Difference between pages "Training Courses and Providers" and "Windows"

From ForensicsWiki

= Training Courses and Providers =

This is the list of Scheduled Training Courses, referred to by [[Upcoming_events]]. Please refer to the instructions on the [[Upcoming_events]] page if you wish to edit this page.

The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv.
<i>(Subscribe by sending an email to listserv@lists.mitre.org with the message body SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST.)</i>
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.

{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Title
! Date/Location
! Website
! Limitation
|-
|Qualified Edge Protection: Firewalls, IPS, Spyware, Trojans and Viruses
|May 19-22, Reston, VA
|http://www.securityuniversity.net/classes_QEP.php
|-
|Certified Wireless Security Professional
|May 19-22, San Francisco, CA
|http://www.securityuniversity.net/www.classes_wireless_CWSP.php
|-
|Computer Hacking Forensic Investigator/Qualified Forensic Expert
|May 19-23, San Francisco, CA
|http://www.securityuniversity.net/classes_CHFI_QFE.php
|-
|Macintosh Forensic Survival Course (MFSC)
|May 19-23, Grand Rapids, MI
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
|Core Skills for the Investigation of Computer Crime
|May 19-23, Sacramento, CA
|http://www.search.org/programs/hightech/calendar.asp
|Limited to Law Enforcement
|-
|MacForensicsLab Examiner Certification Training
|May 19-22, Newark, CA
|http://www.macforensicslab.com/ProductsAndServices/index.php?main_page=index&cPath=2
|-
|Basic On-Line Technical Skills (BOTS)
|May 19, Lynchburg, VA
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Fundamentals of Computer Forensics Imaging
|May 20-23, Falls Church, VA
|http://www.mantech.com/msma/isso.asp
|-
|Boot Camp Certified Wireless Network Admin/Wireless Security Professional
|May 20-29, San Francisco, CA
|http://www.securityuniversity.net/www.classes_wireless_bootcamp.php
|-
|EnCase&reg; v6 Computer Forensics II
|May 20-23, United Kingdom
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics I
|May 20-23, Houston, TX and Washington DC
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Computer Forensics
|May 20-23, Chicago, IL
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Windows Forensics
|May 20-22, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Certified Wireless Network Administrator
|May 26-30, Rome, Italy
|http://www.securityuniversity.net/www.classes_wireless_CWNA.php
|-
|Certified Ethical Hacker/Qualified Security Hacker/Network Defender
|May 26-30, Reston, VA
|http://www.securityuniversity.net/classes_CEH_QEH.php
|-
|Catching the Hackers: Intro to IDS
|May 27-30, Reston, VA
|http://www.securityuniversity.net/classes_introIDS.php
|-
|Catching the Hackers II: Systems to Monitor Your Network
|May 27-30, Reston, VA
|http://www.securityuniversity.net/classes_IDSII.php
|-
|EnCase&reg; v6 Computer Forensics II
|May 27-30, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; BootCamp
|May 27-29, San Jose, CA
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone - Steganography Investigator Training
|May 30-31, 2008 Techno Security
|https://www.wetstonetech.com/trainings.html
|-
|WetStone - Live Investigator Training
|May 30-31, 2008 Techno Security
|https://www.wetstonetech.com/trainings.html
|-
|Computer Network Investigations Training Program (CNITP)
|Jun 02-13, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|ILook® Automated Forensic Application (ILook)
|Jun 02-06, Vassalboro, ME
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|EC-Council Certified Security Analyst/Qualified Security Analyst/Pen Testing Methods
|Jun 02-06, Reston, VA
|http://www.securityuniversity.net/classes_anti-hacking_pentest.php
|-
|Qualified Software Security Expert 5-day Bootcamp
|Jun 02-06, Reston, VA
|http://www.securityuniversity.net/classes_SI_SoftwareSecurity_Bootcamp.php
|-
|Licensed Penetration Tester/Qualified Penetration Tester
|Jun 02-06, Reston, VA
|http://www.securityuniversity.net/classes_Licensed_Penetration_Tester.php
|-
|EnCase&reg; v6 Computer Forensics I
|Jun 02-06, Pasig City, Philippines
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|Core Skills for the Investigation of Cellular Telephones
|Jun 02-05, Sacramento, CA
|http://www.search.org/programs/hightech/calendar.asp
|Limited to Law Enforcement
|-
|EnCase&reg; v6 Computer Forensics I
|Jun 03-06, Houston, TX
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 NTFS
|Jun 03-06, Houston, TX
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics II
|Jun 03-06, Chicago, IL and Washington DC
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Internet Examinations
|Jun 03-06, United Kingdom
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
|Jun 03-06, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; BootCamp
|Jun 03-05, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Macintosh Forensic Survival Course (MFSC)
|Jun 09-13, San Jose, CA
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|Limited to Law Enforcement
|-
|Qualified Network Security Policy Admin and Security Oriented Architect
|Jun 09-13, Reston, VA
|http://www.securityuniversity.net/classes_architecture.php
|-
|Core Skills for the Investigation of Cellular Telephones
|Jun 09-12, Sacramento, CA
|http://www.search.org/programs/hightech/calendar.asp
|Limited to Law Enforcement
|-
|X-Ways Forensics
|Jun 09-11, New York City, NY
|http://www.x-ways.net/training/new_york.html
|-
|Certified Wireless Network Administrator
|Jun 10-13, Reston, VA
|http://www.securityuniversity.net/classes_CWNA.php
|-
|Certified Wireless Network Admin/Wireless Security Professional Bootcamp
|Jun 10-19, Reston, VA
|http://www.securityuniversity.net/classes_wireless_bootcamp.php
|-
|AccessData&reg; BootCamp
|Jun 10-12, St Paul, MN
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Neutrino - Mobile Phone Forensics
|Jun 10-11, Washington DC
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics I
|Jun 10-13, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Computer Forensics
|Jun 10-13, United Kingdom
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 FIM/Mobile Use of EE Live Forensics
|Jun 10-13, Chicago, IL
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics II
|Jun 10-13, Houston, TX
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|File Systems Revealed
|Jun 12-13, New York City, NY
|http://www.x-ways.net/training/new_york.html
|-
|Computer Network Investigations Training Program (CNITP)
|Jun 16-27, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|Intermediate Data Recovery and Analysis (IDRA)
|Jun 16-20, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Certified Wireless Security Professional
|Jun 16-19, Reston, VA
|http://www.securityuniversity.net/classes_CWSP.php
|-
|Certified Ethical Hacker/Qualified Security Hacker Class
|Jun 16-20, Rome, Italy
|http://www.securityuniversity.net/classes_QSH.php
|-
|Systems Security Certified Practitioner and Security Plus
|Jun 16-20, Reston, VA
|http://www.securityuniversity.net/classes_SSCP_Security+_Bootcamp.php
|-
|Basic Data Recovery and Acquisition (BDRA)
|Jun 16-19, Hamilton, NJ
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|EnCase&reg; v6 Computer Forensics II
|Jun 16-19, Pasig City, Philippines
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|Computer Forensics Certification Course (including official X-Ways Training)
|Jun 16-27, Hong Kong Police College
|http://www.police.gov.hk/police/policecollege/english/pdl/pold.htm
|Limited to Law Enforcement
|-
|EnCase&reg; v6 Computer Forensics I
|Jun 17-20, Houston, TX
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Internet Examinations
|Jun 17-20, Chicago, IL
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
|Jun 17-20, United Kingdom
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|Neutrino - Mobile Phone Forensics
|Jun 17-18, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics II
|Jun 17-20, Los Angeles, CA and Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Computer Forensics
|Jun 17-20, Washington DC
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|Introduction to Automated Forensic Tools (AFT)
|Jun 23-27, Meriden, CT
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|BlackBag Introductory MacIntosh Forensics
|Jun 23-27, San Jose, CA
|http://www.blackbagtech.com/products/training.htm
|-
|Macintosh Forensic Survival Course (MFSC)
|Jun 23-27, Melbourne, Australia
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|Limited to Law Enforcement
|-
|Secure Techniques for Onsite Preview (STOP)
|Jun 23-24, Shawano, WI
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|e-fense - Live Forensics and Incident Response Featuring Helix
|Jun 24-26, Jacksonville, FL
|https://www.e-fense.com/register.php
|-
|WetStone - Hacking BootCamp for Investigators
|Jun 24-27, Toronto, Canada
|https://www.wetstonetech.com/trainings.html
|-
|EnCase&reg; v6 Computer Forensics I
|Jun 24-27, Washington DC
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
|Jun 24-27, Washington DC
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Internet Examinations
|Jun 24-27, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; Enterprise v6 - Phase I
|Jun 24-27, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Advanced Computer Forensics
|Jun 24-27, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|EnCase&reg; v6 Computer Forensics II
|Jun 24-27, Houston, TX
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Windows Forensics
|Jun 24-26, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Advanced Responders - Search and Seizure of SOHO Networks
|Jun 24-26, Sacramento, CA
|http://www.search.org/programs/hightech/calendar.asp
|Limited to Law Enforcement
|-
|Secure Techniques for Onsite Preview (STOP)
|Jun 25-26, Shawano, WI
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Macintosh Forensic Survival Course (MFSC)
|Jun 30-Jul 04, Brisbane, Australia
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|Limited to Law Enforcement
|-
|EnCase&reg; Enterprise v6 - Phase II
|Jun 30-Jul 03, Los Angeles, CA
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; BootCamp
|Jul 01-03, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|BlackBag Intermediate MacIntosh Forensics
|Jul 07-11, Los Angeles, CA
|http://www.blackbagtech.com/products/training.htm
|Limited to Law Enforcement
|-
|Linux/Unix Security
|Jul 07-10, Reston, VA
|http://www.securityuniversity.net/classes_linux_sec.php
|-
|Certified Ethical Hacker/Qualified Security Hacker/Network Defender
|Jul 07-10, San Francisco, CA
|http://www.securityuniversity.net/classes_QSH.php
|-
|Mobile Device Investigations Program (MDIP)
|Jul 14-18, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|AccessData&reg; Applied Decryption
|Jul 15-17, St Paul, MN
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; Windows Forensics
|Jul 15-17, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone - Steganography Investigator Training
|Jul 16-17, Online Training
|https://www.wetstonetech.com/trainings.html
|-
|Computer Network Investigations Training Program (CNITP)
|Jul 21-Aug 01, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|Internet Investigations Training Program (IITP)
|Jul 21-25, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|BlackBag Intermediate MacIntosh Forensics
|Jul 21-25, Santa Clara, CA
|http://www.blackbagtech.com/products/training.htm
|-
|EC-Council Certified Security Analyst/Qualified Security Analyst/Pen Testing Methods
|Jul 21-25, San Francisco, CA
|http://www.securityuniversity.net/classes_anti-hacking_pentest.php
|-
|Licensed Penetration Tester/Qualified Penetration Tester
|Jul 21-25, San Francisco, CA
|http://www.securityuniversity.net/classes_Licensed_Penetration_Tester.php
|-
|WetStone - Live Investigator Training
|Jul 22-23, Fairfax, VA
|https://www.wetstonetech.com/trainings.html
|-
|AccessData&reg; Windows Forensics
|Jul 22-24, St Louis, MO
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Computer Hacking Forensic Investigator/Qualified Forensics Expert
|Jul 26-Aug 01, San Francisco, CA
|http://www.securityuniversity.net/classes_CHFI.php
|-
|ILook® Automated Forensic Application (ILook)
|Jul 28-Aug 01, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Certified Wireless Network Administrator
|Jul 28-Aug 01, San Francisco, CA
|http://www.securityuniversity.net/www.classes_wireless_CWNA.php
|-
|Certified Wireless Network Admin/Wireless Security Professional Bootcamp
|Jul 29-Aug 07, San Francisco, CA
|http://www.securityuniversity.net/classes_wireless_bootcamp.php
|-
|WetStone - Steganography Investigator Training
|Aug 02-03, 04-05, Black Hat USA
|https://www.blackhat.com
|-
|WetStone - Live Investigator Training
|Aug 02-03, 04-05, Black Hat USA
|https://www.blackhat.com
|-
|WetStone - Hacking Investigator BootCamp
|Aug 02-05, Black Hat USA
|https://www.blackhat.com
|-
|Macintosh Forensic Survival Course (MFSC)
|Aug 04-08, Huntington Beach, CA
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
|Certified Wireless Network Admin/Wireless Security Professional Bootcamp
|Aug 05-14, Reston, VA
|http://www.securityuniversity.net/classes_wireless_bootcamp.php
|-
|Certified Wireless Network Administrator
|Aug 05-08, Reston, VA
|http://www.securityuniversity.net/classes_wireless_CWNA.php
|-
|AccessData&reg; BootCamp
|Aug 05-07, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; Windows Forensics
|Aug 05-07, Louisville, KY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|Limited to Law Enforcement
|-
|Certified Wireless Security Professional
|Aug 11-14, Reston, VA
|http://www.securityuniversity.net/classes_wireless_CWSP.php
|-
|AccessData&reg; Windows Forensics
|Aug 12-14, St Paul, MN
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; BootCamp
|Aug 12-14, Albany, NY and New York City, NY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
|Aug 18-29, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|BlackBag Introductory MacIntosh Forensics
|Aug 18-22, Santa Clara, CA
|http://www.blackbagtech.com/products/training.htm
|-
|WetStone - Steganography Investigator Training
|Aug 19-20, Fairfax, VA
|https://www.wetstonetech.com/trainings.html
|-
|AccessData&reg; BootCamp
|Aug 19-21, Manchester, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone - Live Investigator Training
|Aug 26-27, Vancouver, BC
|https://www.wetstonetech.com/trainings.html
|-
|AccessData&reg; BootCamp
|Aug 26-28, Ft Lauderdale, FL
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; BootCamp
|Sep 02-04, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|Seized Computer Evidence Recovery Specialist (SCERS)
|Sep 08-19, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation
|Limited to Law Enforcement
|-
|BlackBag Introductory MacIntosh Forensics
|Sep 08-12, Washington DC
|http://www.blackbagtech.com/products/training.htm
|-
|Macintosh Forensic Survival Course (MFSC)
|Sep 08-12, Bellingham, WA
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
|Windows NT File System (NTFS)
|Sep 08-11, St. Louis, MO
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|Fundamentals of Computer Forensics Imaging
|Sep 09-12, Falls Church, VA
|http://www.mantech.com/msma/isso.asp
|-
|WetStone - Steganography Investigator Training
|Sep 10-11, Online
|https://www.wetstonetech.com/trainings.html
|-
|ILook® Automated Forensic Application (ILook)
|Sep 15-19, Meriden, CT
|http://www.nw3c.org/ocr/courses_desc.cfm
|Limited to Law Enforcement
|-
|WetStone - Hacking BootCamp for Investigators
|Sep 16-19, Charleston, SC
|https://www.wetstonetech.com/trainings.html
|-
|EnCase&reg; v6 Computer Forensics II
|Sep 16-19, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Windows Forensics
|Sep 16-18, Columbia, SC
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|EnCase&reg; v6 Advanced Computer Forensics
|Sep 23-26, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Windows Forensics
|Sep 23-25, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; BootCamp
|Sep 23-25, Dallas, TX
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; Applied Decryption
|Sep 23-25, Ft Lauderdale, FL
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone - Live Investigator Training
|Sep 30-Oct 01, Fairfax, VA
|https://www.wetstonetech.com/trainings.html
|-
|EnCase&reg; v6 Computer Forensics II
|Sep 30-Oct 03, Toronto, Canada
|http://www.guidancesoftware.com/training/course_schedule.aspx
|-
|AccessData&reg; Applied Decryption
|Oct 07-09, London, United Kingdom
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|AccessData&reg; Windows Forensics
|Oct 07-09, Las Vegas, NV and New York City, NY
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
|WetStone - Steganography Investigator Training
|Oct 13-14, The Netherlands ENFSC Conference
|https://www.wetstonetech.com/trainings.html
|-
|AccessData&reg; BootCamp
|Oct 14-16, Louisville, KY
|}

= Windows =

{{Expand}}

'''Windows''' is a widespread [[operating system]] from [[Microsoft]].

There are two main branches of Windows:
* the DOS branch, i.e. Windows 95, 98 and ME
* the NT branch, i.e. Windows NT 4, XP and Vista

== Features ==
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]

=== Introduced in Windows NT ===
* [[NTFS]]

=== Introduced in Windows 2000 ===

=== Introduced in Windows XP ===
* [[Prefetch]]
* System Restore (Restore Points); also present in Windows ME

==== SP2 ====
* Windows Firewall

=== Introduced in Windows Server 2003 ===
* Volume Shadow Copies

=== Introduced in [[Windows Vista]] ===
* [[BitLocker Disk Encryption | BitLocker]]
* [[Windows Desktop Search | Search]] integrated in the operating system
* [[ReadyBoost]]
* [[SuperFetch]]
* [[NTFS|Transactional NTFS (TxF)]]
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
* $Recycle.Bin
* [[Windows XML Event Log (EVTX)]]
* [[User Account Control (UAC)]]

=== Introduced in Windows Server 2008 ===

=== Introduced in [[Windows 7]] ===
* [[BitLocker Disk Encryption | BitLocker To Go]]
* [[Jump Lists]]
* [[Sticky Notes]]

=== Introduced in [[Windows 8]] ===
* [[Windows File History | File History]]
* [[Windows Storage Spaces | Storage Spaces]]
* [[Search Charm History]]
* [[Resilient File System (ReFS)]]; initially available in the Windows 8 server edition

=== Introduced in Windows Server 2012 ===
* [[Resilient File System (ReFS)]]

== Forensics ==

=== Partition layout ===
In the default partition layout, the first partition starts:
* at sector 63 in Windows 2000, XP and 2003
* at sector 2048 in Windows Vista, 2008 and 7

=== Filesystems ===
* [[FAT]], [[FAT|exFAT]]
* [[NTFS]]
* [[Resilient File System (ReFS) | ReFS]]

=== Recycle Bin ===
The Recycle Bin contains "Recycled" files. Moving files and directories to the Recycle Bin is also referred to as soft deletion, since the files are not removed from the file system.

==== RECYCLER ====
The Recycler format is used by Windows 2000 and XP.

The per-user Recycle Bin folder has the form:
<pre>
C:\Recycler\%SID%\
</pre>

This folder contains:
* INFO2 file; metadata of the "Recycled" files

==== $RECYCLE.BIN ====
The $Recycle.Bin format is used as of Windows Vista.

The per-user Recycle Bin folder has the form:
<pre>
C:\$Recycle.Bin\%SID%\
</pre>

This folder contains:
* $I files; metadata of a "Recycled" file
* $R files; the original data

=== Registry ===

The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.

=== Thumbs.db Files ===

[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value to the [[investigator]].

See also: [[Vista thumbcache]].

=== Browser Cache ===

=== Browser History ===

The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]], but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].

=== Search ===
See [[Windows Desktop Search]].

=== Setup API Logs ===
Windows Vista introduced several new [[Setup API Logs|Setup API Log files]].

Also see [http://support.microsoft.com/kb/927521].

=== Sleep/Hibernation ===

When Windows 7 (at least) resumes from sleep or hibernation, a system time change event (event ID 1) is often recorded in the event logs.

=== Users ===
Windows stores the users' security identifiers (SIDs) under the following registry key:
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
</pre>

The ProfileImagePath value under each %SID% subkey should also contain the username.

=== Windows Error Reporting (WER) ===

As of Vista, WER reports for User Account Control (UAC) elevated applications can be found in:
<pre>
C:\ProgramData\Microsoft\Windows\WER\
</pre>

As of Vista, WER reports for non-elevated (LUA) applications can be found in:
<pre>
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
</pre>

Corresponding registry key:
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
</pre>

== Advanced Format (4KB Sector) Hard Drives ==
Windows XP does not natively handle drives that use the newer 4 KB sector standard. For more information, see [[Advanced Format]].

== %SystemRoot% ==
The actual value of %SystemRoot% is stored in the following registry value:
<pre>
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot
</pre>

== See Also ==
* [[Prefetch]]
* [[Setup API Logs]]
* [[SuperFetch]]
* [[Windows Application Compatibility]]
* [[Windows Desktop Search]]
* [[Windows Event Log (EVT)]]
* [[Windows XML Event Log (EVTX)]]
* [[Windows Vista]]
* [[Windows 7]]
* [[Windows 8]]

== External Links ==

* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013
* [http://www.swiftforensics.com/2014/04/search-history-on-windows-8-and-81.html Search history on Windows 8 and 8.1], by [[Yogesh Khatri]], April 1, 2014
* [http://www.swiftforensics.com/2014/04/search-history-on-windows-81-part-2.html Search history on Windows 8.1 - Part 2], by [[Yogesh Khatri]], April 21, 2014

=== Recycle Bin ===
* [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf Lesson 3 – The Recycle Bin], by Steve Hailey
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], January 22, 2008

=== Malware/Rootkits ===
* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013

=== Program execution ===
* [http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html HowTo: Determine Program Execution], by [[Harlan Carvey]], July 06, 2013
* [http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html It Is All About Program Execution], by [[Corey Harrell]], January 14, 2014
* [http://sysforensics.org/2014/01/know-your-windows-processes.html Know your Windows Processes or Die Trying], by [[Patrick Olsen]], January 18, 2014

=== Tracking removable media ===
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012

=== Under the hood ===
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]
* [http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx Load Library Safely], by Swamy Shivaganga Nagaraju, May 13, 2014

==== MSI ====
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013

==== Side-by-side (WinSxS) ====
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]
* [http://www.fireeye.com/resources/pdfs/fireeye-dll-sideloading.pdf DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry], by Amanda Stewart, April 2014

==== System Restore (Restore Points) ====
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]], June 16, 2007
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]

==== Crash dumps ====
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]

==== RPC ====
* [http://blogs.technet.com/b/networking/archive/2008/10/24/rpc-to-go-v-1.aspx RPC to Go v.1], by Michael Platts, October 24, 2008
* [http://blogs.technet.com/b/networking/archive/2008/12/04/rpc-to-go-v-2.aspx RPC to Go v.2], by Michael Platts, December 4, 2008

==== User Account Control (UAC) ====
* [http://blog.strategiccyber.com/2014/03/20/user-account-control-what-penetration-testers-should-know/ User Account Control – What Penetration Testers Should Know], by Raphael Mudge, March 20, 2014

==== Windows Event Logs ====
* [http://journeyintoir.blogspot.ch/2014/03/exploring-program-inventory-event-log.html Exploring the Program Inventory Event Log], by [[Corey Harrell]], March 24, 2014

==== Windows Scripting Host ====
* [https://www.mandiant.com/blog/ground-windows-scripting-host-wsh/ Going To Ground with The Windows Scripting Host (WSH)], by Devon Kerr, February 19, 2014

==== USB ====
* [https://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf USBKEY Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009
* [https://blogs.sans.org/computer-forensics/files/2009/09/USB_Drive_Enclosure-Guide.pdf USB Drive Enclosure Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009

==== WMI ====
* [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf Understanding WMI Malware], by Julius Dizon, Lennard Galang, and Marvin Cruz, July 2010

==== Windows Error Reporting (WER) ====
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
* [http://journeyintoir.blogspot.ch/2014/02/exploring-windows-error-reporting.html Exploring Windows Error Reporting], by [[Corey Harrell]], February 24, 2014

==== Windows Firewall ====
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]

==== Windows 32-bit on Windows 64-bit (WoW64) ====
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]

=== Windows XP ===
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]

[[Category:Operating systems]]
[[Category:Windows]]
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|Limited to Law Enforcement
+
|-
+
|WetStone- Live Investigator Training
+
|Oct 18-19, Atlantic City, NJ HTCIA Conference
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|Windows NT Operating System(NTOS)
+
|Oct 20-23, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Oct 21-24, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|WetStone- Live Investigator Training
+
|Oct 24-25, Gaithersburg, MD Techno Forensics Conference
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|WetStone- Steganography Investigator Training
+
|Oct 24-25, Gaithersburg, MD Techno Forensics Conference
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|EnCase&reg; v6 EnScript&reg;  Programming - Phase I
+
|Oct 28-31, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Windows Forensics
+
|Oct 28-30, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Macintosh Forensic Survival Course (MFSC)  
+
|Nov 03-07, Bern, Switzerland
+
|http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
+
|-
+
|Windows NT File System(NTFS)
+
|Nov 03-06, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Nov 04-07, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Nov 04-06, London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Internet Forensics
+
|Nov 04-06, St Paul, MN
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Nov 04-06, Albany, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|WetStone- Steganography Investigator Training
+
|Nov 11-12, Fairfax, VA
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|BlackBag Intermediate MacIntosh Forensics
+
|Nov 17-21, Washington D.C.
+
|http://www.blackbagtech.com/products/training.htm
+
|-
+
|WetStone- Hacking BootCamp for Investigators
+
|Nov 18-21, Vancouver BC
+
|https://www.wetstonetech.com/trainings.html
+
|-
+
|EnCase&reg; v6 Network Intrusion Investigations - Phase I
+
|Nov 18-21, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Nov 25-28, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Internet Forensics
+
|Nov 25-27, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Windows Internet Trace Evidence(INET)
+
|Dec 01-05, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|AccessData&reg; Windows Forensics
+
|Dec 02-04, Ft Lauderdale, FL; New York City, NY; and London, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|Fundamentals of Computer Forensics Imaging
+
|Dec 02-05, Falls Church, VA
+
|http://www.mantech.com/msma/isso.asp
+
|-
+
|Windows NT Operating System(NTOS)
+
|Dec 08-11, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Application Forensics Course
+
|Dec 08-19, Hong Kong Police College
+
|http://www.police.gov.hk/police/policecollege/english/pdl/pold.htm
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Computer Forensics II
+
|Dec 09-12, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; Internet Forensics
+
|Dec 09-11, Dallas, TX and New York City, NY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|AccessData&reg; Windows Forensics
+
|Dec 09-11, Louisville, KY
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|Limited to Law Enforcement
+
|-
+
|EnCase&reg; v6 Advanced Computer Forensics
+
|Dec 16-19, Toronto, Canada
+
|http://www.guidancesoftware.com/training/course_schedule.aspx
+
|-
+
|AccessData&reg; BootCamp
+
|Dec 16-18, Manchester, United Kingdom
+
|http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
+
|-
+
|**__2009 EVENTS__**
+
|_______2009_______
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Jan 12-16, 2009, St. Louis, MO
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Windows Internet Trace Evidence(INET)
+
|Jan 19-23, 2009, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|Linux File System for Computer Forensic Examiners(Linux)
+
|Mar 02-06, 2009, Meriden, CT
+
|http://www.nw3c.org/ocr/courses_desc.cfm
+
|Limited to Law Enforcement
+
|-
+
|}
+

Revision as of 15:40, 13 May 2014


Windows is a widespread operating system from Microsoft.

There are two main branches of Windows:

  • the DOS branch, e.g. Windows 95, 98, ME
  • the NT branch, e.g. Windows NT 4, XP, Vista

Features

  • Basic and Dynamic Disks, see: [1]

Introduced in Windows NT

Introduced in Windows 2000

Introduced in Windows XP

  • Prefetch
  • System Restore (Restore Points); also present in Windows ME

SP2

  • Windows Firewall

Introduced in Windows Server 2003

  • Volume Shadow Copies

Introduced in Windows Vista

Introduced in Windows Server 2008

Introduced in Windows 7

Introduced in Windows 8

Introduced in Windows Server 2012

Forensics

Partition layout

In the default partition layout, the first partition starts:

  • at sector 63 in Windows 2000, XP, 2003
  • at sector 2048 in Windows Vista, 2008, 7

Filesystems

Recycle Bin

The Recycle Bin contains "Recycled" files. Moving files and directories to the Recycle Bin is also referred to as soft deletion, since the files are not removed from the file system.

RECYCLER

The Recycler format is used by Windows 2000, XP.

The per-user Recycle Bin folder has the form:

C:\Recycler\%SID%\

Which contains:

  • INFO2 file: metadata for the "Recycled" files

$RECYCLE.BIN

The $Recycle.Bin format is used as of Windows Vista.

The per-user Recycle Bin folder has the form:

C:\$Recycle.Bin\%SID%\

Which contains:

  • $I files: metadata for one "Recycled" file each (original path, size and deletion time)
  • $R files: the original file data
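As an added example (not code from the wiki page), a Python parser for the $I metadata records described above. The field layout it assumes is the known on-disk format for Vista through Windows 8 (version 1) and, going beyond the page, the length-prefixed version 2 layout used since Windows 10; the sample records are constructed inline, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone
# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a Windows FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_dollar_i(data: bytes) -> dict:
    """Parse one $I<id> record from C:\\$Recycle.Bin\\%SID%\\.
    Assumed layout (the known on-disk format, not stated on the wiki page):
      0x00 u64 version: 1 = Vista/7/8 (fixed 520-byte path), 2 = Windows 10+
      0x08 u64 original file size in bytes
      0x10 u64 deletion time as FILETIME
      0x18 path: v1 = 260 UTF-16LE chars, NUL padded; v2 = u32 char count, then chars
    """
    if len(data) < 24:
        raise ValueError("$I record truncated: header incomplete")
    version, size, ftime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        if len(raw) < 520:
            raise ValueError("$I v1 record truncated: path field incomplete")
    elif version == 2:
        if len(data) < 28:
            raise ValueError("$I v2 record truncated: path length missing")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("$I v2 record truncated: path shorter than declared")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]   # stop at the NUL terminator
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ftime), "path": path}

def build_dollar_i(path: str, size: int, deleted_utc: datetime, version: int = 1) -> bytes:
    """Build a $I record; used here only to construct sample input for the parser."""
    ticks = ((deleted_utc - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    utf16 = (path + "\x00").encode("utf-16-le")
    body = utf16.ljust(520, b"\x00") if version == 1 else struct.pack("<I", len(utf16) // 2) + utf16
    return struct.pack("<QQQ", version, size, ticks) + body

# Constructed sample records (not taken from a real system)
SAMPLE_PATH = r"C:\Users\alice\Documents\notes.txt"
SAMPLE_DELETED = datetime(2014, 5, 13, 15, 40, tzinfo=timezone.utc)
SAMPLE_V1 = build_dollar_i(SAMPLE_PATH, 4096, SAMPLE_DELETED, 1)
SAMPLE_V2 = build_dollar_i(SAMPLE_PATH, 4096, SAMPLE_DELETED, 2)
```

Run `parse_dollar_i` over each $I file in a user's $Recycle.Bin folder to recover the original path and deletion time of the matching $R file; a record whose declared path runs past the end of the file is rejected rather than partially decoded.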

Registry

The Windows Registry is a database of keys and values that provides a wealth of information to forensic investigators.

Thumbs.db Files

Thumbs.db files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the investigator.

See also: Vista thumbcache.

Browser Cache

Browser History

The Web Browser History files can contain significant information. The default web browser that comes with Windows is Microsoft Internet Explorer but other common browsers on Windows are Apple Safari, Google Chrome, Mozilla Firefox and Opera.

Search

See Windows Desktop Search

Setup API Logs

Windows Vista introduced several new Setup API Log files.

Also see [2].

Sleep/Hibernation

After Windows 7 (at least) recovers from sleep or hibernation, there is often a system time change event (event id 1) in the event logs.

Users

Windows stores users' Security Identifiers (SIDs) under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

The %SID%\ProfileImagePath value should also contain the username.

Windows Error Reporting (WER)

As of Vista, for applications elevated through User Account Control (UAC), WER reports can be found in:

C:\ProgramData\Microsoft\Windows\WER\

As of Vista, for applications running without UAC elevation (LUA), WER reports can be found in:

C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\

Corresponding registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting

Advanced Format (4KB Sector) Hard Drives

Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see Advanced Format.

%SystemRoot%

The actual value of %SystemRoot% is stored in the following registry value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot

See Also

External Links

Recycle Bin

Malware/Rootkits

Program execution

Tracking removable media

Under the hood

MSI

Side-by-side (WinSxS)

System Restore (Restore Points)

Crash dumps

RPC

User Account Control (UAC)

Windows Event Logs

Windows Scripting Host

USB

WMI

Windows Error Reporting (WER)

Windows Firewall

Windows 32-bit on Windows 64-bit (WoW64)

Windows XP