Difference between pages "Windows" and "Zeitgeist"

From ForensicsWiki

{{Expand}}

'''Windows''' is a widely used [[operating system]] from [[Microsoft]].

There are two main branches of Windows:
* the DOS branch, e.g. Windows 95, 98, ME
* the NT branch, e.g. Windows NT 4, XP, Vista

== Features ==
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]

=== Introduced in Windows NT ===
* [[NTFS]]

=== Introduced in Windows 2000 ===

=== Introduced in Windows XP ===
* [[Prefetch]]
* System Restore (Restore Points); also present in Windows ME

==== SP2 ====
* Windows Firewall

=== Introduced in Windows Server 2003 ===
* Volume Shadow Copies

=== Introduced in [[Windows Vista]] ===
* [[BitLocker Disk Encryption | BitLocker]]
* [[Windows Desktop Search | Search]] integrated in operating system
* [[ReadyBoost]]
* [[SuperFetch]]
* [[NTFS|Transactional NTFS (TxF)]]
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
* $Recycle.Bin
* [[Windows XML Event Log (EVTX)]]
* [[User Account Control (UAC)]]

=== Introduced in Windows Server 2008 ===

=== Introduced in [[Windows 7]] ===
* [[BitLocker Disk Encryption | BitLocker To Go]]
* [[Jump Lists]]
* [[Sticky Notes]]

=== Introduced in [[Windows 8]] ===
* [[Windows Shadow Volumes | File History]]
* [[Windows Storage Spaces | Storage Spaces]]
* [[Resilient File System (ReFS)]]; was initially available in the Windows 8 server edition.

=== Introduced in Windows Server 2012 ===
* [[Resilient File System (ReFS)]]

== Forensics ==

=== Partition layout ===
Default partition layout; the first partition starts:
* at sector 63 in Windows 2000, XP, 2003
* at sector 2048 in Windows Vista, 2008, 7

=== Filesystems ===
* [[FAT]], [[FAT|exFAT]]
* [[NTFS]]
* [[Resilient File System (ReFS) | ReFS]]

=== Recycle Bin ===

==== RECYCLER ====
Used by Windows 2000, XP.
Uses INFO2 file.

See: [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf]

==== $RECYCLE.BIN ====
Used by Windows Vista.
Uses $I and $R files.

See: [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf]
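The page only states that $RECYCLE.BIN keeps a $I metadata file next to each $R data file. The following Python parser is an added example written for this page; it is not code from the wiki or from the linked paper. It assumes the $I layout as documented for Vista-era systems (version 1: 8-byte version, 8-byte original size, 8-byte FILETIME deletion time, 520 bytes of UTF-16LE original path) and additionally handles the later version 2 layout (4-byte path length in UTF-16 code units followed by the path), so it goes beyond the Vista case the page describes. The sample blobs are constructed inside the script by the helper build_dollar_i; they are not real artifacts, and the helper exists only to produce test input.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a 64-bit Windows FILETIME to a timezone-aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_dollar_i(data):
    """Parse the bytes of a $RECYCLE.BIN $I<id> metadata file.

    Layout assumed by this example:
      0x00  8 bytes  version (1 = Vista/7/8, 2 = Windows 10)
      0x08  8 bytes  original file size
      0x10  8 bytes  deletion time (FILETIME)
      0x18  version 1: 520 bytes UTF-16LE path, NUL padded
            version 2: 4-byte path length (UTF-16 code units), then the path
    Raises ValueError on truncated or unknown input instead of guessing.
    """
    if len(data) < 0x18:
        raise ValueError("too short for a $I header")
    version, size, ftime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[0x18:0x18 + 520]
        if len(raw) != 520:
            raise ValueError("version 1 $I file is truncated")
    elif version == 2:
        if len(data) < 0x1C:
            raise ValueError("version 2 $I file is missing the path length")
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("version 2 $I path is truncated")
    else:
        raise ValueError("unknown $I version %d" % version)
    # The path is NUL terminated; everything after the first NUL is padding.
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(ftime),
        "original_path": path,
    }


def is_valid_dollar_i(data):
    """True if the blob parses cleanly; handy for triaging a directory of $I files."""
    try:
        parse_dollar_i(data)
        return True
    except ValueError:
        return False


def build_dollar_i(version, size, deleted_at, path):
    """Construct a $I blob. Used here only to create sample input (constructed data)."""
    delta = deleted_at - _FILETIME_EPOCH
    ftime = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    encoded = path.encode("utf-16-le")
    if version == 1:
        body = (encoded + b"\x00\x00").ljust(520, b"\x00")
        return struct.pack("<QQQ", 1, size, ftime) + body
    nchars = len(encoded) // 2 + 1  # count includes the terminating NUL
    return struct.pack("<QQQI", 2, size, ftime, nchars) + encoded + b"\x00\x00"


# Constructed samples (hypothetical users and paths, not a real artifact).
SAMPLE_TIME = datetime(2013, 9, 14, 9, 42, 0, tzinfo=timezone.utc)
SAMPLE_V1 = build_dollar_i(1, 1234, SAMPLE_TIME, r"C:\Users\alice\Documents\report.docx")
SAMPLE_V2 = build_dollar_i(2, 98765, SAMPLE_TIME, r"C:\Users\bob\notes.txt")

if __name__ == "__main__":
    for blob in (SAMPLE_V1, SAMPLE_V2):
        rec = parse_dollar_i(blob)
        print(rec["deleted_at"].isoformat(), rec["original_size"], rec["original_path"])
```

On a real image, read each $I file from `$RECYCLE.BIN\<SID>\` and pass its bytes to parse_dollar_i; the deletion time is already UTC, so no time-zone adjustment is needed before placing it on a timeline.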

=== Registry ===

The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.

=== Thumbs.db Files ===

[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].

See also: [[Vista thumbcache]].

=== Browser Cache ===

=== Browser History ===

The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]], but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].

=== Search ===
See [[Windows Desktop Search]]

=== Setup log files (setupapi.log) ===
Windows Vista introduced several setup log files [http://support.microsoft.com/kb/927521].

=== Sleep/Hibernation ===

After (at least) Windows 7 recovers from sleep/hibernation there often is a system time change event (event id 1) in the event logs.

=== Users ===
Windows stores a user's security identifiers (SIDs) under the following registry key:
 
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
</pre>

The %SID%\ProfileImagePath value should also contain the username.

=== Windows Error Reporting (WER) ===

As of Vista, for User Account Control (UAC) elevated applications WER reports can be found in:

<pre>
C:\ProgramData\Microsoft\Windows\WER\
</pre>

As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:

<pre>
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
</pre>

Corresponding registry key:

<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
</pre>

== Advanced Format (4KB Sector) Hard Drives ==
 
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].
 
 
== %SystemRoot% ==

The actual value of %SystemRoot% is stored in the following registry value:

<pre>
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot
</pre>

== See Also ==
 
* [[Windows Event Log (EVT)]]
 
* [[Windows XML Event Log (EVTX)]]
 
* [[Windows Vista]]
 
* [[Windows 7]]
 
* [[Windows 8]]
 
  
 
== External Links ==
* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013

=== Malware/Rootkits ===
* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013

=== Tracking removable media ===
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012

=== Under the hood ===
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]

==== MSI ====
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013

==== Side-by-side (WinSxS) ====
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]

==== Application Compatibility Database ====
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
* [http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012

==== System Restore (Restore Points) ====
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]], June 16, 2007
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]

==== Crash dumps ====
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]

==== Windows Firewall ====
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]

==== Windows 32-bit on Windows 64-bit (WoW64) ====
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]

=== Windows XP ===
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]

[[Category:Operating systems]]

Zeitgeist

Latest revision as of 09:42, 14 September 2013

{{Expand}}

'''Zeitgeist''' is a service which logs the user's activities and events, anywhere from files opened to websites visited and conversations.

== activity.sqlite ==
<pre>
$HOME/.local/share/zeitgeist/activity.sqlite
</pre>

event_view seems one of the more interesting tables (it is technically a view, not a table).

The timestamp is formatted in milliseconds since the POSIX epoch (Jan 1, 1970 00:00:00 UTC).

<pre>
SELECT datetime((timestamp/1000), "unixepoch"), subj_uri, subj_origin_uri, subj_text, subj_storage, event_origin_uri, actor_uri FROM event_view;
</pre>

== External Links ==
* [http://zeitgeist-project.com/ Zeitgeist Project site]
* [http://en.wikipedia.org/wiki/Zeitgeist_(framework) Wikipedia: Zeitgeist (framework)]

[[Category:Applications]]
[[Category:Linux]]
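The activity.sqlite query on the Zeitgeist page above can be exercised offline. The following Python script is an added example for this page, not code from the wiki or from the Zeitgeist project: it builds an in-memory SQLite database with a few constructed rows behind a view named event_view, using only the column names the page's query references (the base table event_raw and its schema are assumptions for the example; the real activity.sqlite schema is not reproduced), then runs a timeline query over it. Two details matter in practice. First, the modifier is written with single quotes, 'unixepoch', because that is SQLite's string-literal syntax; the double-quoted "unixepoch" in the page's query only works because SQLite falls back to treating an unknown double-quoted identifier as a string literal, a legacy behaviour that can be compiled out. Second, the page's integer division timestamp/1000 discards the milliseconds, so the script keeps the raw integer for filtering and converts it to a datetime in Python without losing precision.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed rows (hypothetical user, files and URLs; not from a real database).
# Column names follow the ones the wiki page's query selects from event_view.
SAMPLE_EVENTS = [
    (1379151720000, "file:///home/alice/report.odt", "file:///home/alice",
     "report.odt", "local", "", "application://libreoffice-writer.desktop"),
    (1379151780500, "http://example.invalid/page", "",
     "Example page", "net", "", "application://firefox.desktop"),
    (1379151840000, "file:///home/alice/notes.txt", "file:///home/alice",
     "notes.txt", "local", "", "application://gedit.desktop"),
]

# The page's query with the modifier as a standard single-quoted SQL string.
TIMELINE_QUERY = (
    "SELECT datetime((timestamp/1000), 'unixepoch'), subj_uri, subj_origin_uri, "
    "subj_text, subj_storage, event_origin_uri, actor_uri FROM event_view;"
)


def build_sample_db():
    """Create an in-memory database exposing the constructed rows through event_view."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE event_raw (timestamp INTEGER, subj_uri TEXT, subj_origin_uri TEXT, "
        "subj_text TEXT, subj_storage TEXT, event_origin_uri TEXT, actor_uri TEXT)"
    )
    conn.executemany("INSERT INTO event_raw VALUES (?,?,?,?,?,?,?)", SAMPLE_EVENTS)
    # Mirror the page: event_view is a view, not a table.
    conn.execute("CREATE VIEW event_view AS SELECT * FROM event_raw")
    return conn


def run_page_query(conn):
    """Run the page's query (single-quoted modifier) and return the rows."""
    return conn.execute(TIMELINE_QUERY).fetchall()


def ms_to_utc(ms):
    """Convert a millisecond POSIX timestamp to an aware UTC datetime, keeping the millisecond."""
    secs, millis = divmod(ms, 1000)
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=millis * 1000)


def timeline(conn, start_ms=None, end_ms=None):
    """Return (when, subj_uri, subj_text, actor_uri) tuples ordered by time.

    The optional bounds are compared against the raw integer column rather than
    a formatted string, so the comparison is exact and can use an index.
    """
    sql = "SELECT timestamp, subj_uri, subj_text, actor_uri FROM event_view WHERE 1=1"
    args = []
    if start_ms is not None:
        sql += " AND timestamp >= ?"
        args.append(start_ms)
    if end_ms is not None:
        sql += " AND timestamp <= ?"
        args.append(end_ms)
    sql += " ORDER BY timestamp"
    return [(ms_to_utc(ts), uri, text, actor)
            for ts, uri, text, actor in conn.execute(sql, args)]


if __name__ == "__main__":
    db = build_sample_db()
    for row in run_page_query(db):
        print(row)
    for when, uri, text, actor in timeline(db, start_ms=1379151750000):
        print(when.isoformat(), actor, uri)
```

To run it against a real copy of activity.sqlite, replace build_sample_db with sqlite3.connect on a working copy of the file (never the original); the event_view columns queried here are the same ones the page's query uses, so timeline and run_page_query need no change.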