Difference between pages "Prefetch" and "Windows"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
(Setup log files (setupapi.log))
 
Line 1: Line 1:
 
{{Expand}}
 
{{Expand}}
Windows Prefetch files, introduced in [[Windows|Windows XP]], are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Although Prefetch is present in Windows 2003, by default it is only enabled for boot prefetching. The feature is also found in [[Windows|Windows Vista]], where it has been augmented with [[SuperFetch]], [[ReadyBoot]], and [[ReadyBoost]]. For SSD drives Prefetch is disabled by default [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx].
 
  
The Prefetch files are stored in the directory:
+
'''Windows''' is a widely-spread [[operating system]] from [[Microsoft]].
<pre>
+
%SystemRoot%\Prefetch
+
</pre>
+
  
The following files can be found in the Prefetch directory:
+
There are 2 main branches of Windows:
* <tt>*.pf</tt>, which are Prefetch files;
+
* the DOS-branch: i.e. Windows 95, 98, ME
* <tt>Ag*.db</tt> and <tt>Ag*.db.trx</tt>, which are [[SuperFetch]] files;
+
* the NT-branch: i.e. Windows NT 4, XP, Vista
* <tt>Layout.ini</tt>;
+
* <tt>PfPre_*.db</tt>;
+
* <tt>PfSvPerfStats.bin</tt>
+
  
A Prefetch file contains the name of the application, a dash, and then an eight character hash of the location from which that application was run, and a <tt>.pf</tt> extension. The filenames should be all uppercase except for the extension. E.g. a filename for [[md5deep]] would look like: <tt>MD5DEEP.EXE-4F89AB0C.pf</tt>. If an application is run from two different locations on the drive (i.e. the user runs <tt>C:\md5deep.exe</tt> and then <tt>C:\Apps\Hashing\md5deep.exe</tt>), there will be two different prefetch files in the Prefetch folder. According to MSDN up to 128 Prefetch files can be stored in the Prefetch directory [http://blogs.msdn.com/ryanmy/archive/2005/05/25/421882.aspx].
+
== Features ==
 +
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]
  
== File format ==
+
=== Introduced in Windows NT ===
Each Prefetch file has a 4-byte signature (at offset 4) "SCCA" (or in hexadecimal notation 0x53 0x43 0x43 0x41). The signature is assumed to be preceded by a 4-byte format version indicator:
+
* [[NTFS]]
* 17 (0x00000011) for [[Windows XP]] and [[Windows 2003]]
+
* 23 (0x00000017) for [[Windows Vista]], [[Windows 2008]], [[Windows 7]] and [[Windows 2012]] (note Windows 2012 has not been confirmed)
+
* 26 (0x0000001a) for [[Windows 8|Windows 8.1]] (note this could be Windows 8 as well but has not been confirmed)
+
  
For more information about the file format see: [[Windows Prefetch File Format]]
+
=== Introduced in Windows 2000 ===
  
== Metadata ==
+
=== Introduced in Windows XP ===
The Prefetch file contains various metadata.
+
* [[Prefetch]]
* The executable's name, up to 29 characters.
+
* System Restore (Restore Points); also present in Windows ME
* The run count, or number of times the application has been run.
+
* Volume related information, like volume path and volume serial number.
+
* The size of the Prefetch file (sometimes referred to as end of file (EOF)).
+
* The files and directories that were used doing the application's start-up.
+
  
=== Timestamps ===
+
==== SP2 ====
The Prefetch file contains 2 types of timestamps
+
* Windows Firewall
* The time when the application was last ran (executed). Version 26 of the Prefetch format maintains 7 previous last run times.
+
* The volume creation time (part of the volume information) of the volume the Prefetch file was created on.
+
  
The file system creation time of the Prefetch file indicates the first time the application was executed. Both the file system modification time of the Prefetch file and the embedded last run time indicate the last time the application was executed.
+
=== Introduced in Windows Server 2003 ===
 +
* Volume Shadow Copies
  
