Difference between revisions of "Windows 7"

From ForensicsWiki
Line 19: Line 19:
 
The [[Windows_Registry]] remains a central component of the Windows 7 operating system.
 
The [[Windows_Registry]] remains a central component of the Windows 7 operating system.
  
'''Known keys of forensic interest'''
+
==
 +
'''Known keys of forensic interest''' ==
 +
 
 +
'''SAM Registry'''
 +
SAM SAM\\Domains\\Account\\Users
 +
SAM SAM\\Domains\\Account\\UsersSAM\\Domains\\Builtin\\Aliases
 +
 
 +
'''Security Registry'''
 +
Security Policy\\PolAcDmSPolicy\\PolPrDmS
 +
Security Policy\\PolAdtEv
 +
Security Policy\\Secrets
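
Review bot: the heading markup in the added lines is split, with `==` on one line and `'''Known keys of forensic interest''' ==` on a later one, so it shows up as literal text instead of a section heading; put the opening and closing `==` on a single line and drop the bold markup. The key entries also run separate paths together (`SAM\\Domains\\Account\\UsersSAM\\Domains\\Builtin\\Aliases`, `Policy\\PolAcDmSPolicy\\PolPrDmS`) and use doubled backslashes. Give each key its own entry with single backslashes, and make each entry a list item or table row, because consecutive plain lines collapse into one paragraph, as the rendered revision below shows.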

Revision as of 12:15, 12 September 2013


File Structure

File systems are covered separately.

SSD

Per MS KB2727880, when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, this TechNet post states: "Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive."



Jump Lists

Jump Lists are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

Registry

The Windows Registry remains a central component of the Windows 7 operating system.

Known keys of forensic interest

SAM Registry

SAM: SAM\Domains\Account\Users
SAM: SAM\Domains\Account\Users, SAM\Domains\Builtin\Aliases

Security Registry

Security: Policy\PolAcDmS, Policy\PolPrDmS
Security: Policy\PolAdtEv
Security: Policy\Secrets