Submitted URL: http://www.forensickb.com/2009/12/forensic-review-of-windows-7-part-i.html
Effective URL: https://www.forensickb.com/2009/12/forensic-review-of-windows-7-part-i.html
Thursday, December 24, 2009

Forensic Review of Windows 7 - Part I

Over the next few weeks, I will be documenting and posting some basic information about Windows 7 from a forensic perspective. I know many of you may have already encountered a Windows 7 box or have been exploring it yourself. Please feel free to post comments with whatever little forensic nuggets you have found useful.

Initially looking at a Windows 7 image, it closely resembles a Windows Vista installation (no surprise there). There are a few small differences and changes which I will document in additional posts.

Starting off simple, here is a view of a clean Windows 7 install. Take note that there are two separate partitions. During a clean install where the disk does not contain any pre-existing partitions, the Windows 7 installation process creates two partitions, even though you specify one partition. The installation process warns you that an additional partition may be created, and in fact a 100MB "hidden" partition is created. There is a little trickery you can do to avoid the 100MB partition, but it's not intuitive and a typical user is unlikely to know how to avoid creating it, so you will most likely see two separate partitions: one of 100MB, and the main partition, which by default is the remainder of the physical disk.

The second partition is important because it will likely skew any link files you review. EnCase assigns drive letters in the order the partitions are encountered in the partition table, so the hidden partition gets the "C" volume letter, but in Windows it is a hidden partition and does not get a letter assignment. The main partition gets a "D" assignment in EnCase, but in Windows it is really "C". The contents of any shortcut files will therefore point to "C", which in EnCase is "D".
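As an added example (not code from the original post), the following Python parses an MBR partition table and shows where sequential tool-style volume lettering lands on a default Windows 7 layout. The sample MBR is constructed, the "NTFS partition of about 100 MB" heuristic for the hidden partition and the assumption that it receives no Windows letter are mine, and the letter mapping generalizes the post's two-partition case to any number of entries.

```python
import struct
from collections import namedtuple

SECTOR = 512                 # bytes per sector
MIB = 1024 * 1024 // SECTOR  # sectors per MiB
Partition = namedtuple("Partition", "index bootable type start_lba sectors")

def build_mbr(entries):
    """Build a 512-byte MBR from (bootable, type, start_lba, sectors) tuples (test data only)."""
    mbr = bytearray(512)
    for i, (bootable, ptype, start, size) in enumerate(entries):
        entry = struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\0\0\0", ptype, b"\0\0\0", start, size)
        mbr[446 + i * 16:446 + (i + 1) * 16] = entry   # CHS fields left zeroed; LBA fields are what tools use
    mbr[510:512] = b"\x55\xaa"                          # boot signature
    return bytes(mbr)

def parse_mbr(mbr):
    """Return the in-use entries of the four-slot MBR partition table at offset 446."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR")
    parts = []
    for i in range(4):
        boot, _, ptype, _, start, size = struct.unpack_from("<B3sB3sII", mbr, 446 + i * 16)
        if ptype != 0 and size != 0:
            parts.append(Partition(i, boot == 0x80, ptype, start, size))
    return parts

def is_system_reserved(p):
    """Heuristic (assumption): an NTFS (0x07) partition of roughly 100 MB is Windows 7's hidden partition."""
    return p.type == 0x07 and 90 <= p.sectors // MIB <= 110

def letter_map(parts):
    """Map sequential tool letters (C, D, ...) to the letter Windows would assign, or None if hidden."""
    mapping, win = {}, ord("C")
    for n, p in enumerate(parts):
        tool_letter = chr(ord("C") + n)
        if is_system_reserved(p):
            mapping[tool_letter] = None      # hidden in Windows: no drive letter
        else:
            mapping[tool_letter] = chr(win)
            win += 1
    return mapping

def tool_volume_for(parts, windows_letter):
    """Tool volume holding the path a shortcut (.lnk) records as windows_letter:\\ (None if absent)."""
    return next((t for t, w in letter_map(parts).items() if w == windows_letter), None)

SAMPLE_MBR = build_mbr([(True, 0x07, 2048, 100 * MIB),   # constructed: default Windows 7 layout, 40 GiB disk
                        (False, 0x07, 2048 + 100 * MIB, 40 * 1024 * MIB - 2048 - 100 * MIB)])
```

On the sample layout `letter_map` yields `{"C": None, "D": "C"}`, so a shortcut path on `C:\` is looked up on tool volume D.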
If the disk has a partition scheme already defined (i.e. it has an older version of Windows or it was partitioned prior to starting the installation), then the installer continues to just use the one defined partition, or whatever partitions were defined prior to starting the installation process.

A view of the typical default folders. Looks very "Vista-ish".

A view of a user's profile:

Internet History folders:

For the most part, if you have done an exam on a Vista machine, you will feel right at home with a Windows 7 image and should have no problem finding the common locations for artifacts.

Posted by Lance Mueller at Thursday, December 24, 2009
Labels: Windows 7

5 comments:

computercourse, Thursday, 24 December, 2009:
Formatting in previous versions was distorted - fixed now.

Sanjay Gautam, Thursday, 24 December, 2009:
There is a video on Windows 7 Forensics at the Microsoft Law Enforcement portal, approx 1 hr. I guess it will be helpful too.

Anonymous, Thursday, 24 December, 2009:
link please?

singorama, Monday, 08 November, 2010:
Yes. If the disk has a partition scheme already defined (i.e. it has an older version of Windows or it was partitioned prior to starting the installation) then it continues to just use the one defined partition or whatever partitions were defined prior to starting the installation process.

updates to windows 7, Thursday, 20 September, 2012:
Hi, I wanted to share some findings of my research about Windows 7 Forensics.
Full research paper: http://www.scribd.com/doc/22907940/First-Look-at-the-Windows-7-Forensics