Difference between pages "Windows 7" and "JTAG Forensics"

From ForensicsWiki

= JTAG Forensics =

== Definition ==

=== From Wikipedia ([http://en.wikipedia.org/wiki/Joint_Test_Action_Group http://en.wikipedia.org/wiki/Joint_Test_Action_Group ]): ===

Joint Test Action Group (JTAG) is the common name for what was later standardized as the IEEE 1149.1 Standard Test Access Port and Boundary-Scan Architecture. It was initially devised for testing printed circuit boards using boundary scan and is still widely used for this application. Today JTAG is also widely used for IC debug ports. In the embedded processor market, essentially all modern processors support JTAG when they have enough pins. Embedded systems development relies on debuggers talking to chips with JTAG to perform operations like single stepping and breakpointing. Digital electronics products such as cell phones or a wireless access point generally have no other debug or test interfaces.

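How the Test Access Port just described is driven at the wire level, as an added example that is not part of the ForensicsWiki page or of any vendor tool: a Python model of the IEEE 1149.1 TAP controller on the target side, and a host loop that resets it and shifts out the IDCODE. Reading IDCODE is the first thing a JTAG box does once a pinout has been connected, because a sane IDCODE proves the TAP is wired and alive before any memory read is attempted. The 4-bit instruction width and the IDCODE opcode of the simulated part are assumptions of this model; the sample IDCODE 0x4BA00477 is the value reported by ARM CoreSight debug ports.

```python
"""Simulated IEEE 1149.1 TAP: reset it, shift the 32-bit IDCODE out, decode it."""

# (next state if TMS=0, next state if TMS=1) per IEEE 1149.1 Figure 6-1;
# state changes and TDI sampling happen on the rising edge of TCK.
TAP_NEXT = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"),
    "RUN_TEST_IDLE": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_DR_SCAN": ("CAPTURE_DR", "SELECT_IR_SCAN"),
    "CAPTURE_DR": ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR": ("SHIFT_DR", "EXIT1_DR"),
    "EXIT1_DR": ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR": ("PAUSE_DR", "EXIT2_DR"),
    "EXIT2_DR": ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_IR_SCAN": ("CAPTURE_IR", "TEST_LOGIC_RESET"),
    "CAPTURE_IR": ("SHIFT_IR", "EXIT1_IR"),
    "SHIFT_IR": ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR": ("PAUSE_IR", "UPDATE_IR"),
    "PAUSE_IR": ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR": ("SHIFT_IR", "UPDATE_IR"),
    "UPDATE_IR": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
}

class SimulatedTap:
    """One TAP with a 4-bit IR, an IDCODE register and BYPASS. IR width and the
    IDCODE opcode are assumptions of this model; real parts state theirs in the
    datasheet or BSDL file. All-ones BYPASS is fixed by the standard."""
    IR_LEN = 4
    IDCODE_INSTR = 0b1110  # assumed opcode

    def __init__(self, idcode):
        self.idcode = idcode
        self.state = "TEST_LOGIC_RESET"
        self.ir = self.IDCODE_INSTR  # reset selects IDCODE when the part has one
        self.ir_shift = self.dr_shift = 0
        self.dr_len = 32

    def clock(self, tms, tdi):
        """One TCK cycle: returns the TDO bit that was driven before the edge."""
        s, tdo = self.state, 0
        if s == "SHIFT_DR":
            tdo = self.dr_shift & 1  # registers shift out LSB first
            self.dr_shift = (self.dr_shift >> 1) | (tdi << (self.dr_len - 1))
        elif s == "SHIFT_IR":
            tdo = self.ir_shift & 1
            self.ir_shift = (self.ir_shift >> 1) | (tdi << (self.IR_LEN - 1))
        elif s == "CAPTURE_DR":  # load the register selected by the current IR
            if self.ir == self.IDCODE_INSTR:
                self.dr_shift, self.dr_len = self.idcode, 32
            else:  # BYPASS and unknown opcodes: a single zero bit
                self.dr_shift, self.dr_len = 0, 1
        elif s == "CAPTURE_IR":
            self.ir_shift = 0b0001  # the standard fixes the two low IR bits to 01
        elif s == "UPDATE_IR":
            self.ir = self.ir_shift
        elif s == "TEST_LOGIC_RESET":
            self.ir = self.IDCODE_INSTR
        self.state = TAP_NEXT[s][tms]
        return tdo

class JtagHost:
    """Host side: drives TMS/TDI and collects TDO, as an adapter's bit-bang loop does."""

    def __init__(self, target):
        self.target = target

    def walk(self, tms_bits):
        for b in tms_bits:
            self.target.clock(b, 0)

    def reset(self):
        self.walk([1] * 5)  # five TMS=1 clocks reach Test-Logic-Reset from any state
        self.walk([0])      # park in Run-Test/Idle

    def shift_dr(self, nbits, tdi_value=0):
        """From Run-Test/Idle: Select-DR, Capture-DR, then shift nbits through."""
        self.walk([1, 0, 0])
        out = 0
        for i in range(nbits):
            tms = 1 if i == nbits - 1 else 0  # the last bit also leaves Shift-DR
            out |= self.target.clock(tms, (tdi_value >> i) & 1) << i
        self.walk([1, 0])  # Exit1-DR -> Update-DR -> Run-Test/Idle
        return out

def read_idcode(host):
    """Reset the TAP and read IDCODE. Returns None when TDO looks stuck at 0 or 1,
    which on a real board usually means a wrong pinout, an unpowered target or a
    TAP the vendor disabled; bit 0 of a genuine IDCODE is always 1."""
    host.reset()
    idcode = host.shift_dr(32)
    if idcode in (0, 0xFFFFFFFF) or not idcode & 1:
        return None
    return idcode

def decode_idcode(idcode):
    """Split IDCODE into version (31:28), part (27:12), JEP106 manufacturer (11:1)."""
    mfr = (idcode >> 1) & 0x7FF
    return {
        "version": idcode >> 28,
        "part": (idcode >> 12) & 0xFFFF,
        "jedec_bank": (mfr >> 7) + 1,  # continuation-byte count + 1
        "jedec_code": mfr & 0x7F,      # 0x23B (bank 5, code 0x3B) is ARM
    }
```

Usage: `read_idcode(JtagHost(SimulatedTap(0x4BA00477)))` returns 0x4BA00477 and `decode_idcode` resolves it to version 4, part 0xBA00, JEDEC bank 5 code 0x3B. The dead-chain check matters in practice: an all-zero or all-one readout is what a mis-identified test point or a disabled TAP looks like, and no amount of shifting will turn that into a memory dump.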
=== Forensic Application ===

JTAG forensics is an acquisition procedure which involves connecting to the Test Access Port (TAP) on a device (the TCK, TMS, TDI and TDO signals, plus the optional TRST) and instructing the processor, through its debug interface, to read out the raw data stored on the memory chips connected to it. JTAGging supported phones can be an extremely effective technique for extracting a full physical image from devices that cannot be acquired by other means. The result is a raw dump of the flash, so the examiner still has to identify the partition layout and parse the file systems with the usual tools. The technique also depends on the TAP being present on the board and not disabled by the manufacturer, and on a correct pinout, which is why each supported device has its own procedure page below.

== Tools and Equipment ==

* [[JTAG and Chip-Off Tools and Equipment]]

== Procedures ==

* [[JTAG HTC Wildfire S]]
* [[JTAG Huawei TracFone M865C]]
* [[JTAG Huawei TracFone M866C]]
* [[JTAG Huawei U8655]]
* [[JTAG LG P930 (Nitro HD)]]
* [[JTAG Samsung Galaxy S4 (SGH-I337)]]

= Windows 7 =

== File Structure ==

File systems are covered separately.

== SSD ==

Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled. For the examiner this means a missing or nearly empty Prefetch folder on such a system is the expected state rather than a sign that it was cleared.

Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:

<i>Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.</i>

== Jump Lists ==

[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

== Registry ==

The [[Windows_Registry]] remains a central component of the Windows 7 operating system.

== Known Registry keys of forensic interest ==

'''SAM Registry'''

*SAM\SAM\Domains\Account\Users
*SAM\SAM\Domains\Builtin\Aliases

'''Security Registry'''

*Security\Policy\PolAcDmS
*Security\Policy\PolPrDmS
*Security\Policy\PolAdtEv
*Security\Policy\Secrets

'''NTUSER Registry'''

*NTUSER\Control Panel\Desktop
*NTUSER\Control Panel\don\
*NTUSER\Environment
*NTUSER\Network
*NTUSER\Printers\Settings\Wizard\ConnectMRU
*NTUSER\Software
*NTUSER\Software\Adobe\Acrobat Reader
*NTUSER\Software\Ahead
*NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
*NTUSER\Software\Ares
*NTUSER\Software\bindshell.net\Odysseus
*NTUSER\Software\Blizzard Entertainment\Warcraft III\String
*NTUSER\Software\Cain\Settings
*NTUSER\Software\DECAFme
*NTUSER\Software\Google\Google Toolbar\4.0\whitelist
*NTUSER\Software\Google\NavClient\1.1\History
*NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
*NTUSER\Software\JavaSoft\Prefs\haven
*NTUSER\Software\Microsoft
*NTUSER\Software\Microsoft\Command Processor
*NTUSER\Software\Microsoft\CTF\LangBarAddIn
*NTUSER\Software\Microsoft\Dependency Walker\Recent File List
*NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
*NTUSER\Software\Microsoft\Internet Account Manager\Accounts
*NTUSER\Software\Microsoft\Internet Explorer\Main
*NTUSER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
*NTUSER\Software\Microsoft\Internet Explorer\Settings
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
*NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
*NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
*NTUSER\Software\Microsoft\Multimedia\Other
*NTUSER\Software\Microsoft\Office
*NTUSER\Software\Microsoft\Office\14.0
*NTUSER\Software\Microsoft\PIMSRV
*NTUSER\Software\Microsoft\Search Assistant\ACMru
*NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
*NTUSER\Software\Microsoft\Terminal Server Client\Default
*NTUSER\Software\Microsoft\Terminal Server Client\Servers
*NTUSER\Software\Microsoft\User Location Service\Client
*NTUSER\Software\Microsoft\Windows Live Contacts\Database
*NTUSER\Software\Microsoft\Windows Live Mail
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
*NTUSER\Software\Microsoft\Windows\CurrentVersion
*NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
*NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
*NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
*NTUSER\Software\Nico Mak Computing\WinZip
*NTUSER\Software\ORL\VNCHooks\Application_Prefs
*NTUSER\Software\ORL\VNCviewer\MRU
*NTUSER\Software\Piriform\CCleaner
*NTUSER\Software\Privoxy
*NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
*NTUSER\Software\RealVNC\VNCViewer4\MRU
*NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
*NTUSER\Software\Skype
*NTUSER\Software\SmartLine Vision\aports
*NTUSER\Software\SysInternals
*NTUSER\Software\Sysinternals\RootkitRevealer
*NTUSER\Software\VMware
*NTUSER\Software\WinRAR\ArcHistory
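As an added worked example that is not part of the ForensicsWiki page, a decoder for one of the keys listed above, NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist: its Windows 7 values live under two GUID subkeys in a Count key, their names are ROT13-obfuscated program paths (with known folders replaced by GUIDs), and each value is a 72-byte binary record carrying the run count, focus count, focus time and last-run FILETIME. The layout offsets are the ones documented for Windows 7 and the known-folder GUIDs are from the Windows SDK; the value names and bytes below are constructed for the demonstration, not captured from a real hive. The block takes (name, bytes) pairs as an offline hive parser would hand them over.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7 UserAssist value layout (72 bytes, little-endian):
#   offset  4: run count (DWORD)        offset 12: focus time in ms (DWORD)
#   offset  8: focus count (DWORD)      offset 60: last execution, FILETIME
# offsets 0, 16..59 and 68..71 hold session data, ten floats and unknowns.
# Windows XP used a 16-byte layout instead, so the length is checked first.
USERASSIST_WIN7_LEN = 72
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Known-folder GUIDs that Windows substitutes for the folder path in value
# names (Windows SDK KnownFolders.h); only the common ones are listed.
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%SystemRoot%",
    "{905E63B4-C1BF-494E-B29C-65B732D3D21A}": "%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
}


def decode_name(rot13_name):
    """Undo the ROT13 on a UserAssist value name and expand a leading known-folder GUID."""
    name = codecs.decode(rot13_name, "rot_13")
    for guid, path in KNOWN_FOLDERS.items():
        if name.upper().startswith(guid):
            return path + name[len(guid):]
    return name


def filetime_to_datetime(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means no timestamp."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_userassist_value(name, data):
    """Parse one Windows 7 UserAssist value into the fields an examiner reports."""
    if len(data) != USERASSIST_WIN7_LEN:
        raise ValueError(f"unexpected UserAssist value length {len(data)} (XP-style or corrupt?)")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": decode_name(name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run_ft),
    }


def build_sample_value(run_count, focus_count, focus_ms, last_run=None):
    """Construct a Windows 7-format value for the demo (not captured from a real system)."""
    ft = 0 if last_run is None else (last_run - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + bytes(44)                 # ten floats plus an unknown DWORD, offsets 16..59
            + struct.pack("<Q", ft)
            + bytes(4))                 # trailing unknown DWORD


# Constructed sample: notepad.exe run from System32 (GUID-prefixed, ROT13-encoded
# name) and an Explorer AppID entry that was never timestamped.
SAMPLE_VALUES = [
    ("{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\abgrcnq.rkr",
     build_sample_value(7, 3, 90_000, datetime(2013, 9, 12, 20, 13, tzinfo=timezone.utc))),
    ("Zvpebfbsg.Jvaqbjf.Rkcybere", build_sample_value(42, 0, 0)),
]


def parse_sample():
    """Decode the constructed sample values; the same loop runs over a real Count key."""
    return [parse_userassist_value(name, data) for name, data in SAMPLE_VALUES]
```

Run counts on Windows 7 are stored as-is (the +5 offset applies to the XP format only), and the focus time is what tells a single launch apart from an application the user actually worked in.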

Revision as of 20:13, 12 September 2013 (JTAG Forensics page)