Thursday, December 24, 2009

Forensic review of Windows 7 - Part I

Over the next few weeks, I will be documenting and posting some basic information about Windows 7 from a forensic perspective. I know many of you may have already encountered a Windows 7 box or have been exploring it yourself. Please feel free to post comments with whatever little forensic nuggets you have found useful.

Initially looking at a Windows 7 image, it closely resembles a Windows Vista installation (no surprise there). There are a few small differences and changes which I will document with additional posts.

Starting off simple, here is a view of a clean Windows 7 install.


Take note that there are two separate partitions. During a clean install where the disk does not contain any pre-existing partitions, the Windows 7 installation process creates two partitions, even though you specify only one. The installer warns you that an additional partition may be created, and in fact a 100MB "hidden" partition is created. There is a little trickery you can do to avoid the 100MB partition, but it is not intuitive and a typical user will not know how to avoid it, so you are likely to see two separate partitions: one of 100MB and the main partition, which by default is the remainder of the physical disk. The second partition is important because it will likely skew any link files you review. EnCase assigns volume letters in the order partitions are encountered in the partition table, so the hidden partition gets the "C" volume letter, even though it is a hidden partition and Windows does not assign it a letter. The main partition gets a "D" assignment in EnCase, but in Windows it is really "C". The contents of any shortcut files will therefore point to "C", which in EnCase is "D".

If the disk has a partition scheme already defined (i.e. it has an older version of windows or it was partitioned prior to starting the installation) then it continues to just use the one defined partition or whatever partitions were defined prior to starting the installation process.
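To make the letter skew concrete, here is an added example (my own code, not from the original post or from EnCase) that parses an MBR partition table and shows the two letter assignments side by side. The 512-byte MBR is constructed inline to mimic a clean Windows 7 install (a 100MB active NTFS partition followed by the main partition); the rule for recognising the "System Reserved" partition (first entry, bootable, NTFS, about 100MB) is a heuristic I chose for the example, and the helper names are mine.

```python
import struct

SECTOR = 512
ENTRY_FMT = '<B3sB3sII'   # status, CHS start, type, CHS end, first LBA, sector count


def build_sample_mbr():
    """Constructed sample MBR (not from a real disk): the layout a clean
    Windows 7 install leaves on an empty ~20 GB disk."""
    mbr = bytearray(512)
    entries = [
        # (status, type, first_lba, sector_count)
        (0x80, 0x07, 2048, 204800),        # 100 MB 'System Reserved', active, NTFS
        (0x00, 0x07, 206848, 41734144),    # main partition, remainder of the disk
    ]
    for i, (status, ptype, lba, count) in enumerate(entries):
        # CHS fields are the usual 0xFE 0xFF 0xFF "use LBA" filler
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i,
                         status, b'\xfe\xff\xff', ptype, b'\xfe\xff\xff', lba, count)
    mbr[510:512] = b'\x55\xaa'            # boot signature
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty primary partition entries in table order."""
    if len(mbr) < 512 or mbr[510:512] != b'\x55\xaa':
        raise ValueError('missing 0x55AA boot signature; not an MBR')
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue
        parts.append({
            'index': i,
            'bootable': status == 0x80,
            'type': ptype,
            'first_lba': lba,
            'sectors': count,
            'size_mb': count * SECTOR // (1024 * 1024),
        })
    return parts


def is_system_reserved(p):
    # Heuristic chosen for this example: first entry, active, NTFS, ~100 MB.
    return p['index'] == 0 and p['bootable'] and p['type'] == 0x07 and 90 <= p['size_mb'] <= 110


def assign_letters(parts):
    """Map partition index -> (letter shown by EnCase, letter Windows used).

    EnCase (per the post) hands out C, D, ... in partition-table order.
    Windows gives the System Reserved partition no letter, so the main
    partition is C on the live system and inside any LNK targets."""
    result = {}
    encase_letter = ord('C')
    windows_letter = ord('C')
    for p in parts:
        enc = chr(encase_letter)
        encase_letter += 1
        if is_system_reserved(p):
            win = None
        else:
            win = chr(windows_letter)
            windows_letter += 1
        result[p['index']] = (enc, win)
    return result


def encase_path_for(lnk_target, letters):
    """Translate a drive-letter path recorded in a shortcut (Windows view)
    into the volume letter the examiner sees in EnCase."""
    drive = lnk_target[0].upper()
    for enc, win in letters.values():
        if win == drive:
            return enc + lnk_target[1:]
    raise KeyError('no volume carried Windows letter %s:' % drive)


if __name__ == '__main__':
    parts = parse_mbr(build_sample_mbr())
    letters = assign_letters(parts)
    for p in parts:
        enc, win = letters[p['index']]
        print('entry %d: %6d MB  EnCase=%s  Windows=%s' % (p['index'], p['size_mb'], enc, win))
    print(encase_path_for(r'C:\Users\bob\Desktop\notes.txt', letters))
```

Run as a script it prints the 100MB entry as EnCase "C" with no Windows letter, the main partition as EnCase "D" / Windows "C", and shows that a shortcut recorded as `C:\Users\bob\Desktop\notes.txt` is found under the "D" volume in EnCase. On a real image, feed `parse_mbr()` the first 512 bytes of the physical disk instead of the constructed sample.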

A view of the typical default folders. It looks very "Vista-ish".


A view of a user's profile:



Internet History folders:

For the most part, if you have done an exam on a Vista machine, you will feel right at home with a Windows 7 image and should have no problem finding the common locations for artifacts.

5 comments:

computercourse Thursday, 24 December, 2009  

Formatting in previous versions was distorted - fixed now.

Sanjay Gautam Thursday, 24 December, 2009  

There is a video on Windows 7 Forensics at the Microsoft Law Enforcement portal, approx. 1 hr. I guess it will be helpful too.

Anonymous Thursday, 24 December, 2009  

link please?

singorama Monday, 08 November, 2010  

Yes. If the disk has a partition scheme already defined (i.e. it has an older version of windows or it was partitioned prior to starting the installation) then it continues to just use the one defined partition or whatever partitions were defined prior to starting the installation process.

updates to windows 7 Thursday, 20 September, 2012  

Hi, I wanted to share some findings of my research about Windows 7 Forensics.

Full research paper:
http://www.scribd.com/doc/22907940/First-Look-at-the-Windows-7-Forensics


Computer Forensics, Malware Analysis & Digital Investigations
