
Windows

Windows is a widely-spread operating system from Microsoft.

There are 2 main branches of Windows:

  • the DOS branch, e.g. Windows 95, 98, ME
  • the NT branch, e.g. Windows NT 4, XP, Vista

Features

Introduced in Windows NT

Introduced in Windows 2000

Introduced in Windows XP

SP2

  • Windows Firewall

Introduced in Windows Server 2003

Introduced in Windows Vista

Introduced in Windows Server 2008

Introduced in Windows 7

Introduced in Windows 8

Introduced in Windows Server 2012

Introduced in Windows 10

  • Cortana
  • Microsoft Edge Web Browser
  • Notification Center
  • WofCompressedData, WofCompressed streams

Forensics

Partition layout

In the default partition layout the first partition starts:

  • at sector 63 in Windows 2000, XP, 2003
  • at sector 2048 in Windows Vista, 2008, 7

Filesystems

Common paths

Windows XP (and earlier) | Windows Vista (and later)
\Documents and Settings | \Users
\Documents and Settings\%USERNAME%\My Documents | \Users\%USERNAME%\Documents
\Documents and Settings\%USERNAME%\My Documents\My Music | \Users\%USERNAME%\Music
\Documents and Settings\%USERNAME%\My Documents\My Pictures | \Users\%USERNAME%\Pictures
\Documents and Settings\%USERNAME%\My Documents\My Videos | \Users\%USERNAME%\Videos
\Documents and Settings\%USERNAME%\Application Data | \Users\%USERNAME%\AppData\Roaming
\Documents and Settings\%USERNAME%\Cookies | \Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies
\Documents and Settings\%USERNAME%\Local Settings | \Users\%USERNAME%\AppData\Local
\Documents and Settings\%USERNAME%\NetHood | \Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Network Shortcuts
\Documents and Settings\%USERNAME%\PrintHood | \Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
\Documents and Settings\%USERNAME%\Recent | \Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent
\Documents and Settings\%USERNAME%\SendTo | \Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\SendTo
\Documents and Settings\%USERNAME%\Start Menu | \Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu
\Documents and Settings\%USERNAME%\Templates | \Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Templates
\Documents and Settings\%USERNAME%\Local Settings\Application Data | \Users\%USERNAME%\AppData\Local
\Documents and Settings\%USERNAME%\Local Settings\History | \Users\%USERNAME%\AppData\Local\Microsoft\Windows\History
\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files | \Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files
\Documents and Settings\All Users | \ProgramData
\Documents and Settings\All Users\Application Data | \ProgramData
\Documents and Settings\All Users\Desktop | \Users\Public\Desktop
\Documents and Settings\All Users\Documents | \Users\Public\Documents
\Documents and Settings\All Users\Favorites | \Users\Public\Favorites
\Documents and Settings\All Users\Start Menu | \ProgramData\Microsoft\Windows\Start Menu
\Documents and Settings\All Users\Templates | \ProgramData\Microsoft\Windows\Templates
\Documents and Settings\Default User | \Users\Default

Hosts information

C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\drivers\etc\lmhosts.sam

Recycle Bin

The Recycle Bin contains "Recycled" files. Moving files and directories to the Recycle Bin is also referred to as soft deletion, since the files are not removed from the file system. Files stored in the Recycle Bin can be parsed using Rifiuti2.

RECYCLER

The Recycler format is used by Windows 2000, XP.

Per user Recycle Bin folder in the form:

C:\Recycler\%SID%\

Which contains:

  • INFO2 file; "Recycled" files metadata

$RECYCLE.BIN

The $Recycle.Bin is used as of Windows Vista.

Per user Recycle Bin folder in the form:

C:\$Recycle.Bin\%SID%\

Which contains:

  • $I files; "Recycled" file metadata
  • $R files; the original data

Registry

The Windows Registry is a database of keys and values that provides a wealth of information to forensic investigators.

Thumbs.db Files

Thumbs.db files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the investigator.

See also: Windows thumbcache.

Browser Cache

Browser History

The Web Browser History files can contain significant information. The default web browser that comes with Windows is Microsoft Internet Explorer but other common browsers on Windows are Apple Safari, Google Chrome, Mozilla Firefox and Opera.

See Windows Desktop Search

Setup API Logs

Windows Vista introduced several new Setup API Log files.

Also see 1.

Scheduled Tasks

In Windows the Scheduled Tasks can be found in:

C:\Windows\Tasks

This directory contains .job files which are in the Windows Job File Format.

In later versions of Windows (at least Windows 7) XML-based equivalents can be found in the following locations:

C:\Windows\System32\Tasks
C:\Windows\SysWow64\Tasks

Sleep/Hibernation

After (at least) Windows 7 recovers from sleep/hibernation there is often a system time change event (event ID 1) in the event logs.

Users

Windows stores user Security Identifiers (SIDs) under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

The ProfileImagePath value under each %SID% subkey should also contain the username.

Crash and minidumps

C:\Windows\Minidump

Windows Error Reporting (WER)

As of Vista, for User Account Control (UAC) elevated applications WER reports can be found in:

C:\ProgramData\Microsoft\Windows\WER\

As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:

C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\

Corresponding registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting

Microsoft Office Autosave

Recovery files automatically created by Microsoft Office applications.


User Access Logging (UAL)

UAL is a local data aggregation feature, enabled by default on Windows Server 2012 and later, that records client usage by role and product on each system providing the resource. It typically consists of between 2 and 4 Extensible Storage Engine (ESE) databases ("Current.mdb", "SystemIdentity.mdb" and further ".mdb" files). The files are located at:

%SYSTEMROOT%\System32\LogFiles\SUM\*.mdb

CCM_RecentlyUsedApps

"SCCM has the ability to collect inventory data from many sources, and tracking executables launching is one. This feature isn’t turned on by default to have the SCCM server collect this data; however, the logging occurs on the endpoints regardless of the settings that are configured on the server." [1]

"Software metering history can record the path, name, size, associated user name, last used time, launch count, and PE metadata of executed files. For forensic investigators, this execution history can be a goldmine for identifying both the presence of deleted files and confirming that a file executed on a system. This artifact will likely only exist on enterprise systems." [2]

Windows stores software metering execution logs as CCM_RecentlyUsedApps records in the CIM repository, and the definition is provided in the snippet below [3].

#pragma namespace("\\\\.\\root\\ccm")
instance of __Namespace
{
 Name = "SoftwareMeteringAgent" ;
};
#pragma namespace("\\\\.\\root\\ccm\\SoftwareMeteringAgent")
class CCM_RecentlyUsedApps
{
   [Key]
   string FolderPath;

   [Key]
   string ExplorerFileName;

   [Key]
   string LastUserName;

   string OriginalFileName;
   string FileVersion;
   uint32 FileSize;
   string ProductName;
   string ProductVersion;
   string CompanyName;
   uint32 ProductLanguage;
   string FileDescription;
   uint32 LaunchCount;
   datetime LastUsedTime;

   string ProductCode;
   string AdditionalProductCodes;
   string msiDisplayName;
   string msiPublisher;
   string msiVersion;
   string SoftwarePropertiesHash;
   string FilePropertiesHash;
};

The entries can be extracted on a live system using the following details [4]:

  • Query: Select * from CCM_RecentlyUsedApps
  • Namespace: root\CCM\SoftwareMeteringAgent
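Each record returned by that query carries LastUsedTime as a CIM datetime string whose trailing offset is expressed in minutes, which is easy to misread when building a timeline. As an added example (not from the original page or from the Kansa module cited above), the Python below converts that field to UTC, orders the records into an execution timeline and flags entries whose on-disk name differs from the PE OriginalFileName; the records are constructed in the block in the shape the WMI query returns.

```python
import re
from datetime import datetime, timedelta, timezone

# CIM_DATETIME: yyyymmddHHMMSS.mmmmmm followed by a signed offset in MINUTES.
CIM_DATETIME = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")


def cim_datetime_to_utc(value: str) -> datetime:
    """Convert e.g. 20230914083015.123456+120 to an aware UTC datetime."""
    m = CIM_DATETIME.match(value)
    if not m:
        raise ValueError(f"not a CIM datetime: {value!r}")
    stamp, micros, sign, minutes = m.groups()
    local = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(microsecond=int(micros))
    offset = timedelta(minutes=int(minutes)) * (1 if sign == "+" else -1)
    return (local - offset).replace(tzinfo=timezone.utc)


def timeline(records):
    """Order CCM_RecentlyUsedApps records by LastUsedTime (oldest first).
    'renamed' is True when the file name on disk differs from the
    OriginalFileName in the PE version resource, which is worth a closer look."""
    rows = []
    for r in records:
        original = r.get("OriginalFileName") or ""
        rows.append({
            "last_used_utc": cim_datetime_to_utc(r["LastUsedTime"]),
            "path": r["FolderPath"].rstrip("\\") + "\\" + r["ExplorerFileName"],
            "user": r["LastUserName"],
            "launch_count": int(r["LaunchCount"]),
            "renamed": original.lower() != r["ExplorerFileName"].lower(),
        })
    return sorted(rows, key=lambda x: x["last_used_utc"])


# Constructed records (not real data) shaped like the output of
# "Select * from CCM_RecentlyUsedApps" in root\CCM\SoftwareMeteringAgent.
SAMPLE_RECORDS = [
    {"FolderPath": "C:\\Windows\\System32\\", "ExplorerFileName": "certutil.exe",
     "LastUserName": "CORP\\alice", "LaunchCount": 3,
     "LastUsedTime": "20230914083015.123456+120", "OriginalFileName": "CertUtil.exe"},
    {"FolderPath": "C:\\Users\\alice\\AppData\\Local\\Temp", "ExplorerFileName": "update.exe",
     "LastUserName": "CORP\\alice", "LaunchCount": 1,
     "LastUsedTime": "20230913220000.000000-300", "OriginalFileName": "setup.exe"},
]
```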

References:

  1. https://www.4n6ir.com/posts/2017/secret-archives-of-execution-evidence-ccm_recentlyusedapps/
  2. https://www.trellix.com/en-us/about/newsroom/stories/research.html
  3. https://social.technet.microsoft.com/Forums/en-US/fa8fd68e-588b-4cdf-8d6d-8b8c8fe72719/ccmrecentlyusedapps-wmi-class-empty-on-several-thousand-pcs
  4. https://github.com/davehull/Kansa/blob/261bd40ac2ae547855313f777273184a759f01d2/Modules/Process/Get-WMIRecentApps.ps1

Cryptnet URL Cache

A set of 2 folders (MetaData and Content) that hold a Windows cache of files downloaded from the internet.

Helpful when investigating the use of "Living off the Land" tools that allow attackers to download arbitrary files from the internet, such as "certutil.exe".

The locations on disk:

%SYSTEMROOT%\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\
%SYSTEMROOT%\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\
%SYSTEMROOT%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\
%SYSTEMROOT%\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\
C:\Users\%USERNAME%\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\
C:\Users\%USERNAME%\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\


Startup info

StartupInfo XML files include the user account's Security Identifier (SID) in the name and there could be up to 5 per user account. They contain a list of processes that were executed within the first 90 seconds from the time the user logged in. The info includes start time, the full command line and the parent process info, among other things.

The location on disk:

%SYSTEMROOT%\System32\WDI\LogFiles\StartupInfo\*.xml


Advanced Format (4KB Sector) Hard Drives

Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see Advanced Format.

%SystemRoot%

The actual value of %SystemRoot% is stored in the following registry value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot

See Also

Client/Server Runtime Subsystem (CSRSS)

Recycle Bin

Malware/Rootkits

Tracking removable media

Under the hood

Windows File Protection (WFP)

MSI

Side-by-side (WinSxS)

Crash dumps

Kerberos

Reliability Monitoring

RPC

User Account Control (UAC)

Windows Event Logs

Windows Scripting Host

USB

Windows Error Reporting (WER)

Windows Event Viewer

Windows Firewall

Windows 32-bit on Windows 64-bit (WoW64)

Windows XP

Windows Vault

IPC

AMCache.hve

SysCache.hve

RDP Bitmap Cache