usenix Security Symposium, 1996. [http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html]
* [http://www-03.ibm.com/financing/pdf/us/recovery/igf4-a032.pdf Hard Drive Disposal: The Overlooked Confidentiality Exposure], Financial Perspectives, IBM White Paper, November 2003.
<bibtex>
@Article{garfinkel:remembrance,
  author =      "Simson Garfinkel and Abhi Shelat",
  author_a =    "Simson L. Garfinkel and Abhi Shelat",
  title =       "Remembrance of Data Passed",
  journal =     "{IEEE} Security and Privacy Magazine",
  publisher =   "IEEE",
  year =        "2002",
  month =       Jan,
  url =         "http://www.simson.net/clips/academic/2003.IEEE.DiskDriveForensics.pdf"
}
</bibtex>

=Evidence Gathering=
* [http://belkasoft.com/download/info/Live_RAM_Analysis_in_Digital_Forensics.pdf Discovering ephemeral evidence with Live RAM analysis] by Oleg Afonin and Yuri Gubanov, 2013
* [http://utdallas.edu/~sxs018540/index/docs/byteprints_itcc05.pdf Byteprints: A Tool to Gather Digital Evidence], Sriranjani Sitaraman, Srinivasan Krishnamurthy and S. Venkatesan, Proceedings of the International Conference on Information Technology (ITCC 2005), Las Vegas, Nevada, USA, April 4-6, 2005

=Fake Information=
* [https://analysis.mitre.org/proceedings/Final_Papers_Files/84_Camera_Ready_Paper.pdf Automatic Detection of Fake File Systems], Neil C. Rowe, International Conference on Intelligence Analysis Methods and Tools, McLean, Virginia, May 2005.

=Feature Extraction and Data Fusion=
Computer Location Determination Through Geoparsing and Geocoding of Extracted Features http://www2.chadsteel.com:8080/Publications/drive_location2.doc
<bibtex>
@inproceedings{garfinkel:cda,
  title="Forensic feature extraction and cross-drive analysis",
  author="Simson Garfinkel",
  booktitle={Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS)},
  address = "Lafayette, Indiana",
  journal="Digital Investigation",
  year=2006,
  month=Aug,
  url="http://www.dfrws.org/2006/proceedings/10-Garfinkel.pdf",
  location="Lafayette, Indiana"
}
</bibtex>

=Text Mining=
'''Computer Forensic Text Analysis with Open Source Software,''' Christian Johansson, Master's Thesis, Blekinge Tekniska Hogskola, June 2003 http://www.fukt.bth.se/~uncle/papers/master/thesis.pdf

=Signed Evidence=
<bibtex>
@article{duerr-2004,
  title="Information Assurance Applied to Authentication of Digital Evidence",
  author="Thomas E. Duerr and Nicholas D. Beser and Gregory P. Staisiunas",
  year=2004,
  journal="Forensic Science Communications",
  volume=6,
  number=4,
  url="http://www.fbi.gov/hq/lab/fsc/backissu/oct2004/research/2004_10_research01.htm"
}
</bibtex>
<bibtex>
@article{OppligerR03,
  author    = {Rolf Oppliger and Ruedi Rytz},
  title     = {Digital Evidence: Dream and Reality},
  journal   = {IEEE Security {\&} Privacy},
  volume    = {1},
  number    = {5},
  year      = {2003},
  pages     = {44-48},
  url       = {http://doi.ieeecomputersociety.org/10.1109/MSECP.2003.1236234},
  abstract="Digital evidence is inherently weak. New evidence-gathering technologies-digital black boxes-must be developed and deployed to support investigations of irreproducible events such as digitally signing a document."
}
</bibtex>

=Theory=
'''A Hypothesis-Based Approach to Digital Forensic Investigations,''' Brian D. Carrier, Ph.D. Dissertation, Purdue University, May 2006 https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2006-06.pdf

=Other Papers=
* [http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782 A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?], Peter P. Swire, Moritz College of Law of the Ohio State University, Journal on Telecommunications and High Technology Law, Vol. 2, 2004.

[[Category:Bibliographies]]

Page: Windows (Windows 32-bit on Windows 64-bit (WoW64))

{{Expand}}
'''Windows''' is a widespread [[operating system]] from [[Microsoft]].

There are two main branches of Windows:
* the DOS branch, i.e. Windows 95, 98, ME
* the NT branch, i.e. Windows NT 4, XP, Vista

== Features ==
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]

=== Introduced in Windows NT ===
* [[NTFS]]

=== Introduced in Windows 2000 ===

=== Introduced in Windows XP ===
* [[Prefetch]]
* System Restore (Restore Points); also present in Windows ME

==== SP2 ====
* Windows Firewall

=== Introduced in Windows 2003 (Server) ===
* Volume Shadow Copies

=== Introduced in Windows Vista ===
* [[BitLocker Disk Encryption | BitLocker]]
* [[Windows Desktop Search | Search]] integrated in the operating system
* [[SuperFetch]]
* [[NTFS|Transactional NTFS (TxF)]]
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
* $Recycle.Bin
* [[Windows XML Event Log (EVTX)]]
* [[User Account Control (UAC)]]

=== Introduced in Windows 2008 (Server) ===

=== Introduced in Windows 7 ===
* [[BitLocker Disk Encryption | BitLocker To Go]]
* [[Jump Lists]]
* [[Sticky Notes]]

=== Introduced in Windows 8 ===
* [[Windows Shadow Volumes | File History]]
* [[Windows Storage Spaces | Storage Spaces]]
* [[Resilient File System (ReFS)]]; a server edition will likely be available in Windows Server 2012

== Forensics ==

=== Partition layout ===
Default partition layout, the first partition starts:
* at sector 63 in Windows 2000, XP, 2003
* at sector 2048 in Windows Vista, 2008, 7
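The two default start sectors above are a quick indicator of which generation of Windows tooling partitioned a disk. The following Python is an added example, not code from the ForensicsWiki page: it reads the standard MBR partition table of a disk image (four 16-byte entries at byte offset 446, 0x55AA signature at bytes 510-511), reports whether the lowest partition start matches the sector 63 or sector 2048 default, and checks whether that start is 4 KB aligned, which is the alignment concern for the Advanced Format drives mentioned further down this page. The sample MBRs are constructed inline.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446        # the four 16-byte partition entries start at byte 446
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"   # boot signature at bytes 510-511
ENTRY_FMT = "<B3xB3xII"   # status, (CHS start), type, (CHS end), LBA start, sector count
ERA_BY_START = {63: "Windows 2000/XP/2003 default", 2048: "Windows Vista/2008/7 default"}


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR: bad size or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0:    # type 0x00 marks an unused entry
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def classify_layout(mbr: bytes, sector_size: int = 512) -> dict:
    """Match the lowest partition start against the default layouts and check 4 KB alignment."""
    parts = parse_mbr(mbr)
    if not parts:
        return {"first_start": None, "era": "no partitions", "aligned_4k": None}
    first = min(p["lba_start"] for p in parts)
    era = ERA_BY_START.get(first, "non-default (third-party tool or manual layout)")
    # a start offset that is a multiple of 4096 bytes is aligned for Advanced Format drives
    return {"first_start": first, "era": era,
            "aligned_4k": (first * sector_size) % 4096 == 0}


def make_mbr(entries) -> bytes:
    """Build a constructed MBR from (bootable, type, lba_start, sectors) tuples (sample data only)."""
    mbr = bytearray(MBR_SIZE)
    for i, (boot, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE,
                         0x80 if boot else 0x00, ptype, start, count)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


# constructed samples, not real images: an XP-style and a Windows 7-style layout (0x07 = NTFS)
XP_MBR = make_mbr([(True, 0x07, 63, 20_000_000)])
WIN7_MBR = make_mbr([(True, 0x07, 2048, 204_800), (False, 0x07, 206_848, 20_000_000)])
```

On a real image, pass the first 512 bytes of the file to classify_layout; a start of 63 on a 4 KB sector drive is the misaligned case the Advanced Format section refers to.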
  
=== Filesystems ===
* [[FAT]], [[FAT|exFAT]]
* [[NTFS]]
* [[Resilient File System (ReFS) | ReFS]]

=== Recycle Bin ===

==== RECYCLER ====
Used by Windows 2000, XP.
Uses the INFO2 file.

See: [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf]

==== $RECYCLE.BIN ====
Used by Windows Vista.
Uses $I and $R files.

See: [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf]

=== Registry ===

The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.

=== Thumbs.db Files ===

[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value to the [[investigator]].

See also: [[Vista thumbcache]].

=== Browser Cache ===

=== Browser History ===

The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]], but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].

=== Search ===
See [[Windows Desktop Search]]

=== Setup log files (setupapi.log) ===
Windows Vista introduced several setup log files [http://support.microsoft.com/kb/927521].

=== Sleep/Hibernation ===

After Windows 7 (at least) resumes from sleep or hibernation, there is often a system time change event (event ID 1) in the event logs.

=== Users ===
Windows stores the security identifiers (SIDs) of users under the following registry key:
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
</pre>

The %SID%\ProfileImagePath value should also contain the username.

== Advanced Format (4KB Sector) Hard Drives ==
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].

== %SystemRoot% ==
The actual value of %SystemRoot% is stored in the following registry value:
<pre>
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot
</pre>

== See Also ==
* [[Windows Event Log (EVT)]]
* [[Windows XML Event Log (EVTX)]]

== External Links ==

* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013

=== Under the hood ===
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]

=== Side-by-side (WinSxS) ===
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]

=== Application Compatibility Database ===
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatibility Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatibility Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
* [http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012

=== System Restore (Restore Points) ===
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]], June 16, 2007
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]

=== Windows Firewall ===
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]

=== Windows 32-bit on Windows 64-bit (WoW64) ===
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]

=== Windows XP ===
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]

=== Windows 8 ===
* [http://en.wikipedia.org/wiki/Features_new_to_Windows_8 Features new to Windows 8], Wikipedia
* [http://computerforensics.champlain.edu/blog/windows-8-forensics Windows 8 Forensics - part 1]
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2 Windows 8 Forensics - part 2]
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-3 Windows 8 Forensics - part 3]
* [http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf Windows 8 Forensic Guide], by [[Amanda Thomson|Amanda C. F. Thomson]], 2012
* [http://forensicfocus.com/Forums/viewtopic/t=9604/ Forensic Focus: Windows 8 Forensics - A First Look], [http://www.youtube.com/watch?v=uhCooEz9FQs&feature=youtu.be Presentation], [http://www.forensicfocus.com/downloads/windows-8-forensics-josh-brunty.pdf Slides], by [[Josh Brunty]], August 2012
* [http://dfstream.blogspot.ch/2013/03/windows-8-tracking-opened-photos.html Windows 8: Tracking Opened Photos], by [[Jason Hale]], March 8, 2013

[[Category:Operating systems]]

Revision as of 11:28, 26 June 2013