== Prefetch hash ==
+
=== Introduced in [[Windows Vista]] ===  
There are multiple known hashing functions to be used for prefetch file filename hashing, namely:
+
* [[BitLocker Disk Encryption | BitLocker]]
* SCCA XP hash function; used on Windows XP and Windows 2003
+
* [[Windows Desktop Search | Search]] integrated in operating system
* SCCA Vista hash function; used on Windows Vista
+
* [[ReadyBoost]]
* SCCA 2008 hash function; used on Windows 2008, Windows 7, (possibly: Windows 2012) and Windows 8 (including 8.1)
+
* [[SuperFetch]]
 +
* [[NTFS|Transactional NTFS (TxF)]]
 +
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
 +
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
 +
* $Recycle.Bin
 +
* [[Windows XML Event Log (EVTX)]]
 +
* [[User Account Control (UAC)]]
  
=== SCCA XP hash function ===
+
=== Introduced in Windows Server 2008 ===
A Python implementation of the SCCA XP hash function:
+
  
<pre>
+
=== Introduced in [[Windows 7]] ===
def ssca_xp_hash_function(filename):
+
* [[BitLocker Disk Encryption | BitLocker To Go]]
    hash_value = 0
+
* [[Jump Lists]]
    for character in filename:
+
* [[Sticky Notes]]
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
+
        hash_value = (hash_value * 314159269) % 0x100000000
+
        if hash_value > 0x80000000:
+
            hash_value = 0x100000000 - hash_value
+
  
    return (abs(hash_value) % 1000000007) % 0x100000000
+
=== Introduced in [[Windows 8]] ===
 +
* [[Windows File History | File History]]
 +
* [[Windows Storage Spaces | Storage Spaces]]
 +
* [[Search Charm History]]
 +
* [[Resilient File System (ReFS)]]; Was initially available in the Windows 8 server edition.
 +
 
 +
=== Introduced in Windows Server 2012 ===
 +
* [[Resilient File System (ReFS)]]
 +
 
 +
== Forensics ==
 +
 
 +
=== Partition layout ===
 +
Default partition layout, first partition starts:
 +
* at sector 63 in Windows 2000, XP, 2003
 +
* at sector 2048 in Windows Vista, 2008, 7
 +
 
 +
=== Filesystems ===
 +
* [[FAT]], [[FAT|exFAT]]
 +
* [[NTFS]]
 +
* [[Resilient File System (ReFS) | ReFS]]
 +
 
 +
=== Recycle Bin ===
 +
The Recycle Bin contains "Recycled" files. Moving files and directories to the Recycle Bin is also referred to as soft deletion, since the files are not removed from the file system.
 +
 
 +
==== RECYCLER ====
 +
The Recycler format is used by Windows 2000, XP.
 +
 
 +
Per user Recycle Bin folder in the form:
 +
<pre>
 +
C:\Recycler\%SID%\
 
</pre>
 
</pre>
  
=== SCCA Vista hash function ===
+
Which contains:
A Python implementation of the SCCA Vista hash function:
+
* INFO2 file; "Recycled" files metadata
  
 +
==== $RECYCLE.BIN ====
 +
The $Recycle.Bin is used as of Windows Vista.
 +
 +
Per user Recycle Bin folder in the form:
 
<pre>
 
<pre>
def ssca_vista_hash_function(filename):
+
C:\$Recycle.Bin\%SID%\
    hash_value = 314159
+
    for character in filename:
+
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
+
    return hash_value
+
 
</pre>
 
</pre>
  
=== SCCA 2008 hash function ===
+
Which contains:
A Python implementation of the SCCA 2008 hash function:
+
* $I files; "Recycled" file metadata
 +
* $R files; the original data
 +
 
 +
=== Registry ===
 +
 
 +
The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.
 +
 
 +
=== Thumbs.db Files ===
 +
 
 +
[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].
 +
 
 +
See also: [[Vista thumbcache]].
 +
 
 +
=== Browser Cache ===
 +
 
 +
=== Browser History ===
 +
 
 +
The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]] but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].
 +
 
 +
=== Search ===
 +
See [[Windows Desktop Search]]
 +
 
 +
=== [[Setup API Logs]] ===
 +
Windows Vista introduced several new [[Setup API Log]] files [http://support.microsoft.com/kb/927521].
 +
 
 +
=== Sleep/Hibernation ===
 +
 
 +
After (at least) Windows 7 recovers from sleep/hibernation there often is a system time change event (event id 1) in the event logs.
  
