Difference between pages "Windows" and "Internet Explorer"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Application Experience and Compatibility)
 
 
Line 1: Line 1:
 
{{Expand}}
 
{{Expand}}
  
'''Windows''' is a widely-spread [[operating system]] from [[Microsoft]].
+
Microsoft Internet Explorer (MSIE) is the default [[Web Browser]] included with [[Microsoft Windows]].
  
There are 2 main branches of Windows:
+
== MSIE 4 to 9 ==
* the DOS-branch: i.e. Windows 95, 98, ME
+
MSIE 4 to 9 uses the [[Internet Explorer History File Format]] (or MSIE 4-9 Cache File format). The Cache Files commonly named index.dat are used to store both cache and historical information.
* the NT-branch: i.e. Windows NT 4, XP, Vista
+
  
== Features ==
+
== MSIE 10 ==
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]
+
 
+
=== Introduced in Windows NT ===
+
* [[NTFS]]
+
 
+
=== Introduced in Windows 2000 ===
+
 
+
=== Introduced in Windows XP ===
+
* [[Prefetch]]
+
* System Restore (Restore Points); also present in Windows ME
+
 
+
==== SP2 ====
+
* Windows Firewall
+
 
+
=== Introduced in Windows Server 2003 ===
+
* Volume Shadow Copies
+
 
+
=== Introduced in [[Windows Vista]] ===
+
* [[BitLocker Disk Encryption | BitLocker]]
+
* [[Windows Desktop Search | Search]] integrated in operating system
+
* [[ReadyBoost]]
+
* [[SuperFetch]]
+
* [[NTFS|Transactional NTFS (TxF)]]
+
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
+
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
+
* $Recycle.Bin
+
* [[Windows XML Event Log (EVTX)]]
+
* [[User Account Control (UAC)]]
+
 
+
=== Introduced in Windows Server 2008 ===
+
 
+
=== Introduced in [[Windows 7]] ===
+
* [[BitLocker Disk Encryption | BitLocker To Go]]
+
* [[Jump Lists]]
+
* [[Sticky Notes]]
+
 
+
=== Introduced in [[Windows 8]] ===
+
* [[Windows File History | File History]]
+
* [[Windows Storage Spaces | Storage Spaces]]
+
* [[Search Charm History]]
+
* [[Resilient File System (ReFS)]]; Was initially available in the Windows 8 server edition.
+
 
+
=== Introduced in Windows Server 2012 ===
+
* [[Resilient File System (ReFS)]]
+
 
+
== Forensics ==
+
 
+
=== Partition layout ===
+
Default partition layout, first partition starts:
+
* at sector 63 in Windows 2000, XP, 2003
+
* at sector 2048 in Windows Vista, 2008, 7
+
 
+
=== Filesystems ===
+
* [[FAT]], [[FAT|exFAT]]
+
* [[NTFS]]
+
* [[Resilient File System (ReFS) | ReFS]]
+
 
+
=== Recycle Bin ===
+
 
+
==== RECYCLER ====
+
Used by Windows 2000, XP.
+
Uses INFO2 file.
+
 
+
See: [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf]
+
 
+
==== $RECYCLE.BIN ====
+
Used by Windows Vista.
+
Uses $I and $R files.
+
 
+
See: [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf]
+
 
+
=== Registry ===
+
 
+
The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.
+
 
+
=== Thumbs.db Files ===
+
 
+
[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].
+
 
+
See also: [[Vista thumbcache]].
+
 
+
=== Browser Cache ===
+
 
+
=== Browser History ===
+
 
+
The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]] but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].
+
 
+
=== Search ===
+
See [[Windows Desktop Search]]
+
 
+
=== Setup log files (setupapi.log) ===
+
Windows Vista introduced several setup log files [http://support.microsoft.com/kb/927521].
+
 
+
=== Sleep/Hibernation ===
+
 
+
After (at least) Windows 7 recovers from sleep/hibernation there often is a system time change event (event id 1) in the event logs.
+
 
+
=== Users ===
+
Windows stores a users Security identifiers (SIDs) under the following registry key:
+
 
<pre>
 
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
+
C:\Users\%USER%\AppData\Local\Microsoft\Windows\WebCache\
 
</pre>
 
</pre>
  
The %SID%\ProfileImagePath value should also contain the username.
+
The WebCacheV01.dat and WebCacheV24.dat files are in the [[Extensible Storage Engine (ESE) Database File (EDB) format]]
  
=== Windows Error Reporting (WER) ===
+
== Configuration ==
 +
Internet Explorer will apply its setting in the following order, where the lower the order overrides settings in the higer order.
 +
# Settings in Machine policy key
 +
# Settings in User policy key
 +
# Settings in User preference key
 +
# Settings in Machine preference key
  
As of Vista, for User Access Control (UAC) elevated applications WER reports can be found in:
+
Machine policy key
 
