Difference between pages "List of Jump List IDs" and "Windows 8"

From Forensics Wiki
(Difference between pages)
 
(External Links)
 
Line 1: Line 1:
== Jump Lists ==
+
Initially Windows 8 had a workstation and server edition. The server edition became Windows Server 2012.
Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions. Jump Lists come in two flavors, automatic (autodest, or *.automaticDestinations-ms) and custom (custdest, or *.customDestinations-ms) files. Autodest files are created by the operating system
+
  
Jump Lists are located in the user profile path, in the C:\Users\''user''\Recent folder.  Autodest Jump Lists are located in the automaticDestinations subdirectory, and custdest files are located in the customDestinations subdirectory.
+
== New Features ==
 +
The following new features were introduced in Windows 8:
 +
* [[Windows File History | File History]]
 +
* [[Windows Storage Spaces | Storage Spaces]]
 +
* [[Search Charm History]]
  
 +
== File System ==
 +
The file system used by Windows 8 is primarily [[NTFS]].
 +
 +
The [[Resilient File System (ReFS)]] was initially available in the Windows 8 server edition but became part of Windows 2012 server edition.
 +
 +
== Jump Lists ==
 +
[[Jump Lists]] are Task Bar artifacts that were first introduced on Windows 7 and are also available on Windows 8.
  
=== AutomaticDestinations ===
+
== [[Prefetch]] ==
Path: C:\Users\user\Recent\AutomaticDestinations
+
The prefetch hash function is similar to [[Windows 2008]].
Files: *.automaticDestinations
+
  
Structure - The autodest files follow the [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx: MS-CFB] compound file binary format specification.
+
The [[Windows Prefetch File Format]] was changed on Windows 8.1 to version 26. (note this could be Windows 8 as well but has not been confirmed)
  
 +
== Registry ==
 +
The [[Windows_Registry|Windows Registry]] remains a core component of the Windows operating system.
  
=== CustomDestinations ===
+
== Application Experience and Compatibility ==
Path: C:\Users\user\Recent\CustomDestinations
+
On Windows 8 Amcache.hve replaces RecentFileCache.bcf and uses the [[Windows NT Registry File (REGF)]] format. A common location for Amcache.hve is:
Files: *.customDestinations
+
<pre>
 +
C:\Windows\AppCompat\Programs\Amcache.hve
 +
</pre>
  
Structure
+
== See Also ==
 +
* [[Windows]]
 +
* [[Windows Vista]]
 +
* [[Windows 7]]
  
=== AppIDs ===
+
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Features_new_to_Windows_8 Features new to Windows 8], Wikipedia
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics Windows 8 Forensics - part 1]
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2 Windows 8 Forensics - part 2]
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-3 Windows 8 Forensics - part 3]
 +
* [http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf Windows 8 Forensic Guide], by [[Amanda Thomson|Amanda C. F. Thomson]], 2012
 +
* [http://forensicfocus.com/Forums/viewtopic/t=9604/ Forensic Focus: Windows 8 Forensics - A First Look], [http://www.youtube.com/watch?v=uhCooEz9FQs&feature=youtu.be Presentation], [http://www.forensicfocus.com/downloads/windows-8-forensics-josh-brunty.pdf Slides], by [[Josh Brunty]], August 2012
 +
* [http://dfstream.blogspot.ch/2013/03/windows-8-tracking-opened-photos.html Windows 8: Tracking Opened Photos], by [[Jason Hale]], March 8, 2013
 +
* [http://dfstream.blogspot.com/2013/09/windows-8-and-81-search-charm-history.html Windows 8 and 8.1: Search Charm History], by [[Jason Hale]], September 9, 2013
 +
* [http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html Amcache.hve in Windows 8 - Goldmine for malware hunters], by Yogesh Khatri, December 4, 2013
 +
* [http://www.swiftforensics.com/2013/12/amcachehve-part-2.html Amcache.hve - Part 2], by Yogesh Khatri, December 16, 2013
  
<table border="1">
+
[[Category:Operating systems]]
<tr><td>1b4dd67f29cb1962</td><td>Explorer (task bar folder icon)</td>
+
<tr><td>1bc392b8e104a00e</td><td>Remote Desktop</td></tr>
+
<tr><td>23646679aaccfae0</td><td>Adobe Reader 9 x64</td></tr>
+
<tr><td>271e609288e1210a</td><td>Access 2010 x86</td></tr>
+
<tr><td>28c8b86deab549a1</td><td>Internet Explorer x86</td></tr>
+
<tr><td>290532160612e071</td><td>WinRar x64</td></tr>
+
<tr><td>2b53c4ddf69195fc</td><td>Zune x64</td></tr>
+
<tr><td>3094cdb43bf5e9c2</td><td>OneNote 2010 x86</td></tr>
+
<tr><td>5da8f997fd5f9428</td><td>Internet Explorer x64</td></tr>
+
<tr><td>74d7f43c1561fc1e</td><td>Windows Media Player</td></tr>
+
<tr><td>9839aec31243a928</td><td>Excel 2010 x86</td></tr>
+
<tr><td>9b9cdc69c1c24e2b</td><td>Notepad x64</td></tr>
+
<tr><td>9c7cc110ff56d1bd</td><td>PowerPoint 2010 x86</td></tr>
+
<tr><td>a7bd71699cd38d1c</td><td>Word 2010 x86</td></tr>
+
<tr><td>b8c29862d9f95832</td><td>InfoPath 2010 x86</td></tr>
+
<tr><td>b91050d8b077a4e8</td><td>Windows Media Center  x64</td></tr>
+
<tr><td>be71009ff8bb02a2</td><td>Outlook x86</td></tr>
+
<tr><td>d64d36b238c843a3</td><td>InfoPath 2010 x86</td></tr>
+
<tr><td>e36bfc8972e5ab1d</td><td>XPS Viewer</td></tr>
+
<tr><td>17d3eb086439f0d7</td><td>TrueCrypt 7.0a</td></tr>
+
<tr><td>adecfb853d77462a</td><td>MSWord 2007</td></tr>
+
<tr><td>c71ef2c372d322d7</td><td>PGP Desktop 10</td></tr>
+
<tr><td>cdf30b95c55fd785</td><td>MSExcel 2007</td></tr>
+
<tr><td>f5ac5390b9115fdb</td><td>MSPowerPoint 2007</td></tr>
+
<tr><td>12dc1ea8e34b5a6</td><td>MSPaint 6.1</td></tr>
+
<tr><td>431a5b43435cc60b</td><td>Python (.pyc)</td></tr>
+
<tr><td>469e4a7982cea4d4</td><td>? (.job)</td></tr>
+
<tr><td>500b8c1d5302fc9c</td><td>(.pyw)</td></tr>
+
<tr><td>50620fe75ee0093</td><td>VMWare Player 3.1.4</td></tr>
+
<tr><td>65009083bfa6a094</td><td>(app launched via XPMode)</td></tr>
+
<tr><td>7e4dca80246863e3</td><td>Control Panel</td></tr>
+
<tr><td>83b03b46dcd30a0e</td><td>iTunes 10</td></tr>
+
<tr><td>b0459de4674aab56</td><td>(.vmcx)</td></tr>
+
</table>
+
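Review bot: the AppID table mixes ID lengths. `12dc1ea8e34b5a6` (MSPaint 6.1) and `50620fe75ee0093` (VMWare Player 3.1.4) are 15 hex digits, while every other entry is 16. State whether IDs are listed exactly as they appear in the Jump List file name or zero-padded, so that lookups against the table are unambiguous. In the same table, the `1b4dd67f29cb1962` row has no closing `</tr>`, and `b8c29862d9f95832` and `d64d36b238c843a3` both carry the label "InfoPath 2010 x86"; if two IDs are expected for one application, a short remark on what distinguishes them would help. On the Windows 8 side, the Prefetch line marks the version 26 change as unconfirmed for Windows 8; it should stay flagged that way until a Windows 8 sample has been checked.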

Latest revision as of 14:13, 16 December 2013

Initially Windows 8 had a workstation and server edition. The server edition became Windows Server 2012.

New Features

The following new features were introduced in Windows 8:

File System

The file system used by Windows 8 is primarily NTFS.

The Resilient File System (ReFS) was initially available in the Windows 8 server edition but became part of Windows 2012 server edition.

Jump Lists

Jump Lists are Task Bar artifacts that were first introduced on Windows 7 and are also available on Windows 8.

Prefetch

The prefetch hash function is similar to the one used on Windows 2008.

The Windows Prefetch File Format was changed to version 26 on Windows 8.1. (Note: this could apply to Windows 8 as well, but that has not been confirmed.)

Registry

The Windows Registry remains a core component of the Windows operating system.

Application Experience and Compatibility

On Windows 8, Amcache.hve replaces RecentFileCache.bcf and uses the Windows NT Registry File (REGF) format. A common location for Amcache.hve is:

C:\Windows\AppCompat\Programs\Amcache.hve
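
A first triage check on an acquired Amcache.hve, as an added example that is not part of the original wiki page: it validates the REGF base block and reports whether the hive is dirty (sequence numbers differ, so transaction logs may need replaying before parsing). The header offsets follow the publicly documented REGF layout rather than anything stated on this page, and the sample header is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

REGF_HEADER_SIZE = 512  # base block; the checksum covers its first 508 bytes

def regf_checksum(header: bytes) -> int:
    """XOR-32 of the first 127 little-endian dwords; 0 and 0xFFFFFFFF are remapped."""
    value = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        value ^= dword
    if value == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return value or 1

def parse_regf_header(header: bytes) -> dict:
    if len(header) < REGF_HEADER_SIZE:
        raise ValueError("REGF base block is 512 bytes; input is truncated")
    if header[:4] != b"regf":
        raise ValueError("not a REGF file (bad signature)")
    # offset 4: primary seq, secondary seq, last-written FILETIME, major, minor
    seq1, seq2, filetime, major, minor = struct.unpack_from("<IIQII", header, 4)
    root_offset, bins_size = struct.unpack_from("<II", header, 36)
    (stored,) = struct.unpack_from("<I", header, 508)
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return {
        "version": f"{major}.{minor}",
        "last_written": epoch + timedelta(microseconds=filetime // 10),
        "root_cell_offset": root_offset,
        "hive_bins_size": bins_size,
        "dirty": seq1 != seq2,  # hive was not cleanly flushed
        "checksum_ok": stored == regf_checksum(header),
    }

def build_sample_header(seq1: int = 7, seq2: int = 7) -> bytes:
    """Constructed base block for the demo, not taken from a real Amcache.hve."""
    buf = bytearray(REGF_HEADER_SIZE)
    buf[0:4] = b"regf"
    struct.pack_into("<IIQII", buf, 4, seq1, seq2, 130316256000000000, 1, 5)
    struct.pack_into("<IIII", buf, 28, 0, 1, 0x20, 0x1000)  # type, format, root, size
    struct.pack_into("<I", buf, 508, regf_checksum(bytes(buf)))
    return bytes(buf)

if __name__ == "__main__":
    # On a real image, read the first 512 bytes of the exported hive instead.
    print(parse_regf_header(build_sample_header()))
    print("dirty:", parse_regf_header(build_sample_header(seq1=8))["dirty"])
```
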

See Also

External Links