 +
=== Users ===
 +
Windows stores a users Security identifiers (SIDs) under the following registry key:
 
<pre>
 
<pre>
def ssca_2008_hash_function(filename):
+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    hash_value = 314159
+
</pre>
    filename_index = 0
+
    filename_length = len(filename)
+
    while filename_index + 8 < filename_length:
+
        character_value = ord(filename[filename_index + 1]) * 37
+
        character_value += ord(filename[filename_index + 2])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index + 3])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index + 4])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index + 5])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index + 6])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index]) * 442596621
+
        character_value += ord(filename[filename_index + 7])
+
        hash_value = ((character_value - (hash_value * 803794207)) % 0x100000000)
+
        filename_index += 8
+
  
    while filename_index < filename_length:
+
The %SID%\ProfileImagePath value should also contain the username.
      hash_value = (((37 * hash_value) + ord(filename[filename_index])) % 0x100000000)
+
      filename_index += 1
+
  
    return hash_value
+
=== Windows Error Reporting (WER) ===
 +
 
 +
As of Vista, for User Access Control (UAC) elevated applications WER reports can be found in:
 +
<pre>
 +
C:\ProgramData\Microsoft\Windows\WER\
 
</pre>
 
</pre>
  
== Registry Keys ==
+
As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:
 
<pre>
 
<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
+
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
 
</pre>
 
</pre>
  
The EnablePrefetcher Registry value can be used to disable prefetch.
+
Corresponding registry key:
 +
<pre>
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
 +
</pre>
 +
 
 +
== Advanced Format (4KB Sector) Hard Drives ==
 +
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].
 +
 
 +
== %SystemRoot% ==
 +
The actual value of %SystemRoot% is store in the following registry value:
 +
<pre>
 +
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
 +
Value: SystemRoot
 +
</pre>
  
 
== See Also ==
 
== See Also ==
* [[Prefetch XML]]
+
* [[Windows Event Log (EVT)]]
* [[ReadyBoot]]
+
* [[Windows XML Event Log (EVTX)]]
* [[SuperFetch]]
+
* [[Windows Vista]]
* [[Windows]]
+
* [[Windows 7]]
* [[Windows Prefetch File Format]]
+
* [[Windows 8]]
  
 
== External Links ==
 
== External Links ==
* [http://msdn.microsoft.com/msdnmag/issues/01/12/XPKernel/default.aspx More detail from Microsoft]
 
* [http://en.wikipedia.org/wiki/Prefetcher Wikipedia Prefetcher]
 
* [http://msdn.microsoft.com/en-us/library/ms940847(v=winembedded.5).aspx MSDN: Disabling Prefetch]
 
* [http://www.microsoft.com/whdc/driver/kernel/XP_kernel.mspx Kernel Enhancements for Windows XP], by [[Microsoft]], January 13, 2003 (Microsoft's description of Prefetch when Windows XP was introduced)
 
* [http://blogs.msdn.com/b/ryanmy/archive/2005/05/25/421882.aspx Misinformation and the The Prefetch Flag], MSDN Blogs, May 25, 2005
 
* [http://windowsir.blogspot.ch/2005/07/prefetch-file-metadata.html Prefetch file metadata], by [[Harlan Carvey]], July 13, 2005
 
* [http://windowsir.blogspot.ch/2006/04/prefetch-files-revisited.html Prefetch files, revisited], by [[Harlan Carvey]], April 13, 2006
 
* [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx Support and Q&A for Solid-State Drives], by Steven Sinofsky, May 5, 2009
 
