Difference between pages "Windows 7" and "File:Huawei-u8655-front.jpg"

From Forensics Wiki
  
 
== File Structure ==
 
File systems are covered separately.
 
 
== SSD ==
 
Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.
 
 
Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:
 
<i>Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.</i>
 
 
 
 
 
== Jump Lists ==
 
[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).
 
 
== Registry ==
 
The [[Windows_Registry]] remains a central component of the Windows 7 operating system.
 
 
== Known Registry keys of forensic interest ==
 
 
'''SAM Registry'''
 
 
*SAM\\SAM\\Domains\\Account\\Users
 
*SAM\\SAM\\Domains\\Builtin\\Aliases
 
 
 
'''Security Registry'''
 
 
*Security\\Policy\\PolAcDmS

*Security\\Policy\\PolPrDmS
 
*Security\\Policy\\PolAdtEv
 
*Security\\Policy\\Secrets
 
 
'''NTUSER Registry'''
 
*NTUSER\\Control Panel\\Desktop
 
*NTUSER\\Control Panel\\don\
 
*NTUSER\\Environment
 
*NTUSER\\Network
 
*NTUSER\\Printers\\Settings\\Wizard\\ConnectMRU
 
*NTUSER\\Software
 
*NTUSER\\Software\\Adobe\\Acrobat Reader\\
 
*NTUSER\\Software\\Ahead
 
*NTUSER\\Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users
 
*NTUSER\\Software\\Ares
 
*NTUSER\\Software\\bindshell.net\\Odysseus
 
*NTUSER\\Software\\Blizzard Entertainment\\Warcraft III\\String
 
*NTUSER\\Software\\Cain\\Settings
 
*NTUSER\\Software\\DECAFme
 
*NTUSER\\Software\\Google\\Google Toolbar\\4.0\\whitelist
 
*NTUSER\\Software\\Google\\NavClient\\1.1\\History
 
*NTUSER\\Software\\JavaSoft\\Java Update\\Policy\\JavaFX
 
*NTUSER\\Software\\JavaSoft\\Prefs\\haven
 
*NTUSER\\Software\\Microsoft
 
*NTUSER\\Software\\Microsoft\\Command Processor
 
*NTUSER\\Software\\Microsoft\\Dependency Walker\\Recent File List
 
*NTUSER\\Software\\Microsoft\\IntelliPoint\\AppSpecific
 
*NTUSER\\Software\\Microsoft\\Internet Explorer\\Main
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete

*NTUSER\\Software\\Microsoft\\Internet Account Manager\\Accounts
 
*NTUSER\\Software\\Microsoft\\Internet Explorer\\Settings
 
*NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLs
 
*NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLsTime
 
*NTUSER\\Software\\Microsoft\\MediaPlayer\\Player\\RecentFileList
 
*NTUSER\\Software\\Microsoft\\Microsoft Management Console\\Recent File List
 
*NTUSER\\Software\\Microsoft\\Multimedia\\Other

*NTUSER\\Software\\Microsoft\\CTF\\LangBarAddIn

*NTUSER\\Software\\Microsoft\\Office\\14.0
 
*NTUSER\\Software\\Microsoft\\Office\\
 
*NTUSER\\Software\\Microsoft\\PIMSRV
 
*NTUSER\\Software\\Microsoft\\Search Assistant\\ACMru
 
*NTUSER\\Software\\Microsoft\\Snapshot Viewer\\Recent File List
 
*NTUSER\\Software\\Microsoft\\Terminal Server Client\\Default
 
*NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers
 
*NTUSER\\Software\\Microsoft\\User Location Service\\Client
 
*NTUSER\\Software\\Microsoft\\Windows Live Contacts\\Database
 
*NTUSER\\Software\\Microsoft\\Windows Live Mail
 
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted
 
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers
 
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts
 
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows
 
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles
 
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\0a0d020000000000c000000000000046
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PublishingWizard\\AddNetworkPlace\\AddNetPlace\\LocationMRU
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpaper\\MRU
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{8AD9C840-044E-11D1-B3E9-00805F499D93}
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\FileHistory
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap
 
*NTUSER\\Software\\Microsoft\\Internet Explorer\\Main\\WindowsSearch
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\UFH\\SHC
 
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\UnreadMail
 
*NTUSER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop
 
*NTUSER\\Software\\Nico Mak Computing\\WinZip
 
*NTUSER\\Software\\ORL\\VNCHooks\\Application_Prefs
 
*NTUSER\\Software\\ORL\\VNCviewer\\MRU
 
*NTUSER\\Software\\Piriform\\CCleaner
 
*NTUSER\\Software\\Privoxy
 
*NTUSER\\Software\\RealNetworks\\RealPlayer\\6.0\\Preferences
 
*NTUSER\\Software\\RealVNC\\VNCViewer4\\MRU
 
*NTUSER\\Software\\SimonTatham\\PuTTY\\SshHostKeys
 
*NTUSER\\Software\\Skype
 
*NTUSER\\Software\\SmartLine Vision\\aports
 
*NTUSER\\Software\\SysInternals
 
*NTUSER\\Software\\Sysinternals\\RootkitRevealer
 
*NTUSER\\Software\\VMware
 
*NTUSER\\Software\\WinRAR\\ArcHistory
 

Latest revision as of 20:32, 12 September 2013