Difference between pages "File Carving Bibliography" and "Windows 7"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m
 
 
Line 1: Line 1:
'''In chronological order, oldest to most recent'''
 
===Basic Techniques===
 
  
[http://handle.dtic.mil/100.2/ADA432468 An analysis of disc carving techniques], Mikus, Nicholas A. " Master's Thesis, Naval Postgraduate School. March 2005.
 
  
[http://www.dfrws.org/2005/proceedings/richard_scalpel.pdf Scalpel: A Frugal, High Performance File Carver], Golden G. Richard and Vassil Roussev, DFRWS 2005
+
== File Structure ==
 +
File systems are covered separately.
  
[http://www.dfrws.org/2007/proceedings/p73-marziale.pdf Massive threading: Using GPUs to increase the performance of digital forensics tools], Lodovico Marziale, Golden G. Richard III*, Vassil Roussev, DFRWS 2007.
+
== SSD ==
 +
Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.
  
===Fragment Recovery Carving===
+
Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:
 +
<i>Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.</i>
  
<bibtex>
+
@INPROCEEDINGS{Shanmugasundaram02automaticreassembly,
+
    author = {Kulesh Shanmugasundaram},
+
    title = {Automatic Reassembly of Document Fragments via Data Compression},
+
    booktitle = {Presented at the 2nd Digital Forensics Research Workshop},
+
    year = {2002},
+
    pages = {152--159}
+
}
+
</bibtex>
+
  
[http://isis.poly.edu/kulesh/research/pubs/icassp-2003.pdf Automated Reassembly of Fragmented Images], Anandabrata Pal, Kulesh Shanmugasundaram, Nasir Memon, Proceedings of the IEEE International Conference on Acoustics, Speech, and Signal Processing, 2003.
 
  
[http://www.simson.net/clips/academic/2007.DFRWS.pdf "Carving Contiguous and Fragmented Files with Fast Object Validation"], Garfinkel, S.,, Digital Forensics Workshop (DFRWS 2007), Pittsburgh, PA, August 2007.
+
== Jump Lists ==
 +
[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).
  
[http://www.cs.uno.edu/~golden/Stuff/ifip2007-final.pdf In-Place File Carving], Golden G. Richard III, Vassil Roussev, and Lodovico Marziale, IFIP WG 11.9, Advances in Digital Forensics, 2007
+
== Registry ==
 +
The [[Windows_Registry]] remains a central component of the Windows 7 operating system.
  
[http://www.dfrws.org/2008/proceedings/p2-pal.pdf Detecting File Fragmentation Point Using Sequential Hypothesis Testing]. Anandabrata Pal, Husrev Sencar, Nasir Memon, DFRWS, 2007. [http://www.dfrws.org/2008/proceedings/p2-pal_pres.pdf [slides]]
+
== Known keys of forensic interest ==
  
===Sector Discrimination===
+
'''SAM Registry'''
  
<bibtex>
+
SAM SAM\\Domains\\Account\\Users
@article{
+
  journal="Journal of Digital Forensic Practice", 
+
  publisher="Taylor & Francis",
+
  author="Yoginder Singh Dandass and Nathan Joseph Necaise and Sherry Reede Thomas",
+
  title="An Empirical Analysis of Disk Sector Hashes for Data Carving",
+
  year=2008,
+
  volume=2,
+
  issue=2,
+
  pages="95--106",
+
  abstract="Discovering known illicit material on digital storage devices is an important component of a digital forensic investigation. Using existing data carving techniques and tools, it is typically difficult to recover remaining fragments of deleted illicit files whose file system metadata and file headers have been overwritten by newer files. In such cases, a sector-based scan can be used to locate those sectors whose content matches those of sectors from known illicit files. However, brute-force sector-by-sector comparison is prohibitive in terms of time required. Techniques that compute and compare hash-based signatures of sectors in order to filter out those sectors that do not produce the same signatures as sectors from known illicit files are required for accelerating the process.
+
  
This article reports the results of a case study in which the hashes for over 528 million sectors extracted from over 433,000 files of different types were analyzed. The hashes were computed using SHA1, MD5, CRC64, and CRC32 algorithms and hash collisions of sectors from JPEG and WAV files to other sectors were recorded. The analysis of the results shows that although MD5 and SHA1 produce no false-positive indications, the occurrence of false positives is relatively low for CRC32 and especially CRC64. Furthermore, the CRC-based algorithms produce considerably smaller hashes than SHA1 and MD5, thereby requiring smaller storage capacities. CRC64 provides a good compromise between number of collisions and storage capacity required for practical implementations of sector-scanning forensic tools.",
+
SAM SAM\\Domains\\Account\\UsersSAM\\Domains\\Builtin\\Aliases
  url="http://www.informaworld.com/10.1080/15567280802050436"
+
}
+
</bibtex>
+
  
[[Category:Bibliographies]]
+
 
[[Category:Carving]]
+
'''Security Registry'''
==See also==
+
 
[[Carving]]
+
Security Policy\\PolAcDmSPolicy\\PolPrDmS
 +
 
 +
Security Policy\\PolAdtEv
 +
 
 +
Security Policy\\Secrets

Revision as of 13:16, 12 September 2013


File Structure

File systems are covered separately.

SSD

Per MS KB2727880, when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, this TechNet post states: Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.



Jump Lists

Jump Lists are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

Registry

The Windows_Registry remains a central component of the Windows 7 operating system.

Known keys of forensic interest

SAM Registry

SAM SAM\\Domains\\Account\\Users

SAM SAM\\Domains\\Account\\UsersSAM\\Domains\\Builtin\\Aliases


Security Registry

Security Policy\\PolAcDmSPolicy\\PolPrDmS

Security Policy\\PolAdtEv

Security Policy\\Secrets