* [http://computer-forensics.sans.org/blog/2009/08/05/de-mystifying-defrag-identifying-when-defrag-has-been-used-for-anti-forensics-part-1-windows-xp/ De-mystifying Defrag: Identifying When Defrag Has Been Used for Anti-Forensics (Part 1 - Windows XP)], by [[Chad Tilbury]], August 5, 2009
 
* [http://www.swiftforensics.com/2010/04/the-windows-prefetchfile.html Windows Prefetch File (old blog entry from 42 LLC)], by [[Yogesh Khatri]], April 14, 2010
 
* [http://www.dfinews.com/articles/2010/12/decoding-prefetch-files-forensic-purposes-part-1 Decoding Prefetch Files for Forensic Purposes: Part 1], by [[Mark Wade]], December 8, 2010
 
* [http://crucialsecurityblog.harris.com/2011/04/11/prefetch-files-at-face-value/ Prefetch Files at Face Value], by [[Mark Wade]], April 11, 2011
 
* [http://kitrap08.blogspot.hk/2011/07/windows-logical-prefetcher.html Windows Logical Prefetcher], TTS blog, July 30, 2011 (article is in Russian)
 
* [http://labit.in/pliki-prefetch-w-windows/ Prefetch i niedokładny licznik] by Paweł Hałdrzyński, August 20, 2011 (article in Polish; uncertain about the year of publication)
 
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisited.html Prefetch Analysis, Revisited], by [[Harlan Carvey]], March 8, 2012
 
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisitedagain.html Prefetch Analysis, Revisited...Again...], by [[Harlan Carvey]], March 15, 2012
 
* [http://www.hexacorn.com/blog/2012/06/13/prefetch-hash-calculator-a-hash-lookup-table-xpvistaw7w2k3w2k8/ Prefetch Hash Calculator + a hash lookup table xp/vista/w7/w2k3/w2k8], Hexacorn blog, June 13, 2012
 
* [http://www.hexacorn.com/blog/2012/10/29/prefetch-file-names-and-unc-paths/ Prefetch file names and UNC paths], Hexacorn blog, October 29, 2012
 
* [http://journeyintoir.blogspot.ch/2012/12/ntosboot-prefetch-file.html NTOSBOOT Prefetch File], by [[Corey Harrell]], December 5, 2012
 
* [http://www.invoke-ir.com/2013/09/whats-new-in-prefetch-for-windows-8.html What's New in the Prefetch for Windows 8??], by Jared Atkinson, September 21, 2013
 
* [http://www.swiftforensics.com/2013/10/windows-prefetch-pf-files.html?m=1 Windows Prefetch (.PF) files], by [[Yogesh Khatri]], October 21, 2013
 
* [http://resources.infosecinstitute.com/windows-systems-artifacts-digital-forensics-part-iii-prefetch-files/ Windows Systems and Artifacts in Digital Forensics: Part III: Prefetch Files], by Ivan Dimov, November 21, 2013
 
* [http://i.imgur.com/riuljsK.jpg Prefetch 101 -  a Windows 8 Prefetch file walkthrough], by Jared Atkinson, 2014
 
  
== Tools ==
+
* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
 +
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
 +
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
 +
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
 +
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013
 +
* [http://www.swiftforensics.com/2014/04/search-history-on-windows-8-and-81.html?m=1 Search history on Windows 8 and 8.1], by [[Yogesh Khatri's]], April 1, 2014
 +
 
 +
=== Recycle Bin ===
 +
* [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf Lesson 3 – The Recycle Bin], by Steve Hailey
 +
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by Mitchell Machor, January 22, 2008
 +
 
 +
=== Malware/Rootkits ===
 +
* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013
 +
 
 +
=== Program execution ===
 +
* [http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html HowTo: Determine Program Execution], by [[Harlan Carvey]], July 06, 2013
 +
* [http://journeyintoir.blogspot.com/2014/01/it-is-all-about-program-execution.html It Is All About Program Execution], by [[Corey Harrell]], January 14, 2014
 +
* [http://sysforensics.org/2014/01/know-your-windows-processes.html Know your Windows Processes or Die Trying], by [[Patrick Olsen]], January 18, 2014
 +
 
