Difference between pages "Windows" and "Bibliography"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Windows 32-bit on Windows 64-bit (WoW64))
 
(Evidence Gathering: added Live RAM forensics article)
 
Line 1: Line 1:
{{Expand}}
+
=Disk Disposal and Data Recovery=
 +
* [http://forensic.belkasoft.com/download/info/SSD%20Forensics%202012.pdf Why SSD Drives Destroy Court Evidence, and What Can Be Done About It] by Oleg Afonin and Yuri Gubanov, 2012
 +
* [http://www.deepspar.com/pdf/DeepSparDiskImagingWhitepaper3.pdf Disk Imaging: A Vital Step in Data Recovery], DeepSpar Data Recovery Systems, November 2006. An in depth look at the many issues that cause data loss / irretrievable data in the data recovery imaging process and how to overcome them.
 +
* [http://www.actionfront.com/ts_whitepaper.asp Drive-Independent Data Recovery: The Current State-of-the-Art], ActionFront Data Recovery Labs, August 2005.
 +
* [[Recovering Overwritten Data#The Gutmann Paper|Secure Deletion of Data from Magnetic and Solid-State Memory]], Peter Gutmann, Proceedings of the Sixth Usenix Security Symposium, 1996. [http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html]
 +
* [http://www-03.ibm.com/financing/pdf/us/recovery/igf4-a032.pdf Hard Drive Disposal: The Overlooked Confidentiality Exposure], FInancial Perspectives, IBM White Paper, November 2003.
  
'''Windows''' is a widely-spread [[operating system]] from [[Microsoft]].
+
<bibtex>
 +
@Article{garfinkel:remembrance,
 +
  author =      "Simson Garfinkel and Abhi Shelat",
 +
  author_a =      "Simson L. Garfinkel and Abhi Shelat",
 +
  title =        "Remembrance of Data Passed",
 +
  journal =      "{IEEE} Security and Privacy Magazine",
 +
  publisher =    "IEEE",
 +
  year      =        "2002",
 +
  month    = Jan,
 +
  url="http://www.simson.net/clips/academic/2003.IEEE.DiskDriveForensics.pdf"
 +
}
 +
</bibtex>
  
There are 2 main branches of Windows:
+
=Evidence Gathering=
* the DOS-branch: i.e. Windows 95, 98, ME
+
* the NT-branch: i.e. Windows NT 4, XP, Vista
+
  
== Features ==
+
* [http://belkasoft.com/download/info/Live_RAM_Analysis_in_Digital_Forensics.pdf Discovering ephemeral evidence with Live RAM analysis] by Oleg Afonin and Yuri Gubanov, 2013
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]
+
* [http://utdallas.edu/~sxs018540/index/docs/byteprints_itcc05.pdf Byteprints: A Tool to Gather Digital Evidence], Sriranjani Sitaraman, Srinivasan Krishnamurthy and S. Venkatesan, Proceedings of the International Conference on Information Technology (ITCC 2005), Las Vegas, Nevada, USA, April 4 - 6, 2005
  
=== Introduced in Windows NT ===
+
=Fake Information=
* [[NTFS]]
+
  
=== Introduced in Windows 2000 ===
+
* [https://analysis.mitre.org/proceedings/Final_Papers_Files/84_Camera_Ready_Paper.pdf Automatic Detection of Fake File Systems], Neil C. Rowe, International Conference on Intelligence Analysis Methods and Tools, McLean, Virginia, May 2005.
  
=== Introduced in Windows XP ===
+
=Feature Extraction and Data Fusion=
* [[Prefetch]]
+
Computer Location Determination Through Geoparsing and Geocoding of
* System Restore (Restore Points); also present in Windows ME
+
Extracted Features
 +
http://www2.chadsteel.com:8080/Publications/drive_location2.doc
 +
<bibtex>
 +
@inproceedings{garfinkel:cda,
 +
  title="Forensic feature extraction and cross-drive analysis",
 +
  author="Simson Garfinkel",
 +
  booktitle={Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS)},
 +
  address = "Lafayette, Indiana",
 +
  journal="Digital Investigation",
 +
  year=2006,
 +
  month=Aug,
 +
  url="http://www.dfrws.org/2006/proceedings/10-Garfinkel.pdf",
 +
  location="Lafayette, Indiana"
 +
}
 +
</bibtex>
  
==== SP2 ====
+
=Text Mining=
* Windows Firewall
+
  
=== Introduced in Windows 2003 (Server) ===
+
'''Computer Forensic Text Analysis with Open Source Software,''' Christian Johansson, Masters Thesis, Blekinge Tekniska Hogskola, June 2003 http://www.fukt.bth.se/~uncle/papers/master/thesis.pdf
* Volume Shadow Copies
+
  
