Difference between pages "Windows 8" and "Windows 7"

From ForensicsWiki

Revision as of 14:22, 12 September 2013


File Structure

File systems are covered separately.

SSD

Per Microsoft KB2727880 (http://support.microsoft.com/kb/2727880), when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, this TechNet post (http://technet.microsoft.com/en-us/magazine/ff356869.aspx) states: "Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive."
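An examiner can confirm the KB2727880 state on a particular image rather than assuming it, since it decides whether an empty Prefetch folder is expected or anomalous. The script below is an added example and not content from the ForensicsWiki page; the hive path and mount name are placeholders, and the EnablePrefetcher/EnableSuperfetch DWORDs are read from their standard location under PrefetchParameters.

```powershell
# Added example (not from the ForensicsWiki page): read the prefetch/SuperFetch
# switches from an offline Windows 7 SYSTEM hive. Work on a copy of the hive;
# reg.exe load requires elevation and mounts the hive writable.
param(
    [string]$SystemHive = 'E:\evidence\Windows\System32\config\SYSTEM',  # placeholder
    [string]$MountName  = 'EvidenceSYSTEM'                                # placeholder
)

reg.exe load "HKLM\$MountName" $SystemHive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $SystemHive" }

try {
    # Select\Current names the control set the system last booted with.
    $current = (Get-ItemProperty -Path "HKLM:\$MountName\Select").Current
    $ccs     = 'ControlSet{0:D3}' -f $current
    $ppKey   = "HKLM:\$MountName\$ccs\Control\Session Manager\Memory Management\PrefetchParameters"

    $pp = Get-ItemProperty -Path $ppKey -ErrorAction Stop

    # Documented meaning of both DWORDs: 0 = disabled, 1 = application launch,
    # 2 = boot, 3 = both. A missing value means the built-in default applies.
    $prefetch   = $pp.EnablePrefetcher
    $superfetch = $pp.EnableSuperfetch

    [pscustomobject]@{
        ControlSet         = $ccs
        EnablePrefetcher   = if ($null -eq $prefetch)   { 'absent (default)' } else { $prefetch }
        EnableSuperfetch   = if ($null -eq $superfetch) { 'absent (default)' } else { $superfetch }
        PrefetchDisabled   = ($prefetch -eq 0)
        SuperfetchDisabled = ($superfetch -eq 0)
    }
}
finally {
    # Drop handles held by the provider so the hive can be unloaded cleanly.
    [gc]::Collect()
    reg.exe unload "HKLM\$MountName" | Out-Null
}
```

If both flags are 0 on an SSD-based Windows 7 image, an empty C:\Windows\Prefetch is consistent with the KB rather than evidence of anti-forensic cleanup.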

Jump Lists

Jump Lists are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

Registry

The Windows Registry remains a central component of the Windows 7 operating system.

Known keys of forensic interest

SAM Registry

SAM\SAM\Domains\Account\Users

SAM\Domains\Builtin\Aliases


Security Registry

Security\Policy\PolAcDmS

Security\Policy\PolPrDmS

Security\Policy\PolAdtEv

Security\Policy\Secrets

NTUSER Registry

  • NTUSER\Control Panel\Desktop
  • NTUSER\Control Panel\don\
  • NTUSER\Environment
  • NTUSER\Network
  • NTUSER\Printers\Settings\Wizard\ConnectMRU
  • NTUSER\Software
  • NTUSER\Software\Adobe\Acrobat Reader
  • NTUSER\Software\Ahead
  • NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
  • NTUSER\Software\Ares
  • NTUSER\Software\bindshell.net\Odysseus
  • NTUSER\Software\Blizzard Entertainment\Warcraft III\String
  • NTUSER\Software\Cain\Settings
  • NTUSER\Software\DECAFme
  • NTUSER\Software\Google\Google Toolbar\4.0\whitelist
  • NTUSER\Software\Google\NavClient\1.1\History
  • NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
  • NTUSER\Software\JavaSoft\Prefs\haven
  • NTUSER\Software\Microsoft
  • NTUSER\Software\Microsoft\Command Processor
  • NTUSER\Software\Microsoft\CTF\LangBarAddIn
  • NTUSER\Software\Microsoft\Dependency Walker\Recent File List
  • NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
  • NTUSER\Software\Microsoft\Internet Account Manager\Accounts
  • NTUSER\Software\Microsoft\Internet Explorer\Main
  • NTUSER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  • NTUSER\Software\Microsoft\Internet Explorer\Settings
  • NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
  • NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
  • NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
  • NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
  • NTUSER\Software\Microsoft\Multimedia\Other
  • NTUSER\Software\Microsoft\Office
  • NTUSER\Software\Microsoft\Office\14.0
  • NTUSER\Software\Microsoft\PIMSRV
  • NTUSER\Software\Microsoft\Search Assistant\ACMru
  • NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
  • NTUSER\Software\Microsoft\Terminal Server Client\Default
  • NTUSER\Software\Microsoft\Terminal Server Client\Servers
  • NTUSER\Software\Microsoft\User Location Service\Client
  • NTUSER\Software\Microsoft\Windows Live Contacts\Database
  • NTUSER\Software\Microsoft\Windows Live Mail
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
  • NTUSER\Software\Microsoft\Windows\CurrentVersion
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
  • NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
  • NTUSER\Software\Nico Mak Computing\WinZip
  • NTUSER\Software\ORL\VNCHooks\Application_Prefs
  • NTUSER\Software\ORL\VNCviewer\MRU
  • NTUSER\Software\Piriform\CCleaner
  • NTUSER\Software\Privoxy
  • NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
  • NTUSER\Software\RealVNC\VNCViewer4\MRU
  • NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
  • NTUSER\Software\Skype
  • NTUSER\Software\SmartLine Vision\aports
  • NTUSER\Software\SysInternals
  • NTUSER\Software\Sysinternals\RootkitRevealer
  • NTUSER\Software\VMware
  • NTUSER\Software\WinRAR\ArcHistory