 +
=== Tracking removable media ===
 +
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012
 +
 
 +
=== Under the hood ===
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
 +
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
 +
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
 +
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]
 +
 
 +
==== MSI ====
 +
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
 +
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013
 +
 
 +
==== Side-by-side (WinSxS) ====
 +
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
 +
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
 +
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
 +
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
 +
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
 +
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]
 +
* [http://www.fireeye.com/resources/pdfs/fireeye-dll-sideloading.pdf DLL Side-loading: A Thorn in the Side of the Anti-Virus Industry], by Amanda Stewart, April 2014
 +
 
 +
==== Application Experience and Compatibility ====
 +
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
 +
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
 +
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
 +
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
 +
* [http://www.alex-ionescu.com/?p=41 Secrets of the Application Compatilibity Database (SDB) – Part 3], by [[Alex Ionescu]], May 26, 2007
 +
* [https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
 +
* [http://journeyintoir.blogspot.ch/2013/12/revealing-recentfilecachebcf-file.html Revealing the RecentFileCache.bcf File], by [[Corey Harrell]], December 2, 2013
 +
* [http://journeyintoir.blogspot.ch/2013/12/revealing-program-compatibility.html Revealing Program Compatibility Assistant HKCU AppCompatFlags Registry Keys], by [[Corey Harrell]], December 17, 2013
 +
 
 +
==== System Restore (Restore Points) ====
 +
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
 +
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
 +
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]],  June 16, 2007
 +
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
 +
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]
 +
 
 +
==== Crash dumps ====
 +
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
 +
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]
 +
 
 +
==== RPC ====
 +
* [http://blogs.technet.com/b/networking/archive/2008/10/24/rpc-to-go-v-1.aspx RPC to Go v.1], by Michael Platts, October 24, 2008
 +
* [http://blogs.technet.com/b/networking/archive/2008/12/04/rpc-to-go-v-2.aspx RPC to Go v.2], by Michael Platts, December 4, 2008
 +
 
 +
==== User Account Control (UAC) ====
 +
* [http://blog.strategiccyber.com/2014/03/20/user-account-control-what-penetration-testers-should-know/ User Account Control – What Penetration Testers Should Know], by Raphael Mudge, March 20, 2014
 +
 
 +
==== Windows Event Logs ====
 +
* [http://journeyintoir.blogspot.ch/2014/03/exploring-program-inventory-event-log.html Exploring the Program Inventory Event Log], by [[Corey Harrell]], March 24, 2014
 +
 
 +
==== Windows Scripting Host ====
 +
* [https://www.mandiant.com/blog/ground-windows-scripting-host-wsh/ Going To Ground with The Windows Scripting Host (WSH)], by Devon Kerr, February 19, 2014
 +
 
 +
==== USB ====
 +
* [https://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf USBKEY Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009
 +
* [https://blogs.sans.org/computer-forensics/files/2009/09/USB_Drive_Enclosure-Guide.pdf USB Drive Enclosure Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009
 +
 
 +
==== WMI ====
 +
* [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf Understanding WMI Malware], by Julius Dizon, Lennard Galang, and Marvin Cruz, July 2010
 +
 
 +
==== Windows Error Reporting (WER) ====
 +
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
 +
* [http://journeyintoir.blogspot.ch/2014/02/exploring-windows-error-reporting.html Exploring Windows Error Reporting], by [[Corey Harrell]], February 24, 2014
  
=== Commercial ===
+
==== Windows Firewall ====
 +
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
 +
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]
  
=== Free - Non Open Source ===
+
==== Windows 32-bit on Windows 64-bit (WoW64) ====
* [http://www.woanware.co.uk/forensics/prefetchforensics.html PrefetchForensics], PrefetchForensics is an application to extract information from Windows Prefetch files
+
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]
* [http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55 Prefetch-Parser], Parse the prefetch files and display information
+
* [http://www.mitec.cz/wfa.html Windows File Analyzer] - Parses Prefetch files, thumbnail databases, shortcuts, index.dat files, and the recycle bin
+
* [http://www.tzworks.net/prototype_page.php?proto_id=1 Windows Prefetch Parser (pf)], Free tool that can be run on Windows, Linux or Mac OS-X
+
  