<pre>
 
<pre>
C:\ProgramData\Microsoft\Windows\WER\
+
HKET_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
 
</pre>
 
</pre>
  
As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:
+
Machine preference key
 
<pre>
 
<pre>
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
+
HKET_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
 
</pre>
 
</pre>
  
Corresponding registry key:
+
User policy key
 
<pre>
 
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
+
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
 
</pre>
 
</pre>
  
== Advanced Format (4KB Sector) Hard Drives ==
+
User preference key
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].
+
 
+
== %SystemRoot% ==
+
The actual value of %SystemRoot% is store in the following registry value:
+
 
<pre>
 
<pre>
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
+
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Value: SystemRoot
+
 
</pre>
 
</pre>
  
== See Also ==
+
=== Security Zones ===
* [[Windows Event Log (EVT)]]
+
0 - My Computer
* [[Windows XML Event Log (EVTX)]]
+
* [[Windows Vista]]
+
* [[Windows 7]]
+
* [[Windows 8]]
+
  
== External Links ==
+
1 - Local Intranet Zone
  
* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
+
2 - Trusted Sites Zone
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
+
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
+
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
+
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013
+
* [http://www.swiftforensics.com/2014/04/search-history-on-windows-8-and-81.html?m=1 Search history on Windows 8 and 8.1], by [[Yogesh Khatri's]], April 1, 2014
+
  
=== Malware/Rootkits ===
+
3 - Internet Zone
* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013
+
  
=== Program execution ===
+
4 - Restricted Sites Zone
* [http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html HowTo: Determine Program Execution], by [[Harlan Carvey]], July 06, 2013
+
* [http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html It Is All About Program Execution], by [[Corey Harrell]], January 14, 2014
+
* [http://sysforensics.org/2014/01/know-your-windows-processes.html Know your Windows Processes or Die Trying], by [[Patrick Olsen]], January 18, 2014
+
  
=== Tracking removable media ===
+
5 - Custom
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012
+
  
=== Under the hood ===
+
=== WPAD ===
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
+
<b>TODO add some text</b>
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
+
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
+
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
+
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]
+
  
==== MSI ====
+
== Artifacts ==
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
+
=== Recovery store ===
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013
+
<b>TODO add some text</b>
  
==== Side-by-side (WinSxS) ====
+
On Windows Vista and later:
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
+
<pre>
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
+
C:\Users\%USER%\AppData\Local\Microsoft\Internet Explorer\Recovery
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
+
</pre>
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
+
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
+
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
+
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]
+
* [http://www.fireeye.com/resources/pdfs/fireeye-dll-sideloading.pdf DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry], by Amanda Stewart, April 2014
+
  
==== Application Experience and Compatibility ====
+
=== Typed URLs ===
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
+
Internet Explorer stores the cached History (or Address box) entries in the following Windows Registry key [http://support.microsoft.com/kb/157729].
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
+
<pre>
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
+
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
+
</pre>
* [http://www.alex-ionescu.com/?p=41 Secrets of the Application Compatilibity Database (SDB) – Part 3], by [[Alex Ionescu]], May 26, 2007
+
* [https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
+
* [http://journeyintoir.blogspot.ch/2013/12/revealing-recentfilecachebcf-file.html Revealing the RecentFileCache.bcf File], by [[Corey Harrell]], December 2, 2013
+
* [http://journeyintoir.blogspot.ch/2013/12/revealing-program-compatibility.html Revealing Program Compatibility Assistant HKCU AppCompatFlags Registry Keys], by [[Corey Harrell]], December 17, 2013
+
  
==== System Restore (Restore Points) ====
+
== See Also ==
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
+
* [[Extensible Storage Engine (ESE) Database File (EDB) format]]
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
+
* [[Internet Explorer History File Format|Internet Explorer 4-9 Cache File Format]]
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]],  June 16, 2007
+
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
+
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]
+
  
==== Crash dumps ====
+
== External Links ==
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
+
* [http://kb.digital-detective.co.uk/display/NetAnalysis1/Internet+Explorer+Cache Internet Explorer Cache]
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]
+
* [http://support.microsoft.com/kb/182569 Internet Explorer security zones registry entries for advanced users], by [[Microsoft]]
 
+
* [http://technet.microsoft.com/en-us/library/cc302643.aspx Troubleshooting Automatic Detection], by [[Microsoft]]
==== RPC ====
+
* [http://www.microsoft.com/en-us/download/details.aspx?id=11575 Windows Virtual PC VHDs for testing websites with different Internet Explorer versions], by [[Microsoft]]
* [http://blogs.technet.com/b/networking/archive/2008/10/24/rpc-to-go-v-1.aspx RPC to Go v.1], by Michael Platts, October 24, 2008
+
* [http://tojoswalls.blogspot.ch/2013/05/java-web-vulnerability-mitigation-on.html Java Web Vulnerability Mitigation on Windows], by Tim Johnson, May 23, 2013
* [http://blogs.technet.com/b/networking/archive/2008/12/04/rpc-to-go-v-2.aspx RPC to Go v.2], by Michael Platts, December 4, 2008
+
 
