Difference between pages "Windows 7" and "Windows 8"

From ForensicsWiki
(Difference between pages)
(Known keys of forensic interest)
 
(New Features)
 
 +
Initially Windows 8 had a workstation and server edition. The server edition became Windows Server 2012.
  
 +
== New Features ==
 +
The following new features were introduced in Windows 8:
 +
* [[Windows Shadow Volumes | File History]]
 +
* [[Windows Storage Spaces | Storage Spaces]]
 +
* [[Search Charm History]]
  
== File Structure ==  
+
== File System ==  
File systems are covered separately.
+
The file system used by Windows 8 is primarily [[NTFS]].
 
+
== SSD ==
+
Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.
+
 
+
Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:
+
<i>Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.</i>
+
 
+
+
  
 +
The [[Resilient File System (ReFS)]] was initially available in the Windows 8 server edition but became part of Windows 2012 server edition.
  
 
== Jump Lists ==
 
== Jump Lists ==
[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).
+
[[Jump Lists]] are Task Bar artifacts that were first introduced on Windows 7 and are also available on Windows 8.
 
+
== Registry ==
+
The [[Windows_Registry]] remains a central component of the Windows 7 operating system.
+
 
+
== Known keys of forensic interest ==
+
 
+
'''SAM Registry'''
+
 
+
SAM\\SAM\\Domains\\Account\\Users
+
 
+
SAM\\SAM\\Domains\\Account\\UsersSAM\\Domains\\Builtin\\Aliases
+
 
+
  
'''Security Registry'''
+
== Prefetch ==
 +
The prefetch hash function is similar to [[Windows 2008]].
  
Security\\Policy\\PolAcDmSPolicy\\PolPrDmS
+
== Registry ==
 +
The [[Windows_Registry|Windows Registry]] remains a core component of the Windows operating system.
  
Security\\Policy\\PolAdtEv
+
== See Also ==
 +
* [[Windows]]
 +
* [[Windows Vista]]
 +
* [[Windows 7]]
  
Security\\Policy\\Secrets
+
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Features_new_to_Windows_8 Features new to Windows 8], Wikipedia
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics Windows 8 Forensics - part 1]
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2 Windows 8 Forensics - part 2]
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-3 Windows 8 Forensics - part 3]
 +
* [http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf Windows 8 Forensic Guide], by [[Amanda Thomson|Amanda C. F. Thomson]], 2012
 +
* [http://forensicfocus.com/Forums/viewtopic/t=9604/ Forensic Focus: Windows 8 Forensics - A First Look], [http://www.youtube.com/watch?v=uhCooEz9FQs&feature=youtu.be Presentation], [http://www.forensicfocus.com/downloads/windows-8-forensics-josh-brunty.pdf Slides], by [[Josh Brunty]], August 2012
 +
* [http://dfstream.blogspot.ch/2013/03/windows-8-tracking-opened-photos.html Windows 8: Tracking Opened Photos], by [[Jason Hale]], March 8, 2013
 +
* [http://dfstream.blogspot.com/2013/09/windows-8-and-81-search-charm-history.html indows 8 and 8.1: Search Charm History], by [[Jason Hale]], September 9, 2013
  
'''NTUSER Registry'''
+
[[Category:Operating systems]]
*NTUSER\\Control Panel\\Desktop
+
*NTUSER\\Control Panel\\don\
+
*NTUSER\\Environment
+
*NTUSER\\Network
+
*NTUSER\\Printers\\Settings\\Wizard\\ConnectMRU
+
*NTUSER\\Software
+
*NTUSER\\Software\\Adobe\\Acrobat Reader\\Software\\Adobe\\Acrobat Reader\\
+
*NTUSER\\Software\\Ahead
+
*NTUSER\\Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users
+
*NTUSER\\Software\\Ares
+
*NTUSER\\Software\\bindshell.net\\Odysseus
+
*NTUSER\\Software\\Blizzard Entertainment\\Warcraft III\\String
+
*NTUSER\\Software\\Cain\\Settings
+
*NTUSER\\Software\\DECAFme
+
*NTUSER\\Software\\Google\\Google Toolbar\\4.0\\whitelist
+
*NTUSER\\Software\\Google\\NavClient\\1.1\\History
+
*NTUSER\\Software\\JavaSoft\\Java Update\\Policy\\JavaFX
+
*NTUSER\\Software\\JavaSoft\\Prefs\\haven
+
*NTUSER\\Software\\Microsoft
+
*NTUSER\\Software\\Microsoft\\Command Processor
+
*NTUSER\\Software\\Microsoft\\Dependency Walker\\Recent File List
+
*NTUSER\\Software\\Microsoft\\IntelliPoint\\AppSpecific
+
*NTUSER\\Software\\Microsoft\\Internet Explorer\\Main
+
*NTUSER\\Software\\Microsoft\\Internet Explorer\\MainSoftware\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoCompleteSoftware\\Microsoft\\Internet Account Manager\\Accounts
+
*NTUSER\\Software\\Microsoft\\Internet Explorer\\Settings
+
*NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLs
+
*NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLsTime
+
*NTUSER\\Software\\Microsoft\\MediaPlayer\\Player\\RecentFileList
+
*NTUSER\\Software\\Microsoft\\Microsoft Management Console\\Recent File List
+
*NTUSER\\Software\\Microsoft\\Multimedia\\OtherSoftware\\Microsoft\\CTF\\LangBarAddIn
+
*NTUSER\\Software\\Microsoft\\Office\\14.0Software\\Microsoft\\Office\\14.0
+
*NTUSER\\Software\\Microsoft\\Office\\Software\\Microsoft\\Office\\
+
*NTUSER\\Software\\Microsoft\\OfficeSoftware\\Microsoft\\Office\\
+
*NTUSER\\Software\\Microsoft\\PIMSRV
+
*NTUSER\\Software\\Microsoft\\Search Assistant\\ACMru
+
*NTUSER\\Software\\Microsoft\\Snapshot Viewer\\Recent File List
+
*NTUSER\\Software\\Microsoft\\Terminal Server Client\\DefaultSoftware\\Microsoft\\Terminal Server Client\\Servers
+
*NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers
+
*NTUSER\\Software\\Microsoft\\User Location Service\\Client
+
*NTUSER\\Software\\Microsoft\\Windows Live Contacts\\Database
+
*NTUSER\\Software\\Microsoft\\Windows Live Mail
+
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted
+
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers
+
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts
+
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows
+
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles
+
*NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\0a0d020000000000c000000000000046
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PublishingWizard\\AddNetworkPlace\\AddNetPlace\\LocationMRU
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpaper\\MRU
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{8AD9C840-044E-11D1-B3E9-00805F499D93}
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\FileHistory
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet SettingsSoftware\\Microsoft\\Internet Explorer\\Main\\WindowsSearch
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\UFH\\SHC
+
*NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\UnreadMail
+
*NTUSER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop
+
*NTUSER\\Software\\Nico Mak Computing\\WinZip
+
*NTUSER\\Software\\ORL\\VNCHooks\\Application_Prefs
+
*NTUSER\\Software\\ORL\\VNCviewer\\MRUSoftware\\RealVNC\\VNCViewer4\\MRU
+
*NTUSER\\Software\\Piriform\\CCleaner
+
*NTUSER\\Software\\Privoxy
+
*NTUSER\\Software\\RealNetworks\\RealPlayer\\6.0\\Preferences
+
*NTUSER\\Software\\RealVNC\\VNCViewer4\\MRU
+
*NTUSER\\Software\\SimonTatham\\PuTTY\\SshHostKeys
+
*NTUSER\\Software\\Skype
+
*NTUSER\\Software\\SmartLine Vision\\aports
+
*NTUSER\\Software\\SysInternals
+
*NTUSER\\Software\\Sysinternals\\RootkitRevealer
+
*NTUSER\\Software\\VMware
+
*NTUSER\\Software\\WinRAR\\ArcHistory
+
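Review bot: several entries in the Windows 7 "Known keys of forensic interest" list are two key paths run together with no separator and should be split into one entry each, for example `SAM\\SAM\\Domains\\Account\\UsersSAM\\Domains\\Builtin\\Aliases` (which also repeats the `SAM\\SAM\\Domains\\Account\\Users` entry just above it), `NTUSER\\Software\\Microsoft\\Internet Explorer\\MainSoftware\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoCompleteSoftware\\Microsoft\\Internet Account Manager\\Accounts` and `NTUSER\\Software\\ORL\\VNCviewer\\MRUSoftware\\RealVNC\\VNCViewer4\\MRU`; the Multimedia\\Other, Office\\14.0, Office, Terminal Server Client\\Default and Internet Settings entries have the same problem, and the Terminal Server Client\\Servers and RealVNC\\VNCViewer4\\MRU paths then appear twice. `NTUSER\\Control Panel\\don\\` is cut off and `NTUSER\\Software\\Adobe\\Acrobat Reader\\Software\\Adobe\\Acrobat Reader\\` repeats its own path. Every key is also written with doubled backslashes, which is not how registry paths are written; if the list was pasted from a tool's escaped string form it should say so, otherwise the paths should be normalised to single backslashes so they can be copied into a registry viewer as-is.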

Revision as of 13:15, 20 October 2013

Initially Windows 8 had a workstation and server edition. The server edition became Windows Server 2012.

New Features

The following new features were introduced in Windows 8:

* File History
* Storage Spaces
* Search Charm History

File System

The file system used by Windows 8 is primarily NTFS.

The Resilient File System (ReFS) was initially available in the Windows 8 server edition but became part of Windows 2012 server edition.

Jump Lists

Jump Lists are Task Bar artifacts that were first introduced on Windows 7 and are also available on Windows 8.

Prefetch

The prefetch hash function is similar to that of Windows 2008.

Registry

The Windows Registry remains a core component of the Windows operating system.

See Also

* Windows
* Windows Vista
* Windows 7

External Links

* Features new to Windows 8, Wikipedia: http://en.wikipedia.org/wiki/Features_new_to_Windows_8
* Windows 8 Forensics - part 1: http://computerforensics.champlain.edu/blog/windows-8-forensics
* Windows 8 Forensics - part 2: http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2
* Windows 8 Forensics - part 3: http://computerforensics.champlain.edu/blog/windows-8-forensics-part-3
* Windows 8 Forensic Guide, by Amanda C. F. Thomson, 2012: http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf
* Forensic Focus: Windows 8 Forensics - A First Look, by Josh Brunty, August 2012: http://forensicfocus.com/Forums/viewtopic/t=9604/ (presentation: http://www.youtube.com/watch?v=uhCooEz9FQs&feature=youtu.be, slides: http://www.forensicfocus.com/downloads/windows-8-forensics-josh-brunty.pdf)
* Windows 8: Tracking Opened Photos, by Jason Hale, March 8, 2013: http://dfstream.blogspot.ch/2013/03/windows-8-tracking-opened-photos.html
* Windows 8 and 8.1: Search Charm History, by Jason Hale, September 9, 2013: http://dfstream.blogspot.com/2013/09/windows-8-and-81-search-charm-history.html