Difference between pages "Windows" and "File:3-samsung-s3-sgh-i747m-disassembly-screws.jpg"

From ForensicsWiki
{{Expand}}
 
  
'''Windows''' is a widely-spread [[operating system]] from [[Microsoft]].
 
 
There are two main branches of Windows:
 
* the DOS branch, e.g. Windows 95, 98, ME
 
* the NT branch, e.g. Windows NT 4, XP, Vista
 
 
== Features ==
 
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]
 
 
=== Introduced in Windows NT ===
 
* [[NTFS]]
 
 
=== Introduced in Windows 2000 ===
 
 
=== Introduced in Windows XP ===
 
* [[Prefetch]]
 
* System Restore (Restore Points); also present in Windows ME
 
 
==== SP2 ====
 
* Windows Firewall
 
 
=== Introduced in Windows Server 2003 ===
 
* Volume Shadow Copies
 
 
=== Introduced in [[Windows Vista]] ===
 
* [[BitLocker Disk Encryption | BitLocker]]
 
* [[Windows Desktop Search | Search]] integrated in operating system
 
* [[ReadyBoost]]
 
* [[SuperFetch]]
 
* [[NTFS|Transactional NTFS (TxF)]]
 
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
 
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
 
* $Recycle.Bin
 
* [[Windows XML Event Log (EVTX)]]
 
* [[User Account Control (UAC)]]
 
 
=== Introduced in Windows Server 2008 ===
 
 
=== Introduced in [[Windows 7]] ===
 
* [[BitLocker Disk Encryption | BitLocker To Go]]
 
* [[Jump Lists]]
 
* [[Sticky Notes]]
 
 
=== Introduced in [[Windows 8]] ===
 
* [[Windows Shadow Volumes | File History]]
 
* [[Windows Storage Spaces | Storage Spaces]]
 
* [[Search Charm History]]
 
* [[Resilient File System (ReFS)]]; was initially available only in the Windows 8 server edition.
 
 
=== Introduced in Windows Server 2012 ===
 
* [[Resilient File System (ReFS)]]
 
 
== Forensics ==
 
 
=== Partition layout ===
 
Default partition layout, first partition starts:
 
* at sector 63 in Windows 2000, XP, 2003
 
* at sector 2048 in Windows Vista, 2008, 7
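As an added illustration (not part of the original ForensicsWiki page), the following Python parses the MBR partition table from a raw 512-byte sector and reports whether the lowest partition start matches the Windows 2000/XP/2003 or the Vista/2008/7 default listed above; the MBR bytes are constructed inline, not taken from a real image. A first partition at any other offset is worth noting, since it indicates the disk was not laid out by the default Windows setup.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446          # the partition table follows the boot code
ENTRY_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr_partitions(mbr: bytes) -> list:
    """Return the non-empty entries of a classic MBR partition table."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + i * 16)
        if ptype == 0 and count == 0:
            continue  # unused slot
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "start_lba": start, "sectors": count})
    return parts


def classify_first_partition(mbr: bytes) -> str:
    """Map the lowest start sector to the Windows default layouts named on the page."""
    parts = parse_mbr_partitions(mbr)
    if not parts:
        return "no partitions"
    if any(p["type"] == 0xEE for p in parts):
        return "protective MBR: disk is GPT, read the GPT header instead"
    start = min(p["start_lba"] for p in parts)
    if start == 63:
        return "sector 63: Windows 2000/XP/2003 default layout"
    if start == 2048:
        return "sector 2048: Windows Vista/2008/7 default layout"
    return f"sector {start}: not a Windows default, check how the disk was partitioned"


def build_sample_mbr(start_lba: int, sectors: int = 2097152, ptype: int = 0x07) -> bytes:
    """Constructed test MBR with a single NTFS-type entry; not from a real disk."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, ptype, b"\x00" * 3, start_lba, sectors)
    table = entry + b"\x00" * (16 * 3)
    return b"\x00" * TABLE_OFFSET + table + b"\x55\xAA"


if __name__ == "__main__":
    for lba in (63, 2048, 16065):
        print(classify_first_partition(build_sample_mbr(lba)))
```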
 
 
=== Filesystems ===
 
* [[FAT]], [[FAT|exFAT]]
 
* [[NTFS]]
 
* [[Resilient File System (ReFS) | ReFS]]
 
 
=== Recycle Bin ===
 
 
==== RECYCLER ====
 
Used by Windows 2000, XP.
 
Uses INFO2 file.
 
 
See: [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf]
 
 
==== $RECYCLE.BIN ====
 
Used by Windows Vista.
 
Uses $I and $R files.
 
 
See: [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf]
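The $I record layout described above, as an added worked example in Python (not code from the original page): parse_i_file decodes the header fields and the original path, and pair_recycle_bin_entries matches each $I metadata file with its $R content file by their shared id. The sample record is constructed inline; the version 2 branch goes beyond the Vista format the page names.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_i_file(data: bytes) -> dict:
    """Parse a $I record: 8-byte version, 8-byte original size, 8-byte FILETIME
    deletion time, then the original path. Version 1 (Vista/7): fixed 520-byte
    UTF-16LE path. Version 2 (Windows 10): 4-byte character count, then the path."""
    if len(data) < 24:
        raise ValueError("$I file too short for its 24-byte header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def pair_recycle_bin_entries(names) -> dict:
    """Match each $I<id> metadata file with its $R<id> content file; None if $R is missing."""
    meta = {n[2:]: n for n in names if n.startswith("$I")}
    return {i: (n, "$R" + i if "$R" + i in names else None) for i, n in meta.items()}


def build_sample_i_file(path: str, size: int, deleted_at: datetime) -> bytes:
    """Constructed version-1 record for testing; not from a real Recycle Bin."""
    delta = deleted_at - FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    body = path.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<QQQ", 1, size, ft) + body.ljust(520, b"\x00")
```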
 
 
=== Registry ===
 
 
The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.
 
 
=== Thumbs.db Files ===
 
 
[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].
 
 
See also: [[Vista thumbcache]].
 
 
=== Browser Cache ===
 
 
=== Browser History ===
 
 
The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]] but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].
 
 
=== Search ===
 
See [[Windows Desktop Search]]
 
 
=== Setup log files (setupapi.log) ===
 
Windows Vista introduced several setup log files [http://support.microsoft.com/kb/927521].
 
 
=== Sleep/Hibernation ===
 
 
After (at least) Windows 7 recovers from sleep or hibernation, there is often a system time change event (event ID 1) in the event logs.
 
 
=== Users ===
 
Windows stores each user's security identifier (SID) under the following registry key:
 
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
</pre>
 
 
The %SID%\ProfileImagePath value should also contain the username.
 
 
=== Windows Error Reporting (WER) ===
 
 
As of Vista, WER reports for User Account Control (UAC) elevated applications can be found in:
 
<pre>
C:\ProgramData\Microsoft\Windows\WER\
</pre>
 
 
As of Vista, WER reports for non-UAC elevated applications (LUA) can be found in:
 
<pre>
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
</pre>
 
 
Corresponding registry key:
 
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
</pre>
 
 
== Advanced Format (4KB Sector) Hard Drives ==
 
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].
 
 
== %SystemRoot% ==
 
The actual value of %SystemRoot% is stored in the following registry value:
 
<pre>
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot
</pre>
 
 
== See Also ==
 
* [[Windows Event Log (EVT)]]
 
* [[Windows XML Event Log (EVTX)]]
 
* [[Windows Vista]]
 
* [[Windows 7]]
 
* [[Windows 8]]
 
 
== External Links ==
 
 
* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
 
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
 
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
 
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
 
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013
 
 
=== Malware/Rootkits ===
 
* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013
 
 
=== Tracking removable media ===
 
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012
 
 
=== Under the hood ===
 
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
 
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
 
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
 
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
 
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]
 
 
==== MSI ====
 
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
 
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013
 
 
==== Side-by-side (WinSxS) ====
 
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
 
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
 
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
 
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
 
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
 
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
 
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]
 
 
==== Application Compatibility Database ====
 
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
 
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
 
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatibility Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
 
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatibility Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
 
* [http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
 
 
==== System Restore (Restore Points) ====
 
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
 
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
 
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]], June 16, 2007
 
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
 
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]
 
 
==== Crash dumps ====
 
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
 
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]
 
 
==== WMI ====
 
* [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf Understanding WMI Malware], by Julius Dizon, Lennard Galang, and Marvin Cruz, July 2010
 
 
==== Windows Firewall ====
 
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
 
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]
 
 
==== Windows 32-bit on Windows 64-bit (WoW64) ====
 
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]
 
 
=== Windows XP ===
 
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]
 
 
[[Category:Operating systems]]
 

Latest revision as of 17:10, 23 January 2014