Difference between pages "Adrian Santangelo" and "Windows 7"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Formatting, added additional information)
 
 
Line 1: Line 1:
[[File:AdrianSantangelo.jpg|200px|thumb|right|Adrian Santangelo]] Adrian Santangelo has over a decade of computer forensic experience which started with deep roots in information and network security. He has been a self-employed computer security and forensic consultant all his adult life. After starting ISC Unlimited as a computer security consulting firm in 1996, he quickly branched out to digital forensics and cyber sleuthing. He has been an active participant in many online forums and mailing list discussions, with plenty of information readily available about him with a simple Google search. (Much of his online security history has been done under an alias.)
 
  
He currently owns and operates Interpreting Technology, an information technology consulting firm. In Feb 2012, he was sworn in as a Skagit County Sheriff's Deputy, commissioned for computer crime and forensics. (He is currently a computer crime and forensic consultant to both law enforcement  and attorneys.) His current career goal is to branch out as either a law enforcement team leader for digital forensics, focusing on northwest Washington state, or to continue to be a professional forensics consultant to the public and private sector. He is well known locally for his network security and computer repair talents. Currently held (or close to acquiring) certifications include: MCP, MNE, A+, Security+, Network+, MCSE, CCNA, CEH, CISSP, CFCE, CCE, and CHFI.
 
  
On this wiki, Adrian Santangelo is known as [[User:Adrian Santangelo]].
+
== File Structure ==
 +
File systems are covered separately.
  
== External Links ==  
+
== SSD ==
* [http://www.ISC-Unlimited.com/ ISC Unlimited (no longer maintained)]
+
Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.
* [http://www.InterpretingTech.com/ Interpreting Technology]
+
* [http://www.skagitcounty.net/Common/asp/default.asp?d=Sheriff&c=General&p=main.htm Skagit County Sheriff's Department]
+
* [http://www.LinkedIn.com/in/AdrianSantangelo/ LinkedIn Profile]
+
* [http://www.facebook.com/InterpretingTech Business Facebook Page]
+
* [http://www.facebook.com/Adrian.Santangelo Personal Facebook Page]
+
* [http://adriansantangelo.brandyourself.com/ BrandYourself Profile]
+
  
[[Category:People]]
+
Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:
 +
<i>Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.</i>
 +
 
 +
 +
 
 +
 
 +
== Jump Lists ==
 +
[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).
 +
 
 +
== Registry ==
 +
The [[Windows_Registry]] remains a central component of the Windows 7 operating system.
 +
 
 +
=== Known Registry keys of forensic interest ===
 +
 
 +
====SAM Registry====
 +
*SAM\SAM\Domains\Account\Users
 +
*SAM\SAM\Domains\Builtin\Aliases
 +
 
 +
 
 +
====Security Registry====
 +
 
 +
*Security\Policy\PolAcDmSPolicy\PolPrDmS
 +
*Security\Policy\PolAdtEv
 +
*Security\Policy\Secrets
 +
 
 +
====NTUSER Registry====
 +
*NTUSER\Control Panel\Desktop
 +
*NTUSER\Control Panel\don\
 +
*NTUSER\Environment
 +
*NTUSER\Network
 +
*NTUSER\Printers\Settings\Wizard\ConnectMRU
 +
*NTUSER\Software\Adobe\Acrobat Reader\Software\Adobe\Acrobat Reader\
 +
*NTUSER\Software\Ahead
 +
*NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
 +
*NTUSER\Software\Ares
 +
*NTUSER\Software\bindshell.net\Odysseus
 +
*NTUSER\Software\Blizzard Entertainment\Warcraft III\String
 +
*NTUSER\Software\Cain\Settings
 +
*NTUSER\Software\DECAFme
 +
*NTUSER\Software\Google\Google Toolbar\4.0\whitelist
 +
*NTUSER\Software\Google\NavClient\1.1\History
 +
*NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
 +
*NTUSER\Software\JavaSoft\Prefs\haven
 +
*NTUSER\Software\Microsoft
 +
*NTUSER\Software\Microsoft\Command Processor
 +
*NTUSER\Software\Microsoft\Dependency Walker\Recent File List
 +
*NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
 +
*NTUSER\Software\Microsoft\Internet Explorer\Main
 +
*NTUSER\Software\Microsoft\Internet Explorer\MainSoftware\Microsoft\Windows\CurrentVersion\Explorer\AutoCompleteSoftware\Microsoft\Internet Account Manager\Accounts
 +
*NTUSER\Software\Microsoft\Internet Explorer\Settings
 +
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
 +
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
 +
*NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
 +
*NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
 +
*NTUSER\Software\Microsoft\Multimedia\OtherSoftware\Microsoft\CTF\LangBarAddIn
 +
*NTUSER\Software\Microsoft\Office\14.0Software\Microsoft\Office\14.0
 +
*NTUSER\Software\Microsoft\Office\Software\Microsoft\Office\
 +
*NTUSER\Software\Microsoft\OfficeSoftware\Microsoft\Office\
 +
*NTUSER\Software\Microsoft\PIMSRV
 +
*NTUSER\Software\Microsoft\Search Assistant\ACMru
 +
*NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
 +
*NTUSER\Software\Microsoft\Terminal Server Client\DefaultSoftware\Microsoft\Terminal Server Client\Servers
 +
*NTUSER\Software\Microsoft\Terminal Server Client\Servers
 +
*NTUSER\Software\Microsoft\User Location Service\Client
 +
*NTUSER\Software\Microsoft\Windows Live Contacts\Database
 +
*NTUSER\Software\Microsoft\Windows Live Mail
 +
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
 +
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
 +
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
 +
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
 +
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
 +
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet SettingsSoftware\Microsoft\Internet Explorer\Main\WindowsSearch
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
 +
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
 +
*NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
 +
*NTUSER\Software\Nico Mak Computing\WinZip
 +
*NTUSER\Software\ORL\VNCHooks\Application_Prefs
 +
*NTUSER\Software\ORL\VNCviewer\MRUSoftware\RealVNC\VNCViewer4\MRU
 +
*NTUSER\Software\Piriform\CCleaner
 +
*NTUSER\Software\Privoxy
 +
*NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
 +
*NTUSER\Software\RealVNC\VNCViewer4\MRU
 +
*NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
 +
*NTUSER\Software\Skype
 +
*NTUSER\Software\SmartLine Vision\aports
 +
*NTUSER\Software\SysInternals
 +
*NTUSER\Software\Sysinternals\RootkitRevealer
 +
*NTUSER\Software\VMware
 +
*NTUSER\Software\WinRAR\ArcHistory
 +
 
