Difference between pages "Windows 7" and "Windows 8"

From ForensicsWiki
(Difference between pages)
(Prefetch)
 
(Prefetch)
 
Line 1: Line 1:
 +
Initially Windows 8 had a workstation and server edition. The server edition became Windows Server 2012.
 +
 
== New Features ==
 
== New Features ==
* [[BitLocker Disk Encryption | BitLocker To Go]]
+
The following new features were introduced in Windows 8:
* [[Jump Lists]]
+
* [[Windows Shadow Volumes | File History]]
* [[Sticky Notes]]
+
* [[Windows Storage Spaces | Storage Spaces]]
 +
* [[Search Charm History]]
  
 
== File System ==  
 
== File System ==  
The file system used by Windows 7 is primarily [[NTFS]].
+
The file system used by Windows 8 is primarily [[NTFS]].
  
== SSD ==
+
The [[Resilient File System (ReFS)]] was initially available in the Windows 8 server edition but became part of Windows 2012 server edition.
Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.
+
 
+
Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:
+
<blockquote>
+
Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.
+
</blockquote>
+
  
 
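Review bot: The ReFS sentence in the File System section calls the server product "Windows 2012 server edition", while the opening line of the page calls it "Windows Server 2012"; use one name, "Windows Server 2012", in both places. The sentence also leaves open whether the Windows 8 workstation edition can use ReFS at all, which is the fact an examiner reading this page needs, so state it explicitly next to the NTFS line.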
== Jump Lists ==
 
== Jump Lists ==
[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).
+
[[Jump Lists]] are Task Bar artifacts that were first introduced on Windows 7 and are also available on Windows 8.
  
 
== [[Prefetch]] ==
 
== [[Prefetch]] ==
 
The prefetch hash function is similar to [[Windows 2008]].
 
The prefetch hash function is similar to [[Windows 2008]].
  
== Registry ==
+
The [[Windows Prefetch File Format]] was changed on Windows 8.1 to version 26.
The [[Windows_Registry|Windows Registry]] remains a central component of the Windows 7 operating system.
+
 
+
=== Known Registry keys of forensic interest ===
+
 
+
====SAM Registry====
+
*SAM\SAM\Domains\Account\Users
+
*SAM\SAM\Domains\Builtin\Aliases
+
 
+
 
+
====Security Registry====
+
 
+
*Security\Policy\PolAcDmSPolicy\PolPrDmS
+
*Security\Policy\PolAdtEv
+
*Security\Policy\Secrets
+
  
====NTUSER Registry====
+
== Registry ==
*NTUSER\Control Panel\Desktop
+
The [[Windows_Registry|Windows Registry]] remains a core component of the Windows operating system.
*NTUSER\Control Panel\don\
+
*NTUSER\Environment
+
*NTUSER\Network
+
*NTUSER\Printers\Settings\Wizard\ConnectMRU
+
*NTUSER\Software\Adobe\Acrobat Reader\Software\Adobe\Acrobat Reader\
+
*NTUSER\Software\Ahead
+
*NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
+
*NTUSER\Software\Ares
+
*NTUSER\Software\bindshell.net\Odysseus
+
*NTUSER\Software\Blizzard Entertainment\Warcraft III\String
+
*NTUSER\Software\Cain\Settings
+
*NTUSER\Software\DECAFme
+
*NTUSER\Software\Google\Google Toolbar\4.0\whitelist
+
*NTUSER\Software\Google\NavClient\1.1\History
+
*NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
+
*NTUSER\Software\JavaSoft\Prefs\haven
+
*NTUSER\Software\Microsoft
+
*NTUSER\Software\Microsoft\Command Processor
+
*NTUSER\Software\Microsoft\Dependency Walker\Recent File List
+
*NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
+
*NTUSER\Software\Microsoft\Internet Explorer\Main
+
*NTUSER\Software\Microsoft\Internet Explorer\MainSoftware\Microsoft\Windows\CurrentVersion\Explorer\AutoCompleteSoftware\Microsoft\Internet Account Manager\Accounts
+
*NTUSER\Software\Microsoft\Internet Explorer\Settings
+
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
+
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
+
*NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
+
*NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
+
*NTUSER\Software\Microsoft\Multimedia\OtherSoftware\Microsoft\CTF\LangBarAddIn
+
*NTUSER\Software\Microsoft\Office\14.0Software\Microsoft\Office\14.0
+
*NTUSER\Software\Microsoft\Office\Software\Microsoft\Office\
+
*NTUSER\Software\Microsoft\OfficeSoftware\Microsoft\Office\
+
*NTUSER\Software\Microsoft\PIMSRV
+
*NTUSER\Software\Microsoft\Search Assistant\ACMru
+
*NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
+
*NTUSER\Software\Microsoft\Terminal Server Client\DefaultSoftware\Microsoft\Terminal Server Client\Servers
+
*NTUSER\Software\Microsoft\Terminal Server Client\Servers
+
*NTUSER\Software\Microsoft\User Location Service\Client
+
*NTUSER\Software\Microsoft\Windows Live Contacts\Database
+
*NTUSER\Software\Microsoft\Windows Live Mail
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet SettingsSoftware\Microsoft\Internet Explorer\Main\WindowsSearch
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
+
*NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
+
*NTUSER\Software\Nico Mak Computing\WinZip
+
*NTUSER\Software\ORL\VNCHooks\Application_Prefs
+
*NTUSER\Software\ORL\VNCviewer\MRUSoftware\RealVNC\VNCViewer4\MRU
+
*NTUSER\Software\Piriform\CCleaner
+
*NTUSER\Software\Privoxy
+
*NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
+
*NTUSER\Software\RealVNC\VNCViewer4\MRU
+
*NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
+
*NTUSER\Software\Skype
+
*NTUSER\Software\SmartLine Vision\aports
+
*NTUSER\Software\SysInternals
+
*NTUSER\Software\Sysinternals\RootkitRevealer
+
*NTUSER\Software\VMware
+
*NTUSER\Software\WinRAR\ArcHistory
+
  
 
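Review bot: Several bullets in the NTUSER key list run two or more key paths together with no separator, for example "NTUSER\Software\Microsoft\Office\14.0Software\Microsoft\Office\14.0" and "NTUSER\Software\ORL\VNCviewer\MRUSoftware\RealVNC\VNCViewer4\MRU"; split these into one bullet per key so each path can be looked up as written. The entry "NTUSER\Control Panel\don\" looks cut off and should be checked against its source, and the list would be easier to use if each key carried a short note on what it records, since the heading promises keys "of forensic interest" but gives no reason for any of them.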
== See Also ==
 
== See Also ==
 
* [[Windows]]
 
* [[Windows]]
 
* [[Windows Vista]]
 
* [[Windows Vista]]
* [[Windows 8]]
+
* [[Windows 7]]
  
 
== External Links ==
 
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Features_new_to_Windows_8 Features new to Windows 8], Wikipedia
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics Windows 8 Forensics - part 1]
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2 Windows 8 Forensics - part 2]
 +
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-3 Windows 8 Forensics - part 3]
 +
* [http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf Windows 8 Forensic Guide], by [[Amanda Thomson|Amanda C. F. Thomson]], 2012
 +
* [http://forensicfocus.com/Forums/viewtopic/t=9604/ Forensic Focus: Windows 8 Forensics - A First Look], [http://www.youtube.com/watch?v=uhCooEz9FQs&feature=youtu.be Presentation], [http://www.forensicfocus.com/downloads/windows-8-forensics-josh-brunty.pdf Slides], by [[Josh Brunty]], August 2012
 +
* [http://dfstream.blogspot.ch/2013/03/windows-8-tracking-opened-photos.html Windows 8: Tracking Opened Photos], by [[Jason Hale]], March 8, 2013
 +
* [http://dfstream.blogspot.com/2013/09/windows-8-and-81-search-charm-history.html indows 8 and 8.1: Search Charm History], by [[Jason Hale]], September 9, 2013
  
 
[[Category:Operating systems]]
 
[[Category:Operating systems]]
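Review bot: In the External Links list, the link text of the last entry reads "indows 8 and 8.1: Search Charm History"; the leading "W" is missing and the title should read "Windows 8 and 8.1: Search Charm History". The two Jason Hale entries also point at different hosts for the same blog (dfstream.blogspot.ch and dfstream.blogspot.com); use one host form for both.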

Revision as of 13:18, 20 October 2013

Initially Windows 8 had a workstation and server edition. The server edition became Windows Server 2012.

New Features

The following new features were introduced in Windows 8:

File System

The file system used by Windows 8 is primarily NTFS.

The Resilient File System (ReFS) was initially available in the Windows 8 server edition but became part of Windows 2012 server edition.

Jump Lists

Jump Lists are Task Bar artifacts that were first introduced on Windows 7 and are also available on Windows 8.

Prefetch

The prefetch hash function is similar to Windows 2008.

The Windows Prefetch File Format was changed on Windows 8.1 to version 26.

Registry

The Windows Registry remains a core component of the Windows operating system.

See Also

External Links