File Systems

From Forensics Wiki

= Conventional File Systems =

; [[ext2]], [[ext3]]
: ext2 was introduced with [[Linux]]. ext3 is a journaled version of ext2 which allows for speedy disk recovery after a crash.

; [[FAT]]
: Originally used by [[MS-DOS]]. Includes [[FAT12]] (for floppy disks), [[FAT16]] and [[FAT32]].

; [[ffs]]
: The '''Fast File System''', used by some BSD versions of [[UNIX]]; [[UFS]] was derived from it. It supports faster disk access and [[symbolic link]]s.

; [[HFS]]
: Used by [[Apple]] systems; it has been succeeded by [[HFS Plus|HFS+]].

; [[JFS]]
: IBM's Journaled File System, introduced with their flavor of UNIX (AIX).

; [[NTFS]]
: The '''New Technology File System''', introduced by [[Microsoft]] with [[Windows NT]] 4.0. Now used on [[Windows XP]].

; [[reiserfs]]
: A journaling filesystem for Linux.

; [[UFS]]
: The '''Unix File System''', introduced with [[UNIX]].

; [[XFS]]
: [[SGI]]'s high performance journaling filesystem that originated on their [[IRIX]] (flavor of [[UNIX]]) platform. XFS supports variable block sizes, is extent based, and makes extensive use of [[Btree]]s to facilitate both performance and scalability. Additionally, support is also provided for real-time environments.

= Cryptographic File Systems =

'''Cryptographic file systems,''' also known as encrypted file systems, encrypt information before it is stored on the media. Some of these file systems store encrypted files directly. Others are better thought of as device drivers, which are then used to store some of the file systems discussed above.

; [[File Vault]]
: A clever user interface to [[Apple]]'s encrypted disk images. Uses the ".sparseimage" extension on disk files.

; [[CFS]]
: Matt Blaze's '''Cryptographic File System''' for [[Unix]].
: [http://www.crypto.com/papers/cfskey.pdf Key Management in an Encrypting File System], Matt Blaze, USENIX Summer 1994 Technical Conference, Boston, MA, June 1994.
: [http://www.crypto.com/papers/cfs.pdf A Cryptographic File System for Unix], Matt Blaze, Proceedings of the First ACM Conference on Computer and Communications Security, Fairfax, VA, November 1993.

; [[Windows Encrypted File System |EFS]]
: EFS is the Encrypted File System built into versions of Microsoft Windows.

; [[NCryptfs]]
: [http://www.fsl.cs.sunysb.edu/docs/ncryptfs/ncryptfs.pdf NCryptfs: A Secure and Convenient Cryptographic File System], Charles P. Wright, Michael C. Martino, and Erez Zadok, Stony Brook University, USENIX 2003 Annual Technical Conference.

; [[TCFS]]
: '''Transparent Cryptographic File System'''.
: http://www.tcfs.it/
: http://www.tcfs.it/docs/tcfs.ps

; [[SFS]]
: '''Secure File System'''.
: http://atrey.karlin.mff.cuni.cz/~rebel/sfs/

See also [[Full Disk Encryption]], which covers disk- or appliance-based cryptographic file systems.

= External Links =

* http://en.wikipedia.org/wiki/File_system
* http://en.wikipedia.org/wiki/List_of_file_systems
* http://en.wikipedia.org/wiki/Comparison_of_file_systems

Windows 7

Latest revision as of 11:28, 3 January 2014

== New Features ==

* [[BitLocker Disk Encryption | BitLocker To Go]]
* [[Jump Lists]]
* [[Sticky Notes]]

== File System ==

The file system used by Windows 7 is primarily [[NTFS]].

== SSD ==

Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:

<blockquote>
Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.
</blockquote>

== Jump Lists ==

[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

== [[Prefetch]] ==

The prefetch hash function is similar to [[Windows 2008]].
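The Prefetch section above states only that the Windows 7 hash resembles the Windows 2008 one. The following is an added example (my code, not from this wiki page or from Microsoft) that reproduces the publicly documented SCCA 2008 and SCCA Vista hash functions and uses them to check that a .pf file name is consistent with the path it claims to represent; a mismatch between the eight hex digits in the name and the hash of the executable path is a sign that the file was renamed or does not belong to that path. Assumptions, labelled in the code: the hashed input is the executable's full device-form path, upper-cased, taken one UTF-16 code unit at a time; the sample path is constructed; the helper names (`scca_2008_hash`, `check_prefetch_name`, etc.) are mine.

```python
"""Prefetch (SCCA) path hashes and a .pf file-name consistency check.

Added example, not code from the Forensics Wiki page. Assumption: the hash
input is the executable's full path in device form
(\\DEVICE\\HARDDISKVOLUMEn\\...), upper-cased, one UTF-16 code unit at a time.
"""
import re

MASK32 = 0xFFFFFFFF

# Constructed sample path (not taken from the page).
SAMPLE_PATH = r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NOTEPAD.EXE"


def _code_units(path: str):
    """Yield the UTF-16LE code units of the upper-cased path as integers."""
    data = path.upper().encode("utf-16-le")
    for i in range(0, len(data), 2):
        yield data[i] | (data[i + 1] << 8)


def scca_2008_hash(path: str) -> int:
    """SCCA 2008 hash: seed 314159, then h = h*37 + unit for every code unit.

    The published form consumes eight units per round using the constants
    442596621 (37**7 mod 2**32) and 803794207 (-(37**8) mod 2**32); that is
    the same polynomial, so this plain loop gives identical results.
    """
    h = 314159
    for unit in _code_units(path):
        h = (h * 37 + unit) & MASK32
    return h


def scca_2008_hash_unrolled(path: str) -> int:
    """The eight-units-per-round form, kept as a cross-check of the loop above."""
    units = list(_code_units(path))
    n, i, h = len(units), 0, 314159
    while i + 8 < n:
        v = units[i + 1] * 37
        for k in range(2, 7):            # units i+2 .. i+6
            v = (v + units[i + k]) * 37
        v += units[i] * 442596621 + units[i + 7]
        h = (v - h * 803794207) & MASK32
        i += 8
    while i < n:                         # remaining units, one at a time
        h = (h * 37 + units[i]) & MASK32
        i += 1
    return h


def scca_vista_hash(path: str) -> int:
    """SCCA Vista hash: same loop as 2008, followed by a final multiply by 314159."""
    return (scca_2008_hash(path) * 314159) & MASK32


PF_NAME_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


def expected_prefetch_name(path: str) -> str:
    """Build the .pf file name Windows 7 would use for this executable path."""
    exe = path.rsplit("\\", 1)[-1].upper()
    return f"{exe}-{scca_2008_hash(path):08X}.pf"


def check_prefetch_name(pf_name: str, path: str):
    """Return (ok, reason): does pf_name match the executable name and path hash?"""
    m = PF_NAME_RE.match(pf_name)
    if not m:
        return False, "not a prefetch file name"
    if m.group("exe").upper() != path.rsplit("\\", 1)[-1].upper():
        return False, "executable name in file name does not match path"
    if int(m.group("hash"), 16) != scca_2008_hash(path):
        return False, "hash mismatch: renamed file or a different executable path"
    return True, "file name and hash are consistent with the path"


if __name__ == "__main__":
    name = expected_prefetch_name(SAMPLE_PATH)
    print(name, check_prefetch_name(name, SAMPLE_PATH))
    other = SAMPLE_PATH.replace("VOLUME1", "VOLUME2")
    print(name, check_prefetch_name(name, other))
```

In triage, pair this with the executable path recorded inside the .pf file (or with the path you expect for that binary) rather than trusting the file name alone; the hash is case-insensitive because the path is upper-cased before hashing, and the same executable copied to another volume or directory yields a different .pf name.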

== Registry ==

The [[Windows_Registry|Windows Registry]] remains a central component of the Windows 7 operating system.

=== Known Registry keys of forensic interest ===

==== SAM Registry ====

* SAM\SAM\Domains\Account\Users
* SAM\SAM\Domains\Builtin\Aliases

==== Security Registry ====

* Security\Policy\PolAcDmS
* Security\Policy\PolAdtEv
* Security\Policy\PolPrDmS
* Security\Policy\Secrets

==== NTUSER Registry ====

* NTUSER\Control Panel\Desktop
* NTUSER\Control Panel\don\
* NTUSER\Environment
* NTUSER\Network
* NTUSER\Printers\Settings\Wizard\ConnectMRU
* NTUSER\Software\Adobe\Acrobat Reader
* NTUSER\Software\Ahead
* NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
* NTUSER\Software\Ares
* NTUSER\Software\bindshell.net\Odysseus
* NTUSER\Software\Blizzard Entertainment\Warcraft III\String
* NTUSER\Software\Cain\Settings
* NTUSER\Software\DECAFme
* NTUSER\Software\Google\Google Toolbar\4.0\whitelist
* NTUSER\Software\Google\NavClient\1.1\History
* NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
* NTUSER\Software\JavaSoft\Prefs\haven
* NTUSER\Software\Microsoft
* NTUSER\Software\Microsoft\Command Processor
* NTUSER\Software\Microsoft\CTF\LangBarAddIn
* NTUSER\Software\Microsoft\Dependency Walker\Recent File List
* NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
* NTUSER\Software\Microsoft\Internet Account Manager\Accounts
* NTUSER\Software\Microsoft\Internet Explorer\Main
* NTUSER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
* NTUSER\Software\Microsoft\Internet Explorer\Settings
* NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
* NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
* NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
* NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
* NTUSER\Software\Microsoft\Multimedia\Other
* NTUSER\Software\Microsoft\Office
* NTUSER\Software\Microsoft\Office\14.0
* NTUSER\Software\Microsoft\PIMSRV
* NTUSER\Software\Microsoft\Search Assistant\ACMru
* NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
* NTUSER\Software\Microsoft\Terminal Server Client\Default
* NTUSER\Software\Microsoft\Terminal Server Client\Servers
* NTUSER\Software\Microsoft\User Location Service\Client
* NTUSER\Software\Microsoft\Windows Live Contacts\Database
* NTUSER\Software\Microsoft\Windows Live Mail
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
* NTUSER\Software\Microsoft\Windows\CurrentVersion
* NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
* NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
* NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
* NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
* NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
* NTUSER\Software\Nico Mak Computing\WinZip
* NTUSER\Software\ORL\VNCHooks\Application_Prefs
* NTUSER\Software\ORL\VNCviewer\MRU
* NTUSER\Software\Piriform\CCleaner
* NTUSER\Software\Privoxy
* NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
* NTUSER\Software\RealVNC\VNCViewer4\MRU
* NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
* NTUSER\Software\Skype
* NTUSER\Software\SmartLine Vision\aports
* NTUSER\Software\SysInternals
* NTUSER\Software\Sysinternals\RootkitRevealer
* NTUSER\Software\VMware
* NTUSER\Software\WinRAR\ArcHistory

== See Also ==

* [[Windows]]
* [[Windows Vista]]
* [[Windows 8]]

== External Links ==

* [http://dfstream.blogspot.ch/2014/01/the-windows-7-event-log-and-usb-device.html The Windows 7 Event Log and USB Device Tracking], by [[Jason Hale]], January 2, 2014

[[Category:Operating systems]]