Difference between pages "Linux Logical Volume Manager (LVM)" and "Windows 7"

From ForensicsWiki
Linux Logical Volume Manager (LVM)

The [[Linux]] Logical Volume Manager is commonly abbreviated to LVM, although LVM is also used for other [http://en.wikipedia.org/wiki/Logical_Volume_Management Logical Volume Management] variants.

Not all forensic tools have support for Linux Logical Volume Manager (LVM) volumes, but most modern Linux distributions do.

== Mounting an LVM from an image ==
If you have an image, mount the LVM read-only on a loopback device (e.g. /dev/loop1) by:
<pre>
sudo losetup -r -o $OFFSET /dev/loop1 image.raw
</pre>

Note that the offset is in bytes.

If you need to write to the image, e.g. for recovery, use [[xmount]] to write the changes to a [[shadow file]] (or cachefile in xmount terminology).
<pre>
sudo xmount --in dd --cache sda.shadow sda.raw image/
</pre>

You can then safely mount the LVM in read-write mode (just omit the -r in the previous losetup command).

To remove this mapping afterwards run:
<pre>
sudo losetup -d /dev/loop1
</pre>

To scan for new physical volumes:
<pre>
lvm pvscan
</pre>

You cannot unmount an active volume group. To detach (or deactivate) the volume group:
<pre>
vgchange -a n $VOLUMEGROUP
</pre>

where $VOLUMEGROUP is the name of the corresponding volume group.

The individual volume devices are now available in:
<pre>
/dev/mapper/$VOLUMEGROUP-$VOLUMENAME
</pre>

== Mounting an LVM from a device ==
To list the Volume Groups (VG) run:
<pre>
pvs
</pre>

To list information about a Volume Group (VG) run:
<pre>
lvdisplay $VOLUMEGROUP
</pre>

The field "LV Name" provides the volume name.

To make the volume group known to the system (vgimport registers a volume group with the system; vgexport is its inverse and would hide it):
<pre>
vgimport $VOLUMEGROUP
</pre>

And activate the volumes in the volume group:
<pre>
vgchange -a y $VOLUMEGROUP
</pre>

The individual volume devices are now available in:
<pre>
/dev/mapper/$VOLUMEGROUP-$VOLUMENAME
</pre>

These can now be analyzed with a tool like [[Sleuthkit]] or loop-back mounted.

To read-only loop-back mount an individual volume:
<pre>
mount -o ro /dev/mapper/$VOLUMEGROUP-$VOLUMENAME filesystem/
</pre>
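An added example (not code from the ForensicsWiki page) that ties the "offset is in bytes" note to a Sleuthkit mmls listing, which reports sectors, and then drives the read-only mount and teardown steps above. The function names, the DRY_RUN switch, the volume group vg0 and the mmls output are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the ForensicsWiki page). The page warns that the
# losetup offset is in bytes while partition tables report sectors; this
# derives the byte offset from Sleuthkit mmls output and then runs the
# page's read-only sequence. All names below are this example's own.

# Constructed mmls listing: /boot, then an LVM physical volume (type 0x8e)
# starting at sector 1050624 of a 512-byte-sector disk.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001050623   0001048576   Linux (0x83)
003:  000:001   0001050624   0041943039   0040892416   Linux Logical Volume Manager (0x8e)'

# Print start sector * sector size for the first 0x8e partition on stdin;
# exit 1 when there is none, so an empty offset never reaches losetup.
lvm_offset_bytes() {
    awk '/^Units are in/ { sub(/-byte.*/, "", $4); unit = $4 + 0 }
         /\(0x8e\)/      { printf "%d\n", $3 * unit; found = 1; exit }
         END             { exit found ? 0 : 1 }'
}

# Execute a command, or only print it when DRY_RUN=1 (review the generated
# commands before running them as root against a real loop device).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# mount_lvm_image IMAGE OFFSET VG LV [LOOPDEV] [MOUNTPOINT]
# losetup -r keeps the image read-only; mount -o ro keeps the volume so.
mount_lvm_image() {
    image=$1 offset=$2 vg=$3 lv=$4 loopdev=${5:-/dev/loop1} mnt=${6:-filesystem/}
    run sudo losetup -r -o "$offset" "$loopdev" "$image" || return 1
    run sudo lvm pvscan
    run sudo vgchange -a y "$vg"
    run sudo mount -o ro "/dev/mapper/$vg-$lv" "$mnt"
}

# Tear down in reverse: the loop device cannot be detached while the volume
# group is still active (the page's "vgchange -a n" step).
umount_lvm_image() {
    vg=$1 loopdev=${2:-/dev/loop1} mnt=${3:-filesystem/}
    run sudo umount "$mnt"
    run sudo vgchange -a n "$vg"
    run sudo losetup -d "$loopdev"
}
```

On a real image run `mmls image.raw | lvm_offset_bytes` to get the offset, and set DRY_RUN=1 first to inspect the commands before they touch a loop device.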

== Also see ==
* [[:Category:File Systems|File Systems]]

== External Links ==
* [http://en.wikipedia.org/wiki/Logical_Volume_Manager_%28Linux%29 Wikipedia article on Logical Volume Manager]
* [http://www.datadisk.co.uk/html_docs/redhat/rh_lvm.htm RedHat - LVM cheatsheet]

[[Category:Volume Systems]]

Windows 7

Revision as of 19:39, 12 September 2013


File Structure

File systems are covered separately.

SSD

Per MS KB2727880 (http://support.microsoft.com/kb/2727880), when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, this TechNet post (http://technet.microsoft.com/en-us/magazine/ff356869.aspx) states: "Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive."



Jump Lists

Jump Lists are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

Registry

The Windows Registry remains a central component of the Windows 7 operating system.

Known Registry keys of forensic interest

SAM Registry

  • SAM\SAM\Domains\Account\Users
  • SAM\Domains\Builtin\Aliases


Security Registry

  • Security\Policy\PolAcDmS
  • Security\Policy\PolPrDmS
  • Security\Policy\PolAdtEv
  • Security\Policy\Secrets

NTUSER Registry

  • NTUSER\Control Panel\Desktop
  • NTUSER\Control Panel\don\
  • NTUSER\Environment
  • NTUSER\Network
  • NTUSER\Printers\Settings\Wizard\ConnectMRU
  • NTUSER\Software\Adobe\Acrobat Reader
  • NTUSER\Software\Ahead
  • NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
  • NTUSER\Software\Ares
  • NTUSER\Software\bindshell.net\Odysseus
  • NTUSER\Software\Blizzard Entertainment\Warcraft III\String
  • NTUSER\Software\Cain\Settings
  • NTUSER\Software\DECAFme
  • NTUSER\Software\Google\Google Toolbar\4.0\whitelist
  • NTUSER\Software\Google\NavClient\1.1\History
  • NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
  • NTUSER\Software\JavaSoft\Prefs\haven
  • NTUSER\Software\Microsoft
  • NTUSER\Software\Microsoft\Command Processor
  • NTUSER\Software\Microsoft\Dependency Walker\Recent File List
  • NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
  • NTUSER\Software\Microsoft\Internet Explorer\Main
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • NTUSER\Software\Microsoft\Internet Account Manager\Accounts
  • NTUSER\Software\Microsoft\Internet Explorer\Settings
  • NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
  • NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
  • NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
  • NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
  • NTUSER\Software\Microsoft\Multimedia\Other
  • NTUSER\Software\Microsoft\CTF\LangBarAddIn
  • NTUSER\Software\Microsoft\Office
  • NTUSER\Software\Microsoft\Office\14.0
  • NTUSER\Software\Microsoft\PIMSRV
  • NTUSER\Software\Microsoft\Search Assistant\ACMru
  • NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
  • NTUSER\Software\Microsoft\Terminal Server Client\Default
  • NTUSER\Software\Microsoft\Terminal Server Client\Servers
  • NTUSER\Software\Microsoft\User Location Service\Client
  • NTUSER\Software\Microsoft\Windows Live Contacts\Database
  • NTUSER\Software\Microsoft\Windows Live Mail
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
  • NTUSER\Software\Microsoft\Windows\CurrentVersion
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • NTUSER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
  • NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
  • NTUSER\Software\Nico Mak Computing\WinZip
  • NTUSER\Software\ORL\VNCHooks\Application_Prefs
  • NTUSER\Software\ORL\VNCviewer\MRU
  • NTUSER\Software\Piriform\CCleaner
  • NTUSER\Software\Privoxy
  • NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
  • NTUSER\Software\RealVNC\VNCViewer4\MRU
  • NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
  • NTUSER\Software\Skype
  • NTUSER\Software\SmartLine Vision\aports
  • NTUSER\Software\SysInternals
  • NTUSER\Software\Sysinternals\RootkitRevealer
  • NTUSER\Software\VMware
  • NTUSER\Software\WinRAR\ArcHistory