Difference between pages "Tools:Memory Imaging" and "Windows"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (x86 Hardware)
 
(Introduced in Windows Vista)
 
Line 1: Line 1:
The [[physical memory]] of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between [[operating systems]], these tools are listed by operating system. Once memory has been imaged, it is subjected to [[memory analysis]] to ascertain the state of the system, extract artifacts, and so on.
+
{{Expand}}
  
One of the most vexing problems for memory imaging is verifying that the image has been created correctly.  That is, verifying that it reflects the actual contents of memory at the time of its creation. Because the contents of memory are constantly changing on a running system, the process can be repeated but the results will never--to a high degree of probability--be the same.  Thus, repeating the acquisition and comparing the results is not a feasible means of validating correct image creation.  [[Memory analysis]] can reveal whether the image's contents are consistent with the known layout and structure of a given operating system, as well as answering other questions, but it cannot answer the question as to whether the image accurately reflects the system from which it was taken at the time it was taken.
+
'''Windows''' is a widely-spread [[operating system]] from [[Microsoft]].
  
== Memory Imaging Techniques ==
+
There are 2 main branches of Windows:
 +
* the DOS-branch: i.e. Windows 95, 98, ME
 +
* the NT-branch: i.e. Windows NT 4, XP, Vista
  
; Crash Dumps
+
== Features ==
: When configured to create a full memory dump, [[Windows]] operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. [[Andreas Schuster]] has a [http://computer.forensikblog.de/en/2005/10/acquisition_2_crashdump.html blog post] describing this technique.
+
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]
; LiveKd Dumps
+
: The [[Sysinternals]] tool [http://www.microsoft.com/technet/sysinternals/SystemInformation/LiveKd.mspx LiveKd] can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f [output file]"
+
; Hibernation Files
+
: [[Windows]] 98, 2000, XP, 2003, and Vista support a feature called [[hibernation]] that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of [[physical memory]], is written to the disk on the system drive, usually C:, as [[hiberfil.sys]]. This file can be parsed and decompressed to obtain the memory image. Once [[hiberfil.sys]] has been obtained, [http://sandman.msuiche.net/ Sandman] can be used to convert it to a dd image.
+
: [[Mac OS X]] very kindly creates a file called '''/var/vm/sleepimage''' on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on [[File Vault]] and enables Secure Virtual Memory. [http://pc-eye.blogspot.com/2008/08/live-memory-dump-on-mac-laptops.html].
+
; Firewire
+
: It is possible for [[Firewire]] or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
+
: At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.
+
: This technique has been turned into a tool that you can download from:  http://www.storm.net.nz/projects/16
+
: The [http://goldfish.ae Goldfish] tool automates this exploit for investigators needing to analyze the memory of a Mac.
+
; Virtual Machine Imaging
+
: There are numerous popular virtual machines that are in wide use such as xen, qemu or vmware. If the memory image is for a machine running in this kind of virtual environment, there are usually two methods for obtaining a memory image. The common method is to pause/suspend/stop the system and then collect the resulting memory image file, this has the disadvantage of taking the machine offline during the suspend time. Alternatively most of these systems support live dumping of a memory image. [http://www.qemu.org Qemu ] supports the pmemsave function, [http://www.xen.org Xen] has the xm dump-core command.
+
  
== Memory Imaging Tools ==
+
=== Introduced in Windows NT ===  
===x86 Hardware===
+
* [[NTFS]]
  
; [http://www.windowsscope.com WindowsSCOPE] CaptureGUARD PCIe card (commercial) - desktops, servers
+
=== Introduced in Windows 2000 ===
: Publicly available, supports all Windows OS; windd and other formats.
+
: CaptureGUARD Gateway performs DRAM acquisition even on locked computers
+
: Inquire at http://www.windowsscope.com.
+
  
; [http://www.windowsscope.com WindowsSCOPE] CaptureGUARD ExpressCard (commercial) - laptop applications
+
=== Introduced in Windows XP ===
: Publicly available, supports all Windows OS; windd and other formats.
+
* [[Prefetch]]
: CaptureGUARD Gateway performs DRAM acquisition even on locked computers
+
* System Restore (Restore Points); also present in Windows ME
: Inquire at http://www.windowsscope.com.
+
  
