Difference between pages "Linux Logical Volume Manager (LVM)" and "Windows 7"

From ForensicsWiki

= Linux Logical Volume Manager (LVM) =

{{expand}}

The [[Linux]] Logical Volume Manager is commonly abbreviated to LVM, although the abbreviation is also used for other [http://en.wikipedia.org/wiki/Logical_Volume_Management Logical Volume Management] variants.

Not all forensic tools have support for Linux Logical Volume Manager (LVM) volumes, but most modern Linux distributions do.

== Mounting an LVM from an image ==
If you have an image, mount the LVM partition read-only on a loopback device (e.g. /dev/loop1) by:
<pre>
sudo losetup -r -o $OFFSET /dev/loop1 image.raw
</pre>

Note that the offset is in bytes.

If you need to write to the image, e.g. for recovery, use [[xmount]] to write the changes to a [[shadow file]] (or cachefile in xmount terminology).
<pre>
sudo xmount --in dd --cache sda.shadow sda.raw image/
</pre>

You can then safely mount the LVM in read-write mode (just omit the -r in the previous losetup command).

To remove this mapping afterwards run:
<pre>
sudo losetup -d /dev/loop1
</pre>

To scan for new physical volumes:
<pre>
lvm pvscan
</pre>

You cannot unmount an active volume group. To detach (or deactivate) the volume group:
<pre>
vgchange -a n $VOLUMEGROUP
</pre>

Where $VOLUMEGROUP is the name of the corresponding volume group.

The individual volume devices are now available in:
<pre>
/dev/mapper/$VOLUMEGROUP-$VOLUMENAME
</pre>

== Mounting an LVM from a device ==
To list the Physical Volumes (PV) and the Volume Group (VG) each belongs to, run:
<pre>
pvs
</pre>

To list the Logical Volumes (LV) in a Volume Group (VG) run:
<pre>
lvdisplay $VOLUMEGROUP
</pre>

The field "LV Name" provides the volume name.

To make the volume group known to the system (only needed if the group was previously exported; vgexport would do the opposite and hide it):
<pre>
vgimport $VOLUMEGROUP
</pre>

And activate the volumes in the volume group:
<pre>
vgchange -a y $VOLUMEGROUP
</pre>

The individual volume devices are now available in:
<pre>
/dev/mapper/$VOLUMEGROUP-$VOLUMENAME
</pre>

These can now be analyzed with a tool such as the [[Sleuthkit]], or loop-back mounted.

To read-only loop-back mount an individual volume:
<pre>
mount -o ro /dev/mapper/$VOLUMEGROUP-$VOLUMENAME filesystem/
</pre>
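The two procedures above (loop-attaching an image, then scanning, activating and read-only mounting the volumes) collected into one small shell helper. This is example code added for this page, not the wiki's own; the image name, sector offset, loop device, volume group name and logical volume name are assumptions. It also handles a detail the /dev/mapper path above glosses over: device-mapper doubles every hyphen in a VG or LV name, so a VG named vg-sys with an LV named root appears as /dev/mapper/vg--sys-root (the /dev/vg-sys/root symlink is the unescaped alternative).

```shell
#!/bin/sh
# Added example (not from the ForensicsWiki page): POSIX sh helpers for
# bringing LVM volumes from a disk image or an attached device online
# read-only, following the losetup / pvscan / vgchange / mount steps above.
# Loop device, mount point and all VG/LV/image names below are assumptions.

# Convert a partition start given in sectors (as printed by mmls or fdisk)
# into the byte offset that losetup -o expects. Sector size defaults to 512.
sector_to_bytes() {
    sectors=$1
    sector_size=${2:-512}
    echo $((sectors * sector_size))
}

# Escape a VG or LV name the way device-mapper does: each '-' becomes '--'.
dm_escape() {
    printf '%s' "$1" | sed 's/-/--/g'
}

# Path of the device-mapper node for logical volume $2 in volume group $1.
mapper_path() {
    echo "/dev/mapper/$(dm_escape "$1")-$(dm_escape "$2")"
}

# Attach an image read-only on a loop device at the given byte offset and
# print the loop device path.
attach_image_ro() {
    image=$1
    offset=$2
    loopdev=${3:-/dev/loop1}
    sudo losetup -r -o "$offset" "$loopdev" "$image" || return 1
    echo "$loopdev"
}

# Scan for physical volumes and activate the VG's logical volumes.
# Works the same for a loop device and for a physically attached disk.
activate_vg() {
    vg=$1
    sudo pvscan >/dev/null || return 1
    sudo vgchange -a y "$vg"
}

# Print the LV names in a VG, one per line, with leading whitespace removed.
list_lvs() {
    sudo lvs --noheadings -o lv_name "$1" | sed 's/^[[:space:]]*//'
}

# Mount one LV read-only; noexec,nodev keep evidence files from being
# executed or used as device nodes on the examination system.
mount_lv_ro() {
    vg=$1; lv=$2; mnt=$3
    mkdir -p "$mnt"
    sudo mount -o ro,noexec,nodev "$(mapper_path "$vg" "$lv")" "$mnt"
}

# Reverse the steps in order: unmount, deactivate the VG, release the loop device.
teardown() {
    vg=$1; loopdev=$2; mnt=$3
    sudo umount "$mnt" 2>/dev/null
    sudo vgchange -a n "$vg"
    if [ -n "$loopdev" ]; then
        sudo losetup -d "$loopdev"
    fi
}

# Usage with the assumed names (image.raw, LVM partition starting at sector
# 2048, VG "vg_evidence", LV "lv_root"):
#   loop=$(attach_image_ro image.raw "$(sector_to_bytes 2048)")
#   activate_vg vg_evidence
#   list_lvs vg_evidence
#   mount_lv_ro vg_evidence lv_root /mnt/evidence/root
#   teardown vg_evidence "$loop" /mnt/evidence/root
```

One caveat worth checking before `activate_vg`: if the image's volume group has the same name as one on the examination workstation (distribution installers reuse names), `vgchange` by name becomes ambiguous; `vgs -o vg_name,vg_uuid` shows both, and the lvm2 tool `vgimportclone` can rename the imported one without touching the evidence.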
== Also see ==
* [[:Category:File Systems|File Systems]]

== External Links ==
* [http://en.wikipedia.org/wiki/Logical_Volume_Manager_%28Linux%29 Wikipedia article on Logical Volume Manager]
* [http://www.datadisk.co.uk/html_docs/redhat/rh_lvm.htm RedHat - LVM cheatsheet]

[[Category:Volume Systems]]

Windows 7

Revision as of 14:39, 12 September 2013

File Structure

File systems are covered separately.

SSD

Per MS KB2727880 (http://support.microsoft.com/kb/2727880), when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, this TechNet post (http://technet.microsoft.com/en-us/magazine/ff356869.aspx) states: "Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive."

Jump Lists

Jump Lists are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

Registry

The Windows Registry remains a central component of the Windows 7 operating system.

Known Registry keys of forensic interest

SAM Registry

  • SAM\SAM\Domains\Account\Users
  • SAM\Domains\Builtin\Aliases

Security Registry

  • Security\Policy\PolAcDmS
  • Security\Policy\PolPrDmS
  • Security\Policy\PolAdtEv
  • Security\Policy\Secrets

NTUSER Registry

  • NTUSER\Control Panel\Desktop
  • NTUSER\Control Panel\don\
  • NTUSER\Environment
  • NTUSER\Network
  • NTUSER\Printers\Settings\Wizard\ConnectMRU
  • NTUSER\Software\Adobe\Acrobat Reader
  • NTUSER\Software\Ahead
  • NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
  • NTUSER\Software\Ares
  • NTUSER\Software\bindshell.net\Odysseus
  • NTUSER\Software\Blizzard Entertainment\Warcraft III\String
  • NTUSER\Software\Cain\Settings
  • NTUSER\Software\DECAFme
  • NTUSER\Software\Google\Google Toolbar\4.0\whitelist
  • NTUSER\Software\Google\NavClient\1.1\History
  • NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
  • NTUSER\Software\JavaSoft\Prefs\haven
  • NTUSER\Software\Microsoft
  • NTUSER\Software\Microsoft\Command Processor
  • NTUSER\Software\Microsoft\Dependency Walker\Recent File List
  • NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
  • NTUSER\Software\Microsoft\Internet Explorer\Main
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • NTUSER\Software\Microsoft\Internet Account Manager\Accounts
  • NTUSER\Software\Microsoft\Internet Explorer\Settings
  • NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
  • NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
  • NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
  • NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
  • NTUSER\Software\Microsoft\Multimedia\Other
  • NTUSER\Software\Microsoft\CTF\LangBarAddIn
  • NTUSER\Software\Microsoft\Office\14.0
  • NTUSER\Software\Microsoft\Office
  • NTUSER\Software\Microsoft\PIMSRV
  • NTUSER\Software\Microsoft\Search Assistant\ACMru
  • NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
  • NTUSER\Software\Microsoft\Terminal Server Client\Default
  • NTUSER\Software\Microsoft\Terminal Server Client\Servers
  • NTUSER\Software\Microsoft\User Location Service\Client
  • NTUSER\Software\Microsoft\Windows Live Contacts\Database
  • NTUSER\Software\Microsoft\Windows Live Mail
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
  • NTUSER\Software\Microsoft\Windows\CurrentVersion
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • NTUSER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
  • NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
  • NTUSER\Software\Nico Mak Computing\WinZip
  • NTUSER\Software\ORL\VNCHooks\Application_Prefs
  • NTUSER\Software\ORL\VNCviewer\MRU
  • NTUSER\Software\Piriform\CCleaner
  • NTUSER\Software\Privoxy
  • NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
  • NTUSER\Software\RealVNC\VNCViewer4\MRU
  • NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
  • NTUSER\Software\Skype
  • NTUSER\Software\SmartLine Vision\aports
  • NTUSER\Software\SysInternals
  • NTUSER\Software\Sysinternals\RootkitRevealer
  • NTUSER\Software\VMware
  • NTUSER\Software\WinRAR\ArcHistory