 +
== See Also =
 +
* [[Windows]]
 +
 
 +
[[Category:Operating systems]]

Revision as of 07:58, 14 September 2013


File Structure

File systems are covered separately.

SSD

Per MS KB2727880, when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, this TechNet post states: Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.



Jump Lists

Jump Lists are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

Registry

The Windows_Registry remains a central component of the Windows 7 operating system.

Known Registry keys of forensic interest

SAM Registry

  • SAM\SAM\Domains\Account\Users
  • SAM\SAM\Domains\Builtin\Aliases


Security Registry

  • Security\Policy\PolAcDmSPolicy\PolPrDmS
  • Security\Policy\PolAdtEv
  • Security\Policy\Secrets

NTUSER Registry

  • NTUSER\Control Panel\Desktop
  • NTUSER\Control Panel\don\
  • NTUSER\Environment
  • NTUSER\Network
  • NTUSER\Printers\Settings\Wizard\ConnectMRU
  • NTUSER\Software\Adobe\Acrobat Reader\Software\Adobe\Acrobat Reader\
  • NTUSER\Software\Ahead
  • NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
  • NTUSER\Software\Ares
  • NTUSER\Software\bindshell.net\Odysseus
  • NTUSER\Software\Blizzard Entertainment\Warcraft III\String
  • NTUSER\Software\Cain\Settings
  • NTUSER\Software\DECAFme
  • NTUSER\Software\Google\Google Toolbar\4.0\whitelist
  • NTUSER\Software\Google\NavClient\1.1\History
  • NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
  • NTUSER\Software\JavaSoft\Prefs\haven
  • NTUSER\Software\Microsoft
  • NTUSER\Software\Microsoft\Command Processor
  • NTUSER\Software\Microsoft\Dependency Walker\Recent File List
  • NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
  • NTUSER\Software\Microsoft\Internet Explorer\Main
  • NTUSER\Software\Microsoft\Internet Explorer\MainSoftware\Microsoft\Windows\CurrentVersion\Explorer\AutoCompleteSoftware\Microsoft\Internet Account Manager\Accounts
  • NTUSER\Software\Microsoft\Internet Explorer\Settings
  • NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
  • NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
  • NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
  • NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
  • NTUSER\Software\Microsoft\Multimedia\OtherSoftware\Microsoft\CTF\LangBarAddIn
  • NTUSER\Software\Microsoft\Office\14.0Software\Microsoft\Office\14.0
  • NTUSER\Software\Microsoft\Office\Software\Microsoft\Office\
  • NTUSER\Software\Microsoft\OfficeSoftware\Microsoft\Office\
  • NTUSER\Software\Microsoft\PIMSRV
  • NTUSER\Software\Microsoft\Search Assistant\ACMru
  • NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
  • NTUSER\Software\Microsoft\Terminal Server Client\DefaultSoftware\Microsoft\Terminal Server Client\Servers
  • NTUSER\Software\Microsoft\Terminal Server Client\Servers
  • NTUSER\Software\Microsoft\User Location Service\Client
  • NTUSER\Software\Microsoft\Windows Live Contacts\Database
  • NTUSER\Software\Microsoft\Windows Live Mail
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
  • NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
  • NTUSER\Software\Microsoft\Windows\CurrentVersion
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet SettingsSoftware\Microsoft\Internet Explorer\Main\WindowsSearch
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
  • NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
  • NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
  • NTUSER\Software\Nico Mak Computing\WinZip
  • NTUSER\Software\ORL\VNCHooks\Application_Prefs
  • NTUSER\Software\ORL\VNCviewer\MRUSoftware\RealVNC\VNCViewer4\MRU
  • NTUSER\Software\Piriform\CCleaner
  • NTUSER\Software\Privoxy
  • NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
  • NTUSER\Software\RealVNC\VNCViewer4\MRU
  • NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
  • NTUSER\Software\Skype
  • NTUSER\Software\SmartLine Vision\aports
  • NTUSER\Software\SysInternals
  • NTUSER\Software\Sysinternals\RootkitRevealer
  • NTUSER\Software\VMware
  • NTUSER\Software\WinRAR\ArcHistory

= See Also