; Tribble PCI Card (research project)
+
==== SP2 ====
: http://www.digital-evidence.org/papers/tribble-preprint.pdf
+
* Windows Firewall
  
; CoPilot by Komoku
+
=== Introduced in Windows 2003 (Server) ===
: Komoku was acquired by Microsoft and the card was not made publicly available.
+
* Volume Shadow Copies
  
; Forensic RAM Extraction Device (FRED) by BBN
+
=== Introduced in Windows Vista ===
: Not publicly available. http://www.ir.bbn.com/~vkawadia/
+
* [[BitLocker Disk Encryption | BitLocker]]
 +
* [[Windows Desktop Search | Search]] integrated in operating system
 +
* [[ReadyBoost]]
 +
* [[SuperFetch]]
 +
* [[NTFS|Transactional NTFS (TxF)]]
 +
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
 +
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
 +
* $Recycle.Bin
 +
* [[Windows XML Event Log (EVTX)]]
 +
* [[User Account Control (UAC)]]
  
===[[Windows]] Software===
+
=== Introduced in Windows 2008 (Server) ===  
There are many Windows memory acquisition tools. Most of them will not work on Windows Vista or 7, as user programs have been denied access to the ''\Device\Physicalmemory'' object starting in Windows 2003 Service Pack 1 and Windows Vista. Modern tools acquire physical memory by first installing a device driver, so administrative privileges are needed.
+
  
We have edited this list so that it only includes current tools:
+
=== Introduced in Windows 7 ===
 +
* [[BitLocker Disk Encryption | BitLocker To Go]]
 +
* [[Jump Lists]]
 +
* [[Sticky Notes]]
  
; WindowsSCOPE Pro and Ultimate, available at  http://www.windowsscope.com
+
=== Introduced in Windows 8 ===
: Can capture, analyze, graph in depth physical and virtual memory codes and structures
+
* [[Windows Shadow Volumes | File History]]
: Proprietary and standard formats (windd), snapshot repository, snapshot comparison
+
* [[Windows Storage Spaces | Storage Spaces]]
: All Windows OSs (Xp, Vista, 7), 32 and 64 bit supported
+
* [[Resilient File System (ReFS)]]; server edition will likely be available in Windows Server 2012
: Phantom Probe USB based fetch
+
: CaptureGUARD PCIe card and ExpressCard for hardware-assisted DRAM acquisition
+
: CaptureGUARD Gateway for hardware-assisted DRAM acquisition of locked computers
+
: launched in 2011
+
  
; WindowsSCOPE Live
+
== Forensics ==
: available at http://www.windowsscope.com and Android market
+
: allows live memory analysis of Windows computers from Android phones and tablets
+
: launched in 2011
+
  
; winen.exe (Guidance Software - included with Encase 6.11 and higher)
+
=== Partition layout ===
: included on [http://www.e-fense.com/helix/ Helix 2.0]
+
Default partition layout, first partition starts:
: http://forensiczone.blogspot.com/2008/06/winenexe-ram-imaging-tool-included-in.html
+
* at sector 63 in Windows 2000, XP, 2003
 +
* at sector 2048 in Windows Vista, 2008, 7
  
; [[Mdd]] (Memory DD) ([[ManTech]])
+
=== Filesystems ===
: http://sourceforge.net/projects/mdd
+
* [[FAT]], [[FAT|exFAT]]
 +
* [[NTFS]]
 +
* [[Resilient File System (ReFS) | ReFS]]
  
; MANDIANT Memoryze
+
=== Recycle Bin ===
: Can capture and analyze memory. Supports reading dumps (raw/dd format) from other tools.
+
: http://www.mandiant.com/software/memoryze.htm
+
  
; [[Kntdd]]
+
==== RECYCLER ====
: http://www.gmgsystemsinc.com/knttools/
+
Used by Windows 2000, XP.
 +
Uses INFO2 file.
  
