Difference between pages "Windows" and "ReadyBoot"

From ForensicsWiki

{{Expand}}

'''Windows''' is a widespread [[operating system]] from [[Microsoft]].
 
 
There are two main branches of Windows:

* the DOS branch, e.g. Windows 95, 98, ME

* the NT branch, e.g. Windows NT 4, XP, Vista
 
 
== Features ==
 
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]
 
 
=== Introduced in Windows NT ===
 
* [[NTFS]]
 
 
=== Introduced in Windows 2000 ===
 
 
=== Introduced in Windows XP ===
 
* [[Prefetch]]
 
* System Restore (Restore Points); also present in Windows ME
 
 
==== SP2 ====
 
* Windows Firewall
 
 
=== Introduced in Windows 2003 (Server) ===
 
* Volume Shadow Copies
 
 
=== Introduced in Windows Vista ===
 
* [[BitLocker Disk Encryption | BitLocker]]
 
* [[Windows Desktop Search | Search]] integrated in operating system
 
* [[ReadyBoost]]
 
* [[SuperFetch]]
 
* [[NTFS|Transactional NTFS (TxF)]]
 
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
 
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
 
* $Recycle.Bin
 
* [[Windows XML Event Log (EVTX)]]
 
* [[User Account Control (UAC)]]
 
 
=== Introduced in Windows 2008 (Server) ===
 
 
=== Introduced in Windows 7 ===
 
* [[BitLocker Disk Encryption | BitLocker To Go]]
 
* [[Jump Lists]]
 
* [[Sticky Notes]]
 
 
=== Introduced in Windows 8 ===
 
* [[Windows Shadow Volumes | File History]]
 
* [[Windows Storage Spaces | Storage Spaces]]
 
* [[Resilient File System (ReFS)]]; server edition will likely be available in Windows Server 2012
 
 
== Forensics ==
 
 
=== Partition layout ===
 
Default partition layout; the first partition starts:
 
* at sector 63 in Windows 2000, XP, 2003
 
* at sector 2048 in Windows Vista, 2008, 7
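As an added example (not part of the wiki page), the following Python snippet parses the partition table of an MBR sector and reports where the first partition starts, so the value can be compared against the default start sectors listed above; the MBR bytes it runs on are constructed in the script.

```python
# Added example, not from the ForensicsWiki page: read the four 16-byte
# partition entries of a classic MBR and compare the first partition's
# starting LBA with the Windows installer defaults (63 vs. 2048).
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 446

# Starting sector of the first partition under the default installer layout.
DEFAULT_START = {63: "Windows 2000/XP/2003 default",
                 2048: "Windows Vista/2008/7 default"}


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # boot flag, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, LBA count
        boot, _chs_s, ptype, _chs_e, lba_start, lba_count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype == 0:  # unused slot
            continue
        entries.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                        "start_lba": lba_start, "sectors": lba_count})
    return entries


def classify_first_partition(mbr: bytes) -> str:
    """Describe the lowest partition start sector against the Windows defaults."""
    entries = parse_mbr(mbr)
    if not entries:
        return "no partitions defined"
    start = min(e["start_lba"] for e in entries)
    label = DEFAULT_START.get(start, "non-default start")
    return f"first partition starts at sector {start} ({label})"


def build_sample_mbr(start_lba: int, ptype: int = 0x07) -> bytes:
    """Constructed sample: one bootable NTFS (0x07) partition beginning at start_lba."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", ptype,
                        b"\x00\x00\x00", start_lba, 204800)
    return bytes(PARTITION_TABLE_OFFSET) + entry + bytes(48) + MBR_SIGNATURE


if __name__ == "__main__":
    for lba in (63, 2048, 1024):
        print(classify_first_partition(build_sample_mbr(lba)))
```

On a real image, feed the first 512 bytes of the disk to `classify_first_partition`; a start sector that matches neither default is worth a closer look at how the disk was partitioned.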
 
 
=== Filesystems ===
 
* [[FAT]], [[FAT|exFAT]]
 
* [[NTFS]]
 
* [[Resilient File System (ReFS) | ReFS]]
 
 
=== Recycle Bin ===
 
 
==== RECYCLER ====
 
Used by Windows 2000 and XP.

Uses an INFO2 file.
 
 
See: [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf]
 
 
==== $RECYCLE.BIN ====
 
Used by Windows Vista.
 
Uses $I and $R files.
 
 
See: [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf]
 
 
=== Registry ===
 
 
The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.
 
 
=== Thumbs.db Files ===
 
 
[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].
 
 
See also: [[Vista thumbcache]].
 
 
=== Browser Cache ===
 
 
=== Browser History ===
 
 
The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]] but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].
 
 
=== Search ===
 
See [[Windows Desktop Search]]
 
 
=== Setup log files (setupapi.log) ===
 
Windows Vista introduced several setup log files [http://support.microsoft.com/kb/927521].
 
 
=== Sleep/Hibernation ===
 
 
After Windows 7 (at least) resumes from sleep or hibernation, there is often a system time change event (event ID 1) in the event logs.
 
 
=== Users ===
 
Windows stores a user's security identifiers (SIDs) under the following registry key:

<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
</pre>

The %SID%\ProfileImagePath value should also contain the username.

=== Windows Error Reporting (WER) ===

As of Vista, for User Account Control (UAC) elevated applications WER reports can be found in:

<pre>
C:\ProgramData\Microsoft\Windows\WER\
</pre>

As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:

<pre>
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
</pre>

Corresponding registry key:

<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
</pre>

== Advanced Format (4KB Sector) Hard Drives ==

Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].

== %SystemRoot% ==

The actual value of %SystemRoot% is stored in the following registry value:

<pre>
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot
</pre>
 
== See Also ==

* [[Windows Event Log (EVT)]]
* [[Windows XML Event Log (EVTX)]]
* [[Windows 7]]
* [[Windows 8]]

== External Links ==

* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013

=== Malware/Rootkits ===

* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013

=== Tracking removable media ===

* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012

=== Under the hood ===

* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]

==== MSI ====

* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013

==== Side-by-side (WinSxS) ====

* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]

==== Application Compatibility Database ====

* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
* [http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012

==== System Restore (Restore Points) ====

* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]], June 16, 2007
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]

==== Crash dumps ====

* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]

==== ReadyBoost ====

* [http://en.wikipedia.org/wiki/ReadyBoost Wikipedia: ReadyBoost]
* [http://windowsir.blogspot.ch/2013/04/plugin-emdmgmt.html Plugin: EMDMgmt], by [[Harlan Carvey]], April 05, 2013
* [http://hackingexposedcomputerforensicsblog.blogspot.ch/2013/08/daily-blog-65-understanding-artifacts.html Understanding the artifacts EMDMgmt], by [[David Cowen]], August 27, 2013

==== Windows Firewall ====

* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]

==== Windows 32-bit on Windows 64-bit (WoW64) ====

* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]

=== Windows XP ===

* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]

[[Category:Operating systems]]

Latest revision of "ReadyBoot" as of 01:10, 15 April 2014

{{Expand}}

<pre>
%SystemRoot%\Prefetch\ReadyBoot
</pre>

The following files can be found in the ReadyBoot directory:

* <tt>rblayout.xin</tt>
* <tt>Trace*.fx</tt>

== See Also ==

* [[Prefetch]]
* [[SuperFetch]]
* [[Windows]]

== External Links ==

[[Category:Windows]]