=== Introduced in Windows Vista ===  
+
=Signed Evidence=
* [[BitLocker Disk Encryption | BitLocker]]
+
<bibtex>
* [[Windows Desktop Search | Search]] integrated in operating system
+
@article{duerr-2004,
* [[SuperFetch]]
+
  title="Information Assurance Applied to Authentication of Digital Evidence",
* [[NTFS|Transactional NTFS (TxF)]]
+
  author="Thomas E. Duerr and Nicholas D. Beser and Gregory P. Staisiunas",
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
+
  year=2004,
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
+
  journal="Forensic Science Communications",
* $Recycle.Bin
+
  volume=6,
* [[Windows XML Event Log (EVTX)]]
+
  number=4,
* [[User Account Control (UAC)]]
+
  url="http://www.fbi.gov/hq/lab/fsc/backissu/oct2004/research/2004_10_research01.htm"
 +
}
 +
</bibtex>
  
=== Introduced in Windows 2008 (Server) ===
 
  
=== Introduced in Windows 7 ===
+
<bibtex>
* [[BitLocker Disk Encryption | BitLocker To Go]]
+
@article{OppligerR03,
* [[Jump Lists]]
+
  author    = {Rolf Oppliger and Ruedi Rytz},
* [[Sticky Notes]]
+
  title    = {Digital Evidence: Dream and Reality},
 +
  journal  = {IEEE Security {\&} Privacy},
 +
  volume    = {1},
 +
  number    = {5},
 +
  year      = {2003},
 +
  pages    = {44-48},
 +
  url      = {http://doi.ieeecomputersociety.org/10.1109/MSECP.2003.1236234},
 +
  abstract="Digital evidence is inherently weak. New evidence-gathering technologies-digital black boxes-must be developed and deployed to support investigations of irreproducible events such as digitally signing a document."
 +
}
 +
</bibtex>
  
=== Introduced in Windows 8 ===
+
=Theory=
* [[Windows Shadow Volumes | File History]]
+
'''A Hypothesis-Based Approach to Digital Forensic Investigations,''' Brian D. Carrier, Ph.D. Dissertation
* [[Windows Storage Spaces | Storage Spaces]]
+
Purdue University, May 2006 https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2006-06.pdf
* [[Resilient File System (ReFS)]]; server edition will likely be available in Windows Server 2012
+
  
== Forensics ==
+
=Other Papers=
  
=== Partition layout ===
+
* [http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782 A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?], Peter P. Swire, Moritz College of Law of the Ohio State University, Journal on Telecommunications and High Technology Law, Vol. 2, 2004.
Default partition layout, first partition starts:
+
* at sector 63 in Windows 2000, XP, 2003
+
* at sector 2048 in Windows Vista, 2008, 7
+
  
=== Filesystems ===
+
[[Category:Bibliographies]]
* [[FAT]], [[FAT|exFAT]]
+
* [[NTFS]]
+
* [[Resilient File System (ReFS) | ReFS]]
+
 
+
=== Recycle Bin ===
+
 
+
==== RECYCLER ====
+
Used by Windows 2000, XP.
+
Uses INFO2 file.
+
 
+
See: [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf]
+
 
+
==== $RECYCLE.BIN ====
+
Used by Windows Vista.
+
Uses $I and $R files.
+
 
+
See: [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf]
+
 
+
=== Registry ===
+
 
+
The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.
+
 
+
=== Thumbs.db Files ===
+
 
+
[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].
+
 
+
See also: [[Vista thumbcache]].
+
 
+
=== Browser Cache ===
+
 
+
=== Browser History ===
+
 
+
The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]] but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].
+
 
+
=== Search ===
+
See [[Windows Desktop Search]]
+
 
+
=== Setup log files (setupapi.log) ===
+
Windows Vista introduced several setup log files [http://support.microsoft.com/kb/927521].
+
 
+
=== Sleep/Hibernation ===
+
 
+
After (at least) Windows 7 recovers from sleep/hibernation there often is a system time change event (event id 1) in the event logs.
+
 
+
=== Users ===
+
Windows stores a users Security identifiers (SIDs) under the following registry key:
+
<pre>
+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
+
</pre>
+
 
+
The %SID%\ProfileImagePath value should also contain the username.
+
 
+
== Advanced Format (4KB Sector) Hard Drives ==
+
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].
+
 
+
== %SystemRoot% ==
+
The actual value of %SystemRoot% is store in the following registry value:
+
<pre>
+
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
+
Value: SystemRoot
+
</pre>
+
 