;[[Moonsols]]: [[DumpIt]]
+
See: [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf]
: This utility is used to generate a physical memory dump of Windows machines. It works with both x86 (32-bits) and x64 (64-bits) machines.
+
: The raw memory dump is generated in the current directory, only a confirmation question is prompted before starting.
+
: Perfect to deploy the executable on USB keys, for quick incident responses needs.
+
: http://www.moonsols.com/wp-content/plugins/download-monitor/download.php?id=7
+
  
;[[HBGary]]: Fastdump and Fastdump Pro
+
==== $RECYCLE.BIN ====
:[[Fastdump]] (free with registration) Can acquire physical memory on Windows 2000 through Windows XP 32 bit but not Windows 2003 or Vista.  
+
Used by Windows Vista.
:[[Fastdump Pro]] Can acquire physical memory on Windows 2000 through Windows 2008, all service packs.  Additionally, Fastdump Pro supports:
+
Uses $I and $R files.
:-32 bit and 64 bit architectures
+
:-Acquisitions of greater than 4GB
+
:-Fast acquisitions through the use of larger page sizes (1024KB) but also supports a strict mode that enforces 4KB page sizes.
+
:-Process probing which allows for a more complete memory image of a process of interest.
+
:-Acquisition of the system page file during physical memory acquisition.  This allows for a more complete memory analysis.
+
  
;[[FTK Imager]]: FTK Imager
+
See: [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf]
:http://accessdata.com/support/adownloads#FTKImager
+
:FTK Imager can acquire live memory and paging file on 32bit and 64bit systems.
+
  
===Linux===
+
=== Registry ===
;[[/dev/mem]]
+
: On older Linux systems, the program [[dd]] can be used to read the contents of [[physical memory]] from the device file <tt>/dev/mem</tt>. On recent Linux systems, however, /dev/mem provides access only to a restricted range of addresses, rather than the full physical memory of a system.  On other systems it may not be available at all. Throughout the 2.6 series of the Linux kernel, the trend was to reduce direct access to memory via pseudo-device files.  See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/.
+
;[[/dev/crash]]
+
:On Red Hat systems (and those running related distros such as Fedora or CentOS), the crash driver can be loaded to create pseudo-device /dev/crash for raw physical memory access (via command "modprobe crash"). This module can also be compiled for other Linux distributions with minor effort (see, for example, http://gleeda.blogspot.com/2009/08/devcrash-driver.html). When the crash driver is modified, compiled, and loaded on other systems, the resulting memory access device is not safe to image in its entirety. Care must be taken to avoid addresses that are not RAM-backed. On Linux, /proc/iomem exposes the correct address ranges to image, marked with "System RAM".
+
;[http://secondlookforensics.com Second Look: Linux Memory Forensics]
+
: This commercial memory forensics product ships with a modified version of the crash driver and a script for safely dumping memory using the original or modified driver on any given Linux system.
+
;[http://hysteria.sk/~niekt0/foriana/fmem_current.tgz fmem]
+
: fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or other tool. Works on 2.6 Linux kernels. Under GNU GPL.
+
;[http://code.google.com/p/lime-forensics/ LiME]
+
: Linux Memory Extractor (LiME) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports dumping memory either to the file system of the device or over the network.
+
  
===Mac OS X===
+
The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.
;[http://cci.ucd.ie/goldfish Goldfish]
+
:Goldfish is a [[Mac OS X]] live forensic tool for use only by law enforcement. Its main purpose is to provide an easy to use interface to dump the system RAM of a target machine via a [[Firewire]] connection. It then automatically extracts the current user login password and any open AOL Instant Messenger conversation fragments that may be available. Law Enforcement may contact [http://cci.ucd.ie/goldfish cci.ucd.ie/goldfish] for download information.
+
;[http://cybermarshal.atc-nycorp.com/index.php/cyber-marshal-utilities/mac-memory-reader Mac Memory Reader]
+
:Mac Memory Reader is a simple command-line utility to capture the contents of physical RAM.  Results are stored in a Mach-O binary file.  Mac Memory Reader is available free of charge.  It executes directly on 32- and 64-bit target machines running Mac OS X 10.4 through 10.7 and requires a PowerPC G4 or newer, or any Intel processor.
+
  