=== Open Source ===
+
=== Windows XP ===
* [https://code.google.com/p/prefetch-tool/ prefetch-tool], Script to extract information from windows prefetch folder
+
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]
* [http://bitbucket.cassidiancybersecurity.com/prefetch-parser prefetch-parser], Standalone Python tools that parses Windows prefetch files and extracts all known and forensically relevant artefacts contained.
+
  
 +
[[Category:Operating systems]]
 
[[Category:Windows]]
 
[[Category:Windows]]

Revision as of 03:24, 15 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Windows is a widely-spread operating system from Microsoft.

There are 2 main branches of Windows:

  • the DOS-branch: i.e. Windows 95, 98, ME
  • the NT-branch: i.e. Windows NT 4, XP, Vista

Features

  • Basic and Dynamic Disks, see: [1]

Introduced in Windows NT

Introduced in Windows 2000

Introduced in Windows XP

  • Prefetch
  • System Restore (Restore Points); also present in Windows ME

SP2

  • Windows Firewall

Introduced in Windows Server 2003

  • Volume Shadow Copies

Introduced in Windows Vista

Introduced in Windows Server 2008

Introduced in Windows 7

Introduced in Windows 8

Introduced in Windows Server 2012

Forensics

Partition layout

Default partition layout, first partition starts:

  • at sector 63 in Windows 2000, XP, 2003
  • at sector 2048 in Windows Vista, 2008, 7

Filesystems

Recycle Bin

The Recycle Bin contains "Recycled" files. Moving files and directories to the Recycle Bin is also referred to as soft deletion, since the files are not removed from the file system.

RECYCLER

The Recycler format is used by Windows 2000, XP.

Per user Recycle Bin folder in the form:

C:\Recycler\%SID%\

Which contains:

  • INFO2 file; "Recycled" files metadata

$RECYCLE.BIN

The $Recycle.Bin is used as of Windows Vista.

Per user Recycle Bin folder in the form:

C:\$Recycle.Bin\%SID%\

Which contains:

  • $I files; "Recycled" file metadata
  • $R files; the original data

Registry

The Windows Registry is a database of keys and values that provides a wealth of information to forensic investigators.

Thumbs.db Files

Thumbs.db files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the investigator.

See also: Vista thumbcache.

Browser Cache

Browser History

The Web Browser History files can contain significant information. The default web browser that comes with Windows is Microsoft Internet Explorer but other common browsers on Windows are Apple Safari, Google Chrome, Mozilla Firefox and Opera.

Search

See Windows Desktop Search

Setup API Logs

Windows Vista introduced several new Setup API Log files [2].

Sleep/Hibernation

After (at least) Windows 7 recovers from sleep/hibernation there often is a system time change event (event id 1) in the event logs.

Users

Windows stores a users Security identifiers (SIDs) under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

The %SID%\ProfileImagePath value should also contain the username.

Windows Error Reporting (WER)

As of Vista, for User Access Control (UAC) elevated applications WER reports can be found in:

C:\ProgramData\Microsoft\Windows\WER\

As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:

C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\

Corresponding registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting

Advanced Format (4KB Sector) Hard Drives

Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see Advanced Format.

%SystemRoot%

The actual value of %SystemRoot% is store in the following registry value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot

See Also

External Links

Recycle Bin

Malware/Rootkits

Program execution

Tracking removable media

Under the hood

MSI

Side-by-side (WinSxS)

Application Experience and Compatibility

System Restore (Restore Points)

Crash dumps

RPC

User Account Control (UAC)

Windows Event Logs

Windows Scripting Host

USB

WMI

Windows Error Reporting (WER)

Windows Firewall

Windows 32-bit on Windows 64-bit (WoW64)

Windows XP