+
==== User Account Control (UAC) ====
+
* [http://blog.strategiccyber.com/2014/03/20/user-account-control-what-penetration-testers-should-know/ User Account Control – What Penetration Testers Should Know], by Raphael Mudge, March 20, 2014
+
 
+
==== Windows Event Logs ====
+
* [http://journeyintoir.blogspot.ch/2014/03/exploring-program-inventory-event-log.html Exploring the Program Inventory Event Log], by [[Corey Harrell]], March 24, 2014
+
 
+
==== Windows Scripting Host ====
+
* [https://www.mandiant.com/blog/ground-windows-scripting-host-wsh/ Going To Ground with The Windows Scripting Host (WSH)], by Devon Kerr, February 19, 2014
+
 
+
==== USB ====
+
* [https://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf USBKEY Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009
+
* [https://blogs.sans.org/computer-forensics/files/2009/09/USB_Drive_Enclosure-Guide.pdf USB Drive Enclosure Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009
+
 
+
==== WMI ====
+
* [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf Understanding WMI Malware], by Julius Dizon, Lennard Galang, and Marvin Cruz, July 2010
+
 
+
==== Windows Error Reporting (WER) ====
+
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
+
* [http://journeyintoir.blogspot.ch/2014/02/exploring-windows-error-reporting.html Exploring Windows Error Reporting], by [[Corey Harrell]], February 24, 2014
+
  
==== Windows Firewall ====
+
=== Recovery store ===
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
+
* [http://www.swiftforensics.com/2011/09/internet-explorer-recoverystore-aka.html Internet Explorer RecoveryStore (aka Travelog) as evidence of Internet Browsing activity], by [[Yogesh Khatri]], September 29, 2011
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]
+
  
==== Windows 32-bit on Windows 64-bit (WoW64) ====
+
=== Typed URLS ===
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]
+
* [http://crucialsecurityblog.harris.com/2011/03/14/typedurls-part-1/ TypedURLs (Part 1)], by Paul Nichols, March 14, 2011
 +
* [http://crucialsecurityblog.harris.com/2011/03/23/typedurls-part-2/ TypedURLs (Part 2)], by Paul Nichols, March 23, 2011
 +
* [http://randomthoughtsofforensics.blogspot.co.uk/2012/07/trouble-with-typedurlstime.html The Trouble with TypedUrlsTime], by Ken Johnson, July 4, 2012
 +
* [http://sketchymoose.blogspot.ch/2014/02/typedurls-registry-key.html TypedURLs Registry Key], Sketchymoose's Blog, February 18, 2014
  
=== Windows XP ===
+
=== Internet Explorer 10 ===
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]
+
* [http://cyberarms.wordpress.com/2012/08/21/windows-8-forensics-internet-cache-history/ Windows 8 Forensics: Internet History Cache], by Ethan Fleisher, August 21, 2012
 +
* [http://hh.diva-portal.org/smash/get/diva2:635743/FULLTEXT02.pdf Forensic Analysis of ESE databases in Internet Explorer 10], by Bonnie Malmström & Philip Teveldal, June 2013
  
[[Category:Operating systems]]
+
[[Category:Applications]]
[[Category:Windows]]
+
[[Category:Web Browsers]]

Revision as of 00:15, 11 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Microsoft Internet Explorer (MSIE) is the default Web Browser included with Microsoft Windows.

MSIE 4 to 9

MSIE 4 to 9 uses the Internet Explorer History File Format (or MSIE 4-9 Cache File format). The Cache Files commonly named index.dat are used to store both cache and historical information.

MSIE 10

C:\Users\%USER%\AppData\Local\Microsoft\Windows\WebCache\

The WebCacheV01.dat and WebCacheV24.dat files are in the Extensible Storage Engine (ESE) Database File (EDB) format

Configuration

Internet Explorer will apply its setting in the following order, where the lower the order overrides settings in the higer order.

  1. Settings in Machine policy key
  2. Settings in User policy key
  3. Settings in User preference key
  4. Settings in Machine preference key

Machine policy key

HKET_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

Machine preference key

HKET_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

User policy key

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

User preference key

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

Security Zones

0 - My Computer

1 - Local Intranet Zone

2 - Trusted Sites Zone

3 - Internet Zone

4 - Restricted Sites Zone

5 - Custom

WPAD

TODO add some text

Artifacts

Recovery store

TODO add some text

On Windows Vista and later:

C:\Users\%USER%\AppData\Local\Microsoft\Internet Explorer\Recovery

Typed URLs

Internet Explorer stores the cached History (or Address box) entries in the following Windows Registry key [1].

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

See Also

External Links

Recovery store

Typed URLS

Internet Explorer 10