===Virtual===
+
=== Thumbs.db Files ===
; Qemu
+
: Qemu allows you to dump the memory of a running image using pmemsave.
+
: e.g. pmemsave 0 0x20000000 /tmp/dumpfile
+
; Xen
+
: Xen allows you to live dump the memory of a guest domain using the dump-core command.
+
: You can list the available machines to find the host machine you care about using xm list and see the configuration.
+
: Dumping is a matter of sudo xm dump-core -L /tmp/dump-core-6 6
+
  
==See Also==
+
[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].
* [[Windows Memory Analysis]]
+
 
* [[Linux Memory Analysis]]
+
See also: [[Vista thumbcache]].
* http://blogs.23.nu/RedTeam/0000/00/antville-5201/
+
 
* http://www.storm.net.nz/projects/16
+
=== Browser Cache ===
* http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf
+
 
 +
=== Browser History ===
 +
 
 +
The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]] but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].
 +
 
 +
=== Search ===
 +
See [[Windows Desktop Search]]
 +
 
 +
=== Setup log files (setupapi.log) ===
 +
Windows Vista introduced several setup log files [http://support.microsoft.com/kb/927521].
 +
 
 +
=== Sleep/Hibernation ===
 +
 
 +
After (at least) Windows 7 recovers from sleep/hibernation there often is a system time change event (event id 1) in the event logs.
 +
 
 +
=== Users ===
 +
Windows stores a users Security identifiers (SIDs) under the following registry key:
 +
<pre>
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
 +
</pre>
 +
 
 +
The %SID%\ProfileImagePath value should also contain the username.
 +
 
 +
=== Windows Error Reporting (WER) ===
 +
 
 +
As of Vista, for User Access Control (UAC) elevated applications WER reports can be found in:
 +
<pre>
 +
C:\ProgramData\Microsoft\Windows\WER\
 +
</pre>
 +
 
 +
As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:
 +
<pre>
 +
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
 +
</pre>
 +
 
 +
Corresponding registry key:
 +
<pre>
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
 +
</pre>
 +
 
 +
== Advanced Format (4KB Sector) Hard Drives ==
 +
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].
 +
 
 +
== %SystemRoot% ==
 +
The actual value of %SystemRoot% is store in the following registry value:
 +
<pre>
 +
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
 +
Value: SystemRoot
 +
</pre>
 +
 
 +
== See Also ==
 +
* [[Windows Event Log (EVT)]]
 +
* [[Windows XML Event Log (EVTX)]]
  
 
== External Links ==
 
== External Links ==
* [http://www.syngress.com/book_catalog/sample_159749156X.PDF  Windows Memory Analysis (Sample Chapter)]
 
  
[[Category:Tools]]
+
* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
 +
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
 +
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
 +
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
 +
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013
 +
 
 +
=== Under the hood ===
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
 +
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
 +
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
 +
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]
 +
 
 +
=== MSI ===
 +
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
 +
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013
 +
 
 +
=== Side-by-side (WinSxS) ===
 +
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
 +
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
 +
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
 +
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
 +
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
 +
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]
 +
 
 +
=== Application Compatibility Database ===
 +
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
 +
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
 +
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
 +
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
 +
* [http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
 +
 
 +
=== System Restore (Restore Points) ===
 +
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
 +
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
 +
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]],  June 16, 2007
 +
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
 +
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]
 +
 
 +
=== Tracking removable media ===
 +
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012
 +
 
 +
=== Crash dumps ===
 +
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
 +
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]
 +
 
 +
=== ReadyBoost ===
 +
* [http://en.wikipedia.org/wiki/ReadyBoost Wikipedia: ReadyBoost]
 +
* [http://windowsir.blogspot.ch/2013/04/plugin-emdmgmt.html Plugin: EMDMgmt], by [[Harlan Carvey]], April 05, 2013
 +
* [http://hackingexposedcomputerforensicsblog.blogspot.ch/2013/08/daily-blog-65-understanding-artifacts.html Understanding the artifacts EMDMgmt], by [[David Cowen]], August 27, 2013
 +
 
