Difference between pages "Windows 7" and "Bruce Allen"

From ForensicsWiki
Bruce Allen is a Research Associate at the [http://www.nps.edu Naval Postgraduate School] in Monterey, California.
Interests include Software architecture, computer languages, parallel computing, parallel processor architectures, and supporting open-source software. Software contributions include development of the [[hashdb]] tool, development of the [[Bulk Extractor Viewer]] User Interface (used to browse Features extracted using the [[Bulk Extractor]] digital media triage tool), some of the Bulk Extractor scanners, the jlibewf and libewfcs readers, and implementations of high speed encryption and hashing algorithms that run on the Cell Broadband Engine processor.

== File Structure ==
File systems are covered separately.

== SSD ==
Per Microsoft [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:
<i>Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.</i>

== Jump Lists ==
[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

== Registry ==
The [[Windows_Registry]] remains a central component of the Windows 7 operating system.

== Known keys of forensic interest ==

'''SAM Registry'''

*SAM\SAM\Domains\Account\Users
*SAM\SAM\Domains\Builtin\Aliases

'''Security Registry'''

*Security\Policy\PolAcDmS
*Security\Policy\PolPrDmS
*Security\Policy\PolAdtEv
*Security\Policy\Secrets

'''NTUSER Registry'''

*NTUSER\Control Panel\Desktop
*NTUSER\Control Panel\don\
*NTUSER\Environment
*NTUSER\Network
*NTUSER\Printers\Settings\Wizard\ConnectMRU
*NTUSER\Software
*NTUSER\Software\Adobe\Acrobat Reader
*NTUSER\Software\Ahead
*NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
*NTUSER\Software\Ares
*NTUSER\Software\bindshell.net\Odysseus
*NTUSER\Software\Blizzard Entertainment\Warcraft III\String
*NTUSER\Software\Cain\Settings
*NTUSER\Software\DECAFme
*NTUSER\Software\Google\Google Toolbar\4.0\whitelist
*NTUSER\Software\Google\NavClient\1.1\History
*NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
*NTUSER\Software\JavaSoft\Prefs\haven
*NTUSER\Software\Microsoft
*NTUSER\Software\Microsoft\Command Processor
*NTUSER\Software\Microsoft\Dependency Walker\Recent File List
*NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
*NTUSER\Software\Microsoft\Internet Explorer\Main
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
*NTUSER\Software\Microsoft\Internet Account Manager\Accounts
*NTUSER\Software\Microsoft\Internet Explorer\Settings
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
*NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
*NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
*NTUSER\Software\Microsoft\Multimedia\Other
*NTUSER\Software\Microsoft\CTF\LangBarAddIn
*NTUSER\Software\Microsoft\Office\14.0
*NTUSER\Software\Microsoft\Office
*NTUSER\Software\Microsoft\PIMSRV
*NTUSER\Software\Microsoft\Search Assistant\ACMru
*NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
*NTUSER\Software\Microsoft\Terminal Server Client\Default
*NTUSER\Software\Microsoft\Terminal Server Client\Servers
*NTUSER\Software\Microsoft\User Location Service\Client
*NTUSER\Software\Microsoft\Windows Live Contacts\Database
*NTUSER\Software\Microsoft\Windows Live Mail
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
*NTUSER\Software\Microsoft\Windows\CurrentVersion
*NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
*NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
*NTUSER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
*NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
*NTUSER\Software\Nico Mak Computing\WinZip
*NTUSER\Software\ORL\VNCHooks\Application_Prefs
*NTUSER\Software\ORL\VNCviewer\MRU
*NTUSER\Software\Piriform\CCleaner
*NTUSER\Software\Privoxy
*NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
*NTUSER\Software\RealVNC\VNCViewer4\MRU
*NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
*NTUSER\Software\Skype
*NTUSER\Software\SmartLine Vision\aports
*NTUSER\Software\SysInternals
*NTUSER\Software\Sysinternals\RootkitRevealer
*NTUSER\Software\VMware
*NTUSER\Software\WinRAR\ArcHistory

Revision as of 15:54, 17 June 2014