Difference between revisions of "Windows 7"

From ForensicsWiki
Line 23: Line 23:
 
'''SAM Registry'''
 
'''SAM Registry'''
  
SAM SAM\\Domains\\Account\\Users
+
SAM\\SAM\\Domains\\Account\\Users
  
SAM SAM\\Domains\\Account\\UsersSAM\\Domains\\Builtin\\Aliases
+
SAM\\SAM\\Domains\\Account\\UsersSAM\\Domains\\Builtin\\Aliases
  
  
 
'''Security Registry'''
 
'''Security Registry'''
  
Security Policy\\PolAcDmSPolicy\\PolPrDmS
+
Security\\Policy\\PolAcDmSPolicy\\PolPrDmS
  
Security Policy\\PolAdtEv
+
Security\\Policy\\PolAdtEv
  
Security Policy\\Secrets
+
Security\\Policy\\Secrets
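
Review bot: In the added SAM line "SAM\\SAM\\Domains\\Account\\UsersSAM\\Domains\\Builtin\\Aliases", two key paths are still run together with nothing between "Users" and the following "SAM", and the added Security line "Security\\Policy\\PolAcDmSPolicy\\PolPrDmS" appears to have the same problem between "PolAcDmS" and "Policy". Since this edit already touches both lines, put each key on its own line and give the second key in each pair the same hive prefix that the edit adds to the others. The doubled backslashes are also carried over unchanged; registry paths are written with a single backslash as separator, so consider normalising them in the same pass.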

Revision as of 12:23, 12 September 2013


File Structure

File systems are covered separately.

SSD

Per MS KB2727880, when Windows 7 is installed on a system with an SSD, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, this TechNet post states: Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.



Jump Lists

Jump Lists are taskbar artifacts first introduced in Windows 7 (and also available in Windows 8).

Registry

The Windows Registry remains a central component of the Windows 7 operating system.

Known keys of forensic interest

SAM Registry

SAM\\SAM\\Domains\\Account\\Users

SAM\\SAM\\Domains\\Account\\Users
SAM\\Domains\\Builtin\\Aliases


Security Registry

Security\\Policy\\PolAcDmS
Policy\\PolPrDmS

Security\\Policy\\PolAdtEv

Security\\Policy\\Secrets