 +
=== SuperFetch ===
 +
* [http://en.wikipedia.org/wiki/Windows_Vista_I/O_technologies#SuperFetch Wikipedia: Windows Vista I/O technologies - SuperFetch]
 +
 
 +
=== Windows Firewall ===
 +
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
 +
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]
 +
 
 +
=== Windows 32-bit on Windows 64-bit (WoW64) ===
 +
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]
 +
 
 +
=== Windows XP ===
 +
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]
 +
 
 +
=== Windows 8 ===
 +
* [http://en.wikipedia.org/wiki/Features_new_to_Windows_8 Features new to Windows 8], Wikipedia
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics Windows 8 Forensics - part 1]
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2 Windows 8 Forensics - part 2]
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-3 Windows 8 Forensics - part 3]
 +
* [http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf Windows 8 Forensic Guide], by [[Amanda Thomson|Amanda C. F. Thomson]], 2012
 +
* [http://forensicfocus.com/Forums/viewtopic/t=9604/ Forensic Focus: Windows 8 Forensics - A First Look], [http://www.youtube.com/watch?v=uhCooEz9FQs&feature=youtu.be Presentation], [http://www.forensicfocus.com/downloads/windows-8-forensics-josh-brunty.pdf Slides], by [[Josh Brunty]], August 2012
 +
* [http://dfstream.blogspot.ch/2013/03/windows-8-tracking-opened-photos.html Windows 8: Tracking Opened Photos], by [[Jason Hale]], March 8, 2013
 +
 
 +
[[Category:Operating systems]]

Revision as of 00:39, 3 September 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Windows is a widely-spread operating system from Microsoft.

There are 2 main branches of Windows:

  • the DOS-branch: i.e. Windows 95, 98, ME
  • the NT-branch: i.e. Windows NT 4, XP, Vista

Features

  • Basic and Dynamic Disks, see: [1]

Introduced in Windows NT

Introduced in Windows 2000

Introduced in Windows XP

  • Prefetch
  • System Restore (Restore Points); also present in Windows ME

SP2

  • Windows Firewall

Introduced in Windows 2003 (Server)

  • Volume Shadow Copies

Introduced in Windows Vista

Introduced in Windows 2008 (Server)

Introduced in Windows 7

Introduced in Windows 8

Forensics

Partition layout

Default partition layout, first partition starts:

  • at sector 63 in Windows 2000, XP, 2003
  • at sector 2048 in Windows Vista, 2008, 7

Filesystems

Recycle Bin

RECYCLER

Used by Windows 2000, XP. Uses INFO2 file.

See: [2]

$RECYCLE.BIN

Used by Windows Vista. Uses $I and $R files.

See: [3]

Registry

The Windows Registry is a database of keys and values that provides a wealth of information to forensic investigators.

Thumbs.db Files

Thumbs.db files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the investigator.

See also: Vista thumbcache.

Browser Cache

Browser History

The Web Browser History files can contain significant information. The default web browser that comes with Windows is Microsoft Internet Explorer but other common browsers on Windows are Apple Safari, Google Chrome, Mozilla Firefox and Opera.

Search

See Windows Desktop Search

Setup log files (setupapi.log)

Windows Vista introduced several setup log files [4].

Sleep/Hibernation

After (at least) Windows 7 recovers from sleep/hibernation there often is a system time change event (event id 1) in the event logs.

Users

Windows stores a users Security identifiers (SIDs) under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

The %SID%\ProfileImagePath value should also contain the username.

Windows Error Reporting (WER)

As of Vista, for User Access Control (UAC) elevated applications WER reports can be found in:

C:\ProgramData\Microsoft\Windows\WER\

As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:

C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\

Corresponding registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting

Advanced Format (4KB Sector) Hard Drives

Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see Advanced Format.

%SystemRoot%

The actual value of %SystemRoot% is store in the following registry value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot

See Also

External Links

Under the hood

MSI

Side-by-side (WinSxS)

Application Compatibility Database

System Restore (Restore Points)

Tracking removable media

Crash dumps

ReadyBoost

SuperFetch

Windows Firewall

Windows 32-bit on Windows 64-bit (WoW64)

Windows XP

Windows 8