+
== See Also ==
+
* [[Windows Event Log (EVT)]]
+
* [[Windows XML Event Log (EVTX)]]
+
 
+
== External Links ==
+
 
+
* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
+
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
+
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
+
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
+
 
+
=== Under the hood ===
+
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
+
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
+
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
+
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
+
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]
+
 
+
=== Side-by-side (WinSxS) ===
+
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
+
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
+
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
+
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
+
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
+
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
+
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]
+
 
+
=== Application Compatibility Database ===
+
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
+
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
+
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
+
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
+
* [http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
+
 
+
=== System Restore (Restore Points) ===
+
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
+
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
+
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]],  June 16, 2007
+
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
+
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]
+
 
+
=== Windows Firewall ===
+
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
+
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]
+
 
+
=== Windows 32-bit on Windows 64-bit (WoW64) ===
+
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]
+
 
+
=== Windows XP ===
+
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]
+
 
+
=== Windows 8 ===
+
* [http://en.wikipedia.org/wiki/Features_new_to_Windows_8 Features new to Windows 8], Wikipedia
+
* [http://computerforensics.champlain.edu/blog/windows-8-forensics Windows 8 Forensics - part 1]
+
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2 Windows 8 Forensics - part 2]
+
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-3 Windows 8 Forensics - part 3]
+
* [http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf Windows 8 Forensic Guide], by [[Amanda Thomson|Amanda C. F. Thomson]], 2012
+
* [http://forensicfocus.com/Forums/viewtopic/t=9604/ Forensic Focus: Windows 8 Forensics - A First Look], [http://www.youtube.com/watch?v=uhCooEz9FQs&feature=youtu.be Presentation], [http://www.forensicfocus.com/downloads/windows-8-forensics-josh-brunty.pdf Slides], by [[Josh Brunty]], August 2012
+
* [http://dfstream.blogspot.ch/2013/03/windows-8-tracking-opened-photos.html Windows 8: Tracking Opened Photos], by [[Jason Hale]], March 8, 2013
+
 
+
[[Category:Operating systems]]
+

Revision as of 06:28, 26 June 2013

Contents

Disk Disposal and Data Recovery

Simson Garfinkel, Abhi Shelat - Remembrance of Data Passed
{IEEE} Security and Privacy Magazine , January 2002
http://www.simson.net/clips/academic/2003.IEEE.DiskDriveForensics.pdf
Bibtex
Author : Simson Garfinkel, Abhi Shelat
Title : Remembrance of Data Passed
In : {IEEE} Security and Privacy Magazine -
Address :
Date : January 2002

Evidence Gathering

Fake Information

Feature Extraction and Data Fusion

Computer Location Determination Through Geoparsing and Geocoding of Extracted Features http://www2.chadsteel.com:8080/Publications/drive_location2.doc

Simson Garfinkel - Forensic feature extraction and cross-drive analysis
Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS) , Lafayette, Indiana, August 2006
http://www.dfrws.org/2006/proceedings/10-Garfinkel.pdf
Bibtex
Author : Simson Garfinkel
Title : Forensic feature extraction and cross-drive analysis
In : Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS) -
Address : Lafayette, Indiana
Date : August 2006

Text Mining

Computer Forensic Text Analysis with Open Source Software, Christian Johansson, Masters Thesis, Blekinge Tekniska Hogskola, June 2003 http://www.fukt.bth.se/~uncle/papers/master/thesis.pdf

Signed Evidence

Thomas E. Duerr, Nicholas D. Beser, Gregory P. Staisiunas - Information Assurance Applied to Authentication of Digital Evidence
Forensic Science Communications 6(4),2004
http://www.fbi.gov/hq/lab/fsc/backissu/oct2004/research/2004_10_research01.htm
Bibtex
Author : Thomas E. Duerr, Nicholas D. Beser, Gregory P. Staisiunas
Title : Information Assurance Applied to Authentication of Digital Evidence
In : Forensic Science Communications -
Address :
Date : 2004


Rolf Oppliger, Ruedi Rytz - Digital Evidence: Dream and Reality
IEEE Security {\&} Privacy 1(5):44-48,2003
http://doi.ieeecomputersociety.org/10.1109/MSECP.2003.1236234
Bibtex
Author : Rolf Oppliger, Ruedi Rytz
Title : Digital Evidence: Dream and Reality
In : IEEE Security {\&} Privacy -
Address :
Date : 2003

Theory

A Hypothesis-Based Approach to Digital Forensic Investigations, Brian D. Carrier, Ph.D. Dissertation Purdue University, May 2006 https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2006-06.pdf

Other Papers