Difference between pages "Windows 7" and "Opera"

From ForensicsWiki
 
 
Line 1: Line 1:
 +
{{expand}}
  
 +
== Data directory ==
 +
Opera stores the user data in the following locations:
  
== File Structure ==
+
On Linux:
File systems are covered separately.
+
<pre>
 +
/home/$USER/.opera/
 +
</pre>
  
== SSD ==
+
On MacOS-X
Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.
+
<pre>
 +
/Users/$USER/Library/Opera/
 +
</pre>
  
Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:
+
On Windows XP
<i>Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.</i>
+
<pre>
 +
C:\Documents and Settings\%USERNAME%\Application Data\Opera\Opera\
 +
</pre>
  
+
On Windows Vista, 7
 +
<pre>
 +
C:\Users\%USERNAME%\AppData\Roaming\Opera\Opera\
 +
</pre>
  
 +
=== Global history ===
 +
The file '''global_history.dat''' is a text file.
  
== Jump Lists ==
+
<pre>
[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).
+
Welcome to Opera
 +
http://www.opera.com/portal/upgrade/
 +
1319089117
 +
-1
 +
</pre>
  
== Registry ==
+
Where the fields are:
The [[Windows_Registry|Windows Registry]] remains a central component of the Windows 7 operating system.
+
* Title
 +
* URL
 +
* date and time (32-bit POSIX or Unix epoch timestamp)
  
=== Known Registry keys of forensic interest ===
+
=== Search field history ===
 +
The file '''search_field_history.dat''' is an XML file that contains the history of queries typed in the search bar by the user.
  
====SAM Registry====
+
=== Typed history ===
*SAM\SAM\Domains\Account\Users
+
The file '''typed_history.xml''' contains the history of the URLs typed in the address bar by the user.
*SAM\SAM\Domains\Builtin\Aliases
+
  
 +
== Cache ==
 +
On Linux
 +
<pre>
 +
/home/$USER/.opera/cache/
 +
</pre>
  
====Security Registry====
+
On MacOS-X
 +
<pre>
 +
/Users/$USER/Library/Caches/Opera/cache/
 +
</pre>
  
*Security\Policy\PolAcDmSPolicy\PolPrDmS
+
On Windows XP
*Security\Policy\PolAdtEv
+
<pre>
*Security\Policy\Secrets
+
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Opera\Opera\cache\
 +
</pre>
  
====NTUSER Registry====
+
On Windows Vista, 7
*NTUSER\Control Panel\Desktop
+
<pre>
*NTUSER\Control Panel\don\
+
C:\Users\%USERNAME%\AppData\Local\Opera\Opera\cache\
*NTUSER\Environment
+
</pre>
*NTUSER\Network
+
*NTUSER\Printers\Settings\Wizard\ConnectMRU
+
*NTUSER\Software\Adobe\Acrobat Reader\Software\Adobe\Acrobat Reader\
+
*NTUSER\Software\Ahead
+
*NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
+
*NTUSER\Software\Ares
+
*NTUSER\Software\bindshell.net\Odysseus
+
*NTUSER\Software\Blizzard Entertainment\Warcraft III\String
+
*NTUSER\Software\Cain\Settings
+
*NTUSER\Software\DECAFme
+
*NTUSER\Software\Google\Google Toolbar\4.0\whitelist
+
*NTUSER\Software\Google\NavClient\1.1\History
+
*NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
+
*NTUSER\Software\JavaSoft\Prefs\haven
+
*NTUSER\Software\Microsoft
+
*NTUSER\Software\Microsoft\Command Processor
+
*NTUSER\Software\Microsoft\Dependency Walker\Recent File List
+
*NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
+
*NTUSER\Software\Microsoft\Internet Explorer\Main
+
*NTUSER\Software\Microsoft\Internet Explorer\MainSoftware\Microsoft\Windows\CurrentVersion\Explorer\AutoCompleteSoftware\Microsoft\Internet Account Manager\Accounts
+
*NTUSER\Software\Microsoft\Internet Explorer\Settings
+
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
+
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
+
*NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
+
*NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
+
*NTUSER\Software\Microsoft\Multimedia\OtherSoftware\Microsoft\CTF\LangBarAddIn
+
*NTUSER\Software\Microsoft\Office\14.0Software\Microsoft\Office\14.0
+
*NTUSER\Software\Microsoft\Office\Software\Microsoft\Office\
+
*NTUSER\Software\Microsoft\OfficeSoftware\Microsoft\Office\
+
*NTUSER\Software\Microsoft\PIMSRV
+
*NTUSER\Software\Microsoft\Search Assistant\ACMru
+
*NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
+
*NTUSER\Software\Microsoft\Terminal Server Client\DefaultSoftware\Microsoft\Terminal Server Client\Servers
+
*NTUSER\Software\Microsoft\Terminal Server Client\Servers
+
*NTUSER\Software\Microsoft\User Location Service\Client
+
*NTUSER\Software\Microsoft\Windows Live Contacts\Database
+
*NTUSER\Software\Microsoft\Windows Live Mail
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet SettingsSoftware\Microsoft\Internet Explorer\Main\WindowsSearch
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
+
*NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
+
*NTUSER\Software\Nico Mak Computing\WinZip
+
*NTUSER\Software\ORL\VNCHooks\Application_Prefs
+
*NTUSER\Software\ORL\VNCviewer\MRUSoftware\RealVNC\VNCViewer4\MRU
+
*NTUSER\Software\Piriform\CCleaner
+
*NTUSER\Software\Privoxy
+
*NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
+
*NTUSER\Software\RealVNC\VNCViewer4\MRU
+
*NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
+
*NTUSER\Software\Skype
+
*NTUSER\Software\SmartLine Vision\aports
+
*NTUSER\Software\SysInternals
+
*NTUSER\Software\Sysinternals\RootkitRevealer
+
*NTUSER\Software\VMware
+
*NTUSER\Software\WinRAR\ArcHistory
+
  
== See Also =  
+
== External Links ==
* [[Windows]]
+
  
[[Category:Operating systems]]
+
* [http://www.opera.com/ Official website]
 +
* [http://www.opera.com/docs/operafiles/ Opera: Files used by Opera]
 +
 
 +
[[Category:Applications]]
 +
[[Category:Web Browsers]]
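Review bot: in the added "Global history" section, the sample record inside the <pre> block is four lines long (title, URL, 1319089117, -1), but the "Where the fields are:" list names only three fields: Title, URL, and date and time. The trailing -1 is left undocumented. Add a fourth bullet for it, or state that its meaning is not known, so that a reader parsing global_history.dat knows a record spans four lines rather than three.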

Latest revision as of 04:43, 22 September 2013

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Data directory

Opera stores the user data in the following locations:

On Linux:

/home/$USER/.opera/

On Mac OS X

/Users/$USER/Library/Opera/

On Windows XP

C:\Documents and Settings\%USERNAME%\Application Data\Opera\Opera\

On Windows Vista, 7

C:\Users\%USERNAME%\AppData\Roaming\Opera\Opera\

Global history

The file global_history.dat is a text file.

Welcome to Opera
http://www.opera.com/portal/upgrade/
1319089117
-1

Where the fields are:

  • Title
  • URL
  • date and time (32-bit POSIX or Unix epoch timestamp)
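
A parser for the record layout shown above, as an added example (not code from ForensicsWiki or Opera). It assumes each record is exactly four lines, as in the sample, and keeps the fourth line verbatim because the page does not describe it; `SAMPLE`, `parse_global_history` and the `extra` key are hypothetical names.

```python
from datetime import datetime, timezone

RECORD_LINES = 4  # assumption: title, URL, timestamp + one field the page does not describe

# Constructed sample: first record is the one shown on the page, the rest are made up.
SAMPLE = (
    "Welcome to Opera\nhttp://www.opera.com/portal/upgrade/\n1319089117\n-1\n"
    "Example page\nhttp://example.com/\nnot-a-number\n-1\n"
    "Cut off\nhttp://example.com/cut\n"
)


def parse_global_history(text):
    """Return (records, problems) for the text content of global_history.dat."""
    lines = text.splitlines()
    records, problems = [], []
    for start in range(0, len(lines), RECORD_LINES):
        chunk = lines[start:start + RECORD_LINES]
        if len(chunk) < RECORD_LINES:
            # File ended mid-record (carved or partially written file).
            problems.append((start + 1, "truncated record"))
            break
        title, url, raw_ts, extra = chunk
        try:
            ts = int(raw_ts)
            if not 0 <= ts <= 0xFFFFFFFF:  # must fit the 32-bit epoch field
                raise ValueError(raw_ts)
            visited = datetime.fromtimestamp(ts, tz=timezone.utc)
        except (ValueError, OverflowError, OSError):
            problems.append((start + 3, "bad timestamp %r" % raw_ts))
            continue
        records.append({
            "title": title,
            "url": url,
            "visited_utc": visited.isoformat(),
            "extra": extra,  # kept verbatim; meaning not given on the page
        })
    return records, problems


if __name__ == "__main__":
    recs, probs = parse_global_history(SAMPLE)
    for r in recs:
        print(r["visited_utc"], r["url"], r["title"])
    for line_no, why in probs:
        print("line %d: %s" % (line_no, why))
```

Timestamps are reported in UTC; problems are returned with the 1-based line number where they occur, so a damaged record can be examined by hand instead of being silently dropped.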

Search field history

The file search_field_history.dat is an XML file that contains the history of queries typed in the search bar by the user.

Typed history

The file typed_history.xml contains the history of the URLs typed in the address bar by the user.

Cache

On Linux

/home/$USER/.opera/cache/

On Mac OS X

/Users/$USER/Library/Caches/Opera/cache/

On Windows XP

C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Opera\Opera\cache\

On Windows Vista, 7

C:\Users\%USERNAME%\AppData\Local\Opera\Opera\cache\

External Links