Piotrek Smulikowski
01/09/2009 University of Strathclyde
First Look at the Windows 7 Forensics
Forensic implications of the new Windows 7
This dissertation was submitted in part fulfilment of requirements for the degree of MSc Forensic Informatics
First Look at the Windows 7 Forensics Piotrek Smulikowski
Abstract
Microsoft is ready to ship its new mainstream Operating System, Windows 7. From the 22nd of October most new computers will be sold with the new system. It is the intention of this paper to prepare computer forensic professionals for the challenges it can potentially bring and for the impact it is likely to have on forensic examination.
Through comprehensive research and detailed analysis of the introduced features, it was possible to identify and document the prospective problems that examiners can encounter. At the same time, new sources of evidence were discovered that replace old and discarded sources.
This paper provides a first look at Windows 7 from the computer forensic perspective and is designed to help digital investigators towards a better understanding, and a more effective forensic analysis, of the system.
Table of Contents
Declaration
Abstract ... II
Acknowledgments
Table of Contents ... III
List of Tables ... V
List of Figures ... VI
1. Introduction ... 1
1.1. Rationale ... 1
1.2. Deliverables ... 3
1.3. Project constraints ... 3
1.4. Audience
1.5. This Document ... 4
2. Background Research / Literature Review ... 6
1. Windows 7 Development versions ...8
2. Windows 7 final editions ...9
3. Internet Explorer 8... 11
3.1. InPrivate – Stealth Browsing ... 11
3.2. Suggested Sites ... 13
3.3. Session Recovery ... 14
3.4. Index.dat files... 16
4. Folder Structure ... 19
4.1. Libraries... 19
4.2. Windows Search and Federated Search ... 20
4.3. User folders... 21
5. New Taskbar and Jump List... 23
6. BitLocker... 28
6.1. BitLocker in Windows Vista... 28
6.1.1. Introduction ... 28
6.1.3. BitLocker Identification ... 29
6.1.4. BitLocker Acquisition ... 31
6.2. BitLocker in Windows 7 ... 32
6.2.1. Introduction ... 32
6.2.2. BitLocker To Go ... 32
6.2.3. BitLocker To Go Identification ... 34
6.2.4. BitLocker To Go Acquisition ... 37
6.2.5. BitLocker changes ... 38
6.3. Windows 7 BitLocker Conclusions ... 39
7. Registry Analysis... 41
7.1. Introduction... 41
7.2. Registry locations... 42
7.2.1. Time Information... 42
7.2.2. Most Recently Used... 43
7.2.3. UserAssist ... 45
7.2.4. Autoruns... 47
7.2.5. Network information... 47
7.2.6. Mounted Devices... 48
7.2.7. USB Device Information ... 49
7.2.8. Internet Explorer ... 50
8. Miscellaneous new Features and Changes... 51
8.1. Location and Sensors API... 51
8.2. exFAT / FAT64 ... 53
8.2.1. exFAT Identification... 53
8.3. Partition Table... 54
8.4. XP mode... 56
8.5. Biometrics and Fingerprint support
8.6. Uninstall Process
8.7. Mix ... 57
8.8. UAC
9. Methodology ... 58
9.1. Hardware and Software used ... 60
10. Conclusions ... 62
10.1. Research Achievements... 62
10.2. Actual Constraints... 64
10.3. Reflections on Research
10.4. Final Conclusions ... 64
10.5. Future Work... 65
References:
Bibliography ... 67
APPENDIX A – Windows 7 Editions Comparison Chart... 74
List of Tables
Table 1. Windows 7 Editions comparison (Protalinski, 2009) ... 9
Table 2. Behaviour of the Internet Explorer 8 InPrivate mode (Zeigler, 2008). ... 11
Table 3. Data stored during InPrivate session. Source: Windows Internet Explorer Help ... 12
Table 4. File names and their respective application that store Jump List data ... 26
Table 5. Required Values for BitLocker stored in boot sector of an encrypted volume (Hunter, 2006)... 30
Table 6. Short naming convention for root hives ... 41
Table 7. Registry paths and corresponding files... 42
Table 8. Differences and similarities in registry key locations between Windows XP and Windows Vista. ... 45
Table 9. USB Information gathering process. Adapted from (SANS Forensics Blog, 2009)... 50
Table 10. Hardware and Software Specification of used PCs ... 60
List of Figures
Figure 1. Contents of the SuggestedSites.dat file, viewed in Hex editor. Visited URLs are underlined in blue and Referrer URLs are highlighted in yellow ... 13
Figure 2. Contents of SuggestedSites.dat file with visible header underlined in red and IE Browser version highlighted in yellow ... 14
Figure 3. Contents of the Active folder. In this example normal and InPrivate modes are used and have multiple tabs open. Note: this screenshot comes from Windows XP ... 15
Figure 4. Contents of an example tab file. URL is highlighted in grey and page name is in yellow ... 16
Figure 5. index.dat file parsed with Pasco and imported by Excel ... 18
Figure 6. XML code in library-ms file. The included folder path is highlighted in grey ... 20
Figure 7. Contents of Search Connector configuration file. The domain search provider is highlighted in grey ... 21
Figure 8. Start Menu properties window, allows user to disable the Jump List and customize contents of the start menu ... 24
Figure 9. Contents of the Jump List recent items file viewed in hex editor. Path to recent 'cos.png' file is highlighted in grey. This particular file stores the recent items list for Microsoft Paint ... 25
Figure 10. BitLocker Encrypted volume header of a boot sector in Windows Vista viewed in Hex editor (Hargreaves & Chivers, 2007) ... 31
Figure 11. Group Policy allows forcing users to encrypt USB sticks (Funk, 2008) ... 33
Figure 12. BitLocker To Go Reader window allows viewing files and exporting to local machine. Screenshot taken from Windows Vista ... 34
Figure 13. BitLocker To Go encrypted portable drive ... 34
Figure 14. Contents of the BitLocker To Go encrypted portable drive. BitLockerToGo.exe file is clearly visible. Screenshot taken from Windows Vista ... 35
Figure 15. FAT32 volume encrypted with BitLocker To Go. MSWIN4.1 OEM Name is highlighted in yellow and FAT32 file system highlighted in grey ... 35
Figure 16. BitLocker signature found on BitLocker To Go encrypted volume -highlighted in yellow. Additionally original Computer Name, Drive Letter and Date were also found - highlighted in grey. ... 36
Figure 17. Header of NTFS drive encrypted with BitLocker To Go viewed in Hex editor. The BitLocker signature -FVE-FS- is at offset 0x03 - highlighted in yellow. Interestingly it is marked as a FAT32 file system - highlighted in grey ... 36
Figure 18. BitLocker signature found on encrypted NTFS volume - highlighted in yellow. Computer name, Drive letter and Date were also found -highlighted in grey... 37
Figure 19. Image shows binary data for the example UserAssist value. Underlined in red is the obfuscated program path, in green is the decoded path. Highlighted in yellow is the counter number and in blue is the time stamp in Hex... 46
Figure 20. Output from Date/Time converting application DCode. Highlighted in yellow is the time stamp from above example (see previous figure)... 47
Figure 21. exFAT partition signature 'EXFAT'... 53
Figure 22. fdisk recognizes exFAT as NTFS with partition id=7... 54
Figure 23. Output from mmls tool, exFAT is recognised as NTFS... 54
Figure 24. fdisk recognized two partition as NTFS... 55
Figure 25. mmls tool displays the details and locations of the two partitions. ... 55
Figure 26. The output from the fsstat tool with details of the System Reserved (left) and Windows 7 partitions (right). ... 56
1. Introduction
Microsoft Windows is by far the most popular Operating System among typical computer users; as a result it has a great impact on computer forensics. There is therefore no doubt that the introduction of Windows 7 will leave its footprint on forensics. The big question is what impact it is going to have: whether the existing methods will become obsolete, or whether there will be no forensically significant changes at all. Early opinions suggest that digital investigators will not be forced to change their careers just yet. However, information regarding the forensic issues of Windows 7 is very limited; there is no single detailed resource on the topic. This paper attempts to fill that gap. It is intended that the research will provide forensic examiners with a starting point, a first look at the issues surrounding analysis of the new Windows. Through in-depth discussion and examination of some of the relevant features, the study produced certain interesting findings.
The paper is primarily aimed at forensic examiners, to aid them in the analysis of computers based on the new Windows 7. It is hoped that after reading the research, forensic investigators will gain more confidence when faced with the new system. Additionally, through the analysis of the new sources of evidence, examiners will be able to produce stronger evidence. Various functionalities include features that work either in the examiner's favour or against it. The challenges that Windows 7 brings could potentially have an impact on the forensic analysis; this research attempted to analyse and document them to raise examiners' awareness.
However, as this is the first detailed analysis of Windows 7 from the forensic point of view, while it may be regarded as comprehensive it is by no means a complete and exhaustive reference. It will take time and much more research to achieve that; this paper tries to form a basis for, and to encourage, further studies on the topic.
1.1. Rationale
The introduction of new software can bring a wide range of changes that potentially affect compatibility. This is especially true in the case of an Operating System, which provides the basic functionality and platform for other software; it is the system that coordinates all computer actions. Since other applications rely on it, the way that they work is heavily dependent on the OS. Software for Apple Mac OS will not work on MS Windows Vista because it handles guest applications and data very differently. This is to be expected when it comes to competitors' platforms; however, it can also be the case even on the same platform. For instance, an application written for Windows XP may or may not work under the Vista environment. Fortunately, over time, software developers modify their products so they work under the new system. The incompatibility issues may also affect Windows 7; however, very few have been reported so far. It is important to remember that the problem can affect forensics both ways: Windows 7 as (a) a target PC or (b) the analysis platform. While studying software alternatives, the research may reveal such problems with the tested collection of applications.
The research aims to discover the differences in the forensic analysis process between the new system and previous versions of Windows, namely Vista and XP. Windows XP was used as the main consumer OS for nearly 6 years, whereas Vista will be replaced by Windows 7 after little over 2.5 years. Given this much shorter development time, a large number of new features is not expected. Speculation suggests that this is a refined version of Vista, and some even say that it is what Vista was meant to be. Microsoft has dropped the introduction of the new Windows File System, which would have had a very significant impact on forensic analysis. It is also possible that very few changes actually affect the process, but this is exactly why this research is important: to find any major differences, if any, in the forensic analysis procedures.
Certainly, the time it will take for Windows 7 to be adopted by the majority of the PC market will be substantial and, similarly, in the computer crime world it will gain popularity slowly. Although in the current financial climate forecasts about computer sales vary, the Windows market share should be preserved. This means that when Windows 7 is released, 93% of new home computers sold will come with this Operating System (NET APPLICATIONS, 2009). It is therefore going to become the main OS used by home users, and it is safe to assume that criminals will start using the new system as well; the sooner forensic specialists become familiar with the system the better.
The main beneficiaries of this study are thought to be forensic investigators and researchers. Analysts will learn how important the changes are to the analysis process, which techniques still apply and what could be a new source of forensic evidence. It will help them to choose appropriate techniques in order to recover as much evidence as possible from the new system.
Results from the study could form a solid basis for further forensic research on the more specific issues of Windows 7. The aim is to provide researchers with an overview of the new features and overall changes to the system architecture, and of how important they are to the forensic analysis process. If the research finds substantial differences that require further, more in-depth analysis, they could become the basis for a more detailed and focused study. However, if the findings of the research state that there are no changes to the forensic analysis procedure, it could still be considered a successful study, since there is no other published research, at least at the time of writing, which tries to examine the new system. Therefore it might be beneficial to the computer forensic community to establish that as a fact, if this is the case. Hence, regardless of the findings of the research, it can still be a valuable paper in the forensic field, provided of course that the research has been properly executed.
Literature available on the topic of Windows 7 and forensics is very limited, and it is believed that this paper will fill this particular gap and possibly encourage the forensic community to undertake further work in this field.
Last but not least, from my personal point of view, I hope to learn more about the forensic analysis of Windows based computers. During the course of my studies I got to know many techniques applicable to the Microsoft system, but I realise that further development of my practical and theoretical knowledge is required to become a good and effective investigator. I believe that extensive research of the platform can give me 'an edge' when applying for employment after graduation. This is why I treat this research very seriously and hope that it could open doors for me upon successful completion of the project.
1.2. Deliverables
The following quote comes from the research proposal and discusses the deliverables: "When the research is finished the following deliverables are expected:
Review of the changes that have an impact on the forensic analysis.
Comparison to the previous Windows systems analysis process.
Identification of the new sources of evidence, if such exist.
Review and validation of the old, known evidence sources.
Evaluation of the tools with regard to the new system.
Draft of the forensic analysis procedure of the Windows 7. (not a key requirement)"
The research aims to deliver a few different objectives, all oriented around the forensic analysis of Windows 7. The first is a review of the changes and new features that could potentially affect the examination. It is partially a theoretical study of new features, in order to highlight the forensically significant ones, but it also includes a practical approach where features are examined on an actual PC running Windows 7.
1.3. Project constraints
The research is focused around Windows 7, which is not yet a finished product. This
However, it also introduces the risk that the final product will vary substantially from the version examined. As a result it could potentially void the results of the research. However, the version examined (RC) is thought to be very similar to the final version, with only minor cosmetic changes rather than changes in core functionality and features, so this should not affect the results.
Additionally, in order to improve the relevance of the research it would be desirable to wait until the final version is publicly available. However, because the deadline for the research is nearly two months before the official release, it is infeasible to do so.
Because there is very little information on the topic, it is difficult to find any new sources of evidence. The Operating System is very complicated in its nature, therefore it is nearly impossible to identify all changes by manual exploration or uninformed search. Structures like the Windows Registry are incredibly complex, and it would be impractical to crawl through all registry keys and check for any evidence. This problem is addressed by employing an informed search which limits the data set to the most likely candidates. For instance, rather than analysing all new features, only those that could potentially be storing any evidence are analysed, thus maintaining a balance between accurate results and effective use of time. In addition, attempts will be made to contact experts in Windows forensics, including Microsoft staff.
Another constraint that may have an impact on one of the deliverables is the availability of forensic software. Forensic software packages like, for example, EnCase tend to be very expensive. Moreover, many manufacturers do not publish evaluation versions, and while this might stop the 'warez' community from reverse engineering or devising anti-forensic techniques, it also makes it very difficult to accumulate a collection of software to evaluate its behaviour on a new version of the Operating System. While the majority of investigators work on integrated forensic packages like EnCase, FTK or X-Ways Forensics, there are also free alternatives. Fortunately, a selection of tools from a wide range of freeware and open source software can be easily assessed.
As with many projects, the time limit is a crucial constraint that effectively shapes the whole research. Therefore effective time management is highly important in order to bring the research to a successful conclusion. Regular meetings with the supervisor ought to help keep progress on track.
1.4. This Document
This paper was written as a dissertation for the MSc Forensic Informatics course at the
As requested in the departmental guidelines the font size is 12. However, 1.15 line spacing was used in order to reduce paper wastage, which was agreed with the supervisor. References are submitted in Harvard – Leeds style, following the patterns outlined in the Postgraduate Handbook. A special plug-in for Microsoft Office Word 2007 is used in order to keep the referencing consistent (CODEPLEX, MICROSOFT, 2009).
2. Background Research
At the time of writing the research, Windows 7 has not yet been released to the public. As mentioned before, with the release of any new version of Windows there is a lot of talk around it. Windows 7 has already made headlines, but they mostly focus on the usability of the system, its performance, compatibility or pricing. Many Information Technology web portals and magazines have published a wide variety of articles and tutorials regarding the new features included in Windows 7. One such example is the article from Ars Technica about its Graphical User Interface (BRIGHT, P, 2008). In addition, many independent websites are appearing that are exclusively dedicated to the new Windows, such as windows7news.com.
Microsoft is actively working on expanding its knowledge base available through the Microsoft TechNet Library website (MICROSOFT), where IT professionals can find useful resources about Microsoft products. This portal contains, among other things, articles on BitLocker, AppLocker and the Security Enhancements of Windows 7. This knowledge base is oriented mainly towards developers or security specialists.
There is, however, very little information available on the new OS from the forensic point of view. All of the existing sources are limited to individual posts on forensic community forums or blogs. No articles are published on the subject and the gap has not been filled by Microsoft. According to an anonymous source, the Redmond based company delivers closed seminars for Law Enforcement agencies, which are not disclosed to the public. Some of these materials were made available, with permission, for the purpose of this research. One of the most popular forums with a strong forensic community is forensicfocus.com. So far there have been only a few discussions involving the new Windows. For instance, user oasol reported the first case based on Windows 7 (OASOL, 2009), whereas user jenskr reported that some of the major forensic packages are compatible with the 32 bit version of Windows 7 (JENSKR, 2009). In order to learn more details about the new OS in the context of forensics a forum thread was created, and although it had a large number of views very little response was noted. User MMachor reported that Windows 7 "is really from a forensic aspect very similar to Vista" and suggested that the Recycle Bin, Prefetch and some other areas examined by him have not changed (MMAHOR, 2009), but he fails to go into greater detail.
The blog run by Harlan Carvey (user keydet89), the author of many forensic publications including the Windows Forensic Analysis book, provides details of certain aspects of Windows 7 forensics (CARVEY, Harlan, 2009). He suggests that usability features like the Jump List are "going to be a gold mine for an analyst". This view is shared by other testers too; they believe that it can provide information similar to the Most Recently Used registry keys. Carvey also confirmed compatibility of his own tool RegRipper (CARVEY, Harlan and Shavers, Brett, 2009), designed to extract forensic data from registry hives: upon loading registry keys from Windows 7 he was able to view evidence data as expected. Due to the tool's component build, some plug-ins responded better than others to the changes in the new system. Analysis of unsuccessful data extractions can help to determine differences between the new OS and its predecessors. Carvey also announced, shortly after the presentation of the second edition of his book, that the third edition would include forensic analysis of the new Microsoft OS incarnation.
An article from Didier Stevens' blog reported that the UserAssist key in the registry, which holds shortcuts to the most frequently used applications displayed in the Windows start menu, is obscured with a Vigenère cipher rather than the ROT-13 of previous versions (STEVENS, Didier, 2009). This was first found on the Beta version of Windows 7; however, it was then reverted back to ROT-13 in the RC version. Former Microsoft developer Steve Riley claims that it was used by their team in order to identify changes more easily after a system upgrade, that it was only introduced for development purposes and that it therefore did not need to be carried forward to the final version. Later research showed that the cipher was indeed changed back to ROT-13 in the RC version.
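A worked decoder for the UserAssist value names discussed above, added here as an illustration; it is not taken from the dissertation, from Didier Stevens' tool or from any Microsoft code. It treats ROT-13 as the special case of a Vigenère cipher with the single-letter key "N", so one routine handles the ROT-13 names of the RC and final builds and, given the right key, a Vigenère-obscured Beta name; the key the Beta used is not stated here and would have to be supplied by the analyst. The 72-byte value layout it parses (run counter at offset 4, last-run FILETIME at offset 60) is the layout assumed for Windows 7 value data, and the sample name and bytes are constructed for the example.

```python
"""Decode UserAssist entries: the obscured value name and its binary value data."""
import struct
from datetime import datetime, timedelta, timezone

# Value names live under (given for orientation, not parsed here):
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
# ROT-13 shifts every letter by 13, i.e. a Vigenère cipher with the one-letter key "N".


def _shift(text: str, key: str, direction: int) -> str:
    """Shift A-Z/a-z by the repeating key; digits, '\\', ':' and braces pass
    through unchanged and do not consume a key letter."""
    if not key or not key.isalpha():
        raise ValueError("key must be one or more letters")
    out, k = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = ord(key[k % len(key)].upper()) - ord("A")
            out.append(chr((ord(ch) - base + direction * shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_encode(text: str, key: str) -> str:
    return _shift(text, key, +1)


def vigenere_decode(text: str, key: str) -> str:
    """Undo a Vigenère shift. With key 'N' this is a ROT-13 decode."""
    return _shift(text, key, -1)


def rot13_decode(name: str) -> str:
    """What XP, Vista and the RC/final Windows 7 use for the value names."""
    return vigenere_decode(name, "N")


def parse_userassist_value(raw: bytes) -> dict:
    """Parse the 72-byte value data (assumed Windows 7 layout): offset 0 session
    id, 4 run count, 8 focus count, 12 focus time in ms (little-endian uint32);
    offset 60 last-run FILETIME (uint64, 100 ns ticks since 1601-01-01 UTC).
    Offsets 16-59 and 68-71 are left uninterpreted."""
    if len(raw) != 72:
        raise ValueError(f"expected 72 bytes of value data, got {len(raw)}")
    session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", raw, 0)
    (filetime,) = struct.unpack_from("<Q", raw, 60)
    last_run = None
    if filetime:  # an all-zero FILETIME means no run time was recorded
        epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
        last_run = (epoch + timedelta(microseconds=filetime // 10)).isoformat()
    return {"session": session, "run_count": run_count,
            "focus_count": focus_count, "focus_ms": focus_ms,
            "last_run_utc": last_run}


def decode_entry(name: str, raw: bytes, key: str = "N") -> dict:
    """Combine the de-obscured program path with the parsed counters/timestamp."""
    result = {"program": vigenere_decode(name, key)}
    result.update(parse_userassist_value(raw))
    return result


# Constructed sample name: ROT-13 of "UEME_RUNPATH:C:\Windows\system32\calc.exe"
SAMPLE_NAME = "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pnyp.rkr"
# Constructed value data: 5 runs, 2 focus events, 3 s of focus, last run at
# 2009-09-01 12:00:00 UTC (FILETIME 128962800000000000).
SAMPLE_DATA = (struct.pack("<IIII", 0, 5, 2, 3000)
               + b"\x00" * 44
               + struct.pack("<Q", 128962800000000000)
               + b"\x00" * 4)

if __name__ == "__main__":
    for field, value in decode_entry(SAMPLE_NAME, SAMPLE_DATA).items():
        print(f"{field:>13}: {value}")
```

Because non-letters are passed through untouched, drive letters, path separators and digits in the decoded path are exactly those of the stored name; a decoded name that is still unreadable with key "N" is the practical sign that the hive comes from a build using a different obscuring scheme.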
Although, as shown above, some information regarding forensics and Windows Seven is available, it is still very sparse and incomplete; there is an obvious lack of one integrated source of information that could form an early reference for examiners. Blogs can be a very knowledgeable source; however, it is not easy to find all the information available if it is spread over many different sites.
Because of the lack of information on Windows 7, reference sources about Vista were analysed in order to help with verifying new features in the updated system. These can help to make an 'informed' analysis of the new system. If some features were newly introduced in the previous system, they are likely to have been changed or improved upon, and this could potentially create new sources of evidence.
After Windows Vista was released in January 2007, many examiners wondered how it was going to affect the forensic analysis process. It was not long before the first articles were published. One of the first was "Notes on Vista Forensics" parts One and Two by Jamie Morris, founder of Forensic Focus (MORRIS, Jamie, 2007), posted a little over a month after release. It provided "a high level look at what we know now about those changes in Vista which seem likely to have most impact on computer forensic investigators" (MORRIS, Jamie, 2007).
Lecturers from Cranfield University published a paper called "Potential Impacts of Windows Vista on Digital Investigations", which follows a similar approach but goes into greater detail (HARGREAVES, C and Chivers, H, 2007). It analyses new features and system changes from the forensic perspective.
Another interesting paper was presented at the Computer and Enterprise Investigation Conference 2007 (CEIC) (MUELLER, Lance, 2007) by Lance Mueller from Guidance Software (GUIDANCE SOFTWARE INC., 2009), the company that created EnCase. The author undertook a detailed examination of changes introduced in Vista, such as the NTFS file system update.
1. Windows 7 Development versions
When Microsoft released Vista in January 2007, Windows XP had been on the market since October 2001, which means that its lifespan was over five and a half years. The new system did not have a good start, with numerous 'Vista Issues' including mainly performance and compatibility problems. This resulted in the relatively low popularity of Vista. Microsoft decided to shorten the life of Vista to just two and a half years in favour of the new version. Obviously, Vista is still going to be supported by Microsoft; however, the main development is dedicated to Windows 7. Close to the date of finishing Windows 7, Microsoft released Service Pack 2 for Vista to help bring it up to date, especially in the light of Windows 7. The newest OS has been well received by testers and is expected to have a much better start, based on early pre-order sales figures. According to the BBC: "Amazon said that sales of Windows 7 in the first eight hours it was available outstripped those of Windows Vista's entire 17 week pre-order period" (BBC NEWS UK, 2009).
Microsoft released the first build of Windows 7 to the public on the 9th of January 2009. Build 7000 was a Beta release, signifying an early development stage; however, it provided the first insights into the feature sets available in the final version. Some of the big changes were discarded, like the new file system replacement for NTFS, which would have had an enormous effect on forensics in general and file recovery in particular. It became a very popular download, and many IT savvy people tried it, including some forensic examiners like Harlan Carvey, author of the previously referenced blog posts. The reception it received was much better in comparison to Vista. However, it was a popular belief that the new system did not carry many changes, that it was just an improved Vista. This view was reinforced when Steve Ballmer, Microsoft's CEO, said: "Windows 7 will be more like Windows Vista, but a lot better!" (PARRISH, Kevin, 2008). On the 5th of May 2009 Microsoft made the Release Candidate (RC) public. Version 7100 addressed feedback from testers and GUI improvements, but feature changes were minor (MSDN BLOG, 2009).
Since the first announcement about Windows 7, Microsoft has moved the expected release date numerous times, and some have suggested it might be as late as mid 2010. However, as development versions were progressing, it seemed as if the final date would be much earlier. On the 2nd of June 2009, Brandon LeBlanc wrote on the Windows Blog and confirmed that the General Availability date is the 22nd of October 2009 (LEBLANC, Brandon, 2009), although developers and OEM manufacturers were meant to be getting the final version sooner. A few weeks later, on 24.07.2009, Windows 7 was finally signed off by the internal testing group, which meant that it met quality control and reached Release To Manufacturing (RTM) status (LEBLANC, Brandon, 2009). At this point build 7600 was released to OEM manufacturers for deployment purposes.
2. Windows 7 final editions
As with Vista, Windows 7 comes in a wide variety of editions; however, the line up has changed slightly, with six different versions available with varying feature sets. Emil Protalinski from Ars Technica (PROTALINSKI, Emil, 2009) compared them:
Windows 7 Starter (worldwide via OEM only): up to three concurrent applications, ability to join a Home Group, improved taskbar and JumpLists
Windows 7 Home Basic (emerging markets): unlimited applications, live thumbnail previews and enhanced visual experience, advanced networking support
Windows 7 Home Premium (worldwide): Aero Glass and advanced windows navigation, improved media format support, enhancements to Windows Media Center and media streaming, including Play To, multi-touch and improved handwriting recognition
Windows 7 Professional (worldwide): ability to join a managed network with Domain Join, data protection with advanced network backup and Encrypting File System, and print to the right printer at home or work with Location Aware Printing
Windows 7 Ultimate (worldwide): BitLocker data protection on internal and external drives, DirectAccess for seamless connectivity to corporate networks based on Windows Server 2008 R2, BranchCache support when on networks based on Windows Server 2008 R2, and lock unauthorized software from running with AppLocker
Windows 7 Enterprise (volume licenses): same as Ultimate, includes the following improvements: DirectAccess, BranchCache, Search, BitLocker, AppLocker, Virtualization Enhancements, Management, as well as Compatibility and Deployment.
To sum up: Starter is designed for low spec hardware (netbooks) with heavily limited features. Home Basic edition is only for emerging markets, whereas Home Premium, Professional and Ultimate are mainstream editions available for retail sale. Enterprise is available only via Volume Licences. Upgrading will only be available to mainstream editions. As with Vista, one installation disk can support all editions; the type of licence is determined on the basis of the Product Key.
Following the European Commission decision that Microsoft had violated European competition law by offering the Internet Explorer (IE) browser as the default browser, the company decided to remove IE from the European version of Windows 7 (CLARKE, Gavin, 2009). As a result, the special version called 'Windows 7 E' would not allow upgrades, making the cost of the new Windows higher as only the full version would be sold. The issue was eventually resolved by introducing the 'Web Browser Ballot' screen, allowing for the choice of an alternative browser (FIVEASH, Kelly, 2009).
3. Internet Explorer 8
Internet Explorer 8 (IE8) is the newest Web Browser developed by Microsoft as the default browser for Windows. It is bundled with Windows 7, but it is also offered as a recommended update for IE7 on Vista or XP. Therefore some investigators may already have experienced examination of the new version. However, it is important to note that there are substantial differences between releases for different platforms, XP in particular, due to improvements in privilege management on the newer platforms. The newest release claims significant enhancements in security such as Click-Jacking prevention and Cross Site Scripting filters.
3.1. InPrivate – Stealth Browsing
Microsoft followed other browsers, like for instance Safari, and introduced a stealth mode in the newest version. The InPrivate feature allows browsing the internet without leaving traces on the local machine. Certainly it has an impact on forensic analysis of the new browser, as an investigator has very little, if any, chance of reconstructing the suspect’s online activity. By default, when the user starts the browser the standard mode is launched and user activity is recorded in the normal manner; it is when the user enables InPrivate Browsing (Safety > InPrivate Browsing) that the stealth mode is launched in another window. The behaviour of the browser changes only for the InPrivate session, thus if the user has had a standard window open its history would be stored as normal, whereas the activity within the stealth mode window would be discarded. According to the IE Microsoft Blog (ZEIGLER, Andy, 2008) InPrivate Browsing changes the behaviour in the following way:
- New cookies are not stored
  o All new cookies become “session” cookies
  o Existing cookies can still be read
  o The new DOM storage feature behaves the same way
- New history entries will not be recorded
- New temporary Internet files will be deleted after the Private Browsing window is closed
- Form data is not stored
- Passwords are not stored
- Addresses typed into the address bar are not stored
- Queries entered into the search box are not stored
- Visited links will not be stored
Table 2. Behaviour of the Internet Explorer 8 InPrivate mode (ZEIGLER, Andy, 2008).
Analysis showed that the wording of the above list (Table 2) is crucial because it means that only new history entries are not recorded. All other attributes, such as the Cache, are recorded but deleted when the InPrivate window is closed. This opens a possibility for those files to be recovered by specialist data recovery tools. An alternative explanation (Table 3) of the browser behaviour in the InPrivate mode comes from the Internet Explorer Help.
| Information | How it is affected by InPrivate Browsing |
| --- | --- |
| Cookies | Kept in memory so pages work correctly, but cleared when you close the browser. |
| Temporary Internet files | Stored on disk so pages work correctly, but deleted when you close the browser. |
| Webpage history | This information is not stored. |
| Form data and passwords | This information is not stored. |
| Anti-phishing cache | Temporary information is encrypted and stored so pages work correctly. |
| Address bar and search AutoComplete | This information is not stored. |
| Automatic Crash Restore (ACR) | ACR can restore when a tab crashes in a session, but if the whole window crashes, data is deleted and the window cannot be restored. |
| Document Object Model (DOM) storage | The DOM storage is a kind of "super cookie" web developers can use to retain information. Like regular cookies, they are not kept after the window is closed. |
Table 3. Data stored during InPrivate session. Source: Windows Internet Explorer Help
When the privacy mode was first announced in 2008, it soon became unfavourably known as a ‘porn mode’ as it was believed to cover all browsing tracks. It produces mixed feelings in the system administrators’ community since it could create an opportunity for employees to abuse online access. Some argued that it should be disabled (AARON, 2009), which can be done by setting up a Group Policy.
According to Microsoft the InPrivate functionality is designed to stop casual computer users from “gaining access to the browsing history”. The IE team suggests that it should be possible to retrieve the online activity: “The feature isn’t designed to protect a user from security experts or forensic researchers” (SHARP, John, 2008).
Shortly after the Beta version was released it was examined by investigators from the FoxIT forensic firm and it was found that it was possible to determine visited websites (SHARP, John, 2008). Christian Prickaerts claims that the feature is “mainly cosmetic” and that: “For a forensic investigator, retrieving the browsing history should be regarded as peanuts. The remaining records in the history file still enable me to deduce which websites have been visited” (SHARP, John, 2008). It is important to emphasise that the tests were undertaken on the Beta version and unfortunately the method used by the researchers was not disclosed.
Furthermore, the Delete Browsing History window (Safety > Delete Browsing History > Preserve Favorites website data) now provides an option for preserving tracking data for websites marked as Favourites. Essentially, if a user added msn.com to Favourites, then its Temporary Internet files and cookies would be preserved even though the other history data has been deleted using IE8.
To complement Microsoft’s care for the user’s privacy, the InPrivate Filtering feature was developed (ZEIGLER, Andy, 2008). If enabled by the user, it informs him about tracking attempts by third party websites and allows blocking such attempts. The user can specify his own list of blocked sites or use a list predefined by Microsoft.
3.2. Suggested Sites
The new Suggested Sites feature aims to deliver website recommendations based on other users’ online activity. If the user opts in to use this feature, his history is analysed and sent to Microsoft servers where, stripped of identification data, it contributes to the suggestion database. The most commonly visited websites in the user’s category would then be recommended to him by the system. It is important to note that no information is collected while an InPrivate session is enabled.
The Suggested Sites capability has its own binary file called SuggestedSites.dat that is stored in the C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\ folder. The file is created automatically when the user opts in to use the feature and its default size is 5,121 KB, regardless of the contents. Its structure is different to the index.dat, therefore it cannot be parsed by the Pasco tool (JONES, Keith, 2003). Microsoft did not publish any documentation of this particular format. When loaded into a hex editor a certain pattern can be seen.
Figure 1. Contents of the SuggestedSites.dat file, viewed in Hex editor. Visited URLs are underlined in blue and Referrer URLs are highlighted in yellow.
Figure 1 presents the contents of the file, where each of the new entries is marked by a marker character and followed by the visited URL, here underlined in blue. Next is the page name as it appears on the top bar of the browser, and finally the Referrer URL, highlighted in yellow.
The rest of the data is currently not recognized. The header of the file is also different to the index.dat files. It contains unidentified data, followed by the Internet Explorer version at the 0x60 offset, as can be seen in Figure 2.
Figure 2. Contents of SuggestedSites.dat file with visible header underlined in red and IE Browser version highlighted in yellow.
According to the details of the Suggested Sites functionality, the above file does not record the history during HTTPS sessions or in InPrivate mode. Additionally, in order to provide the user with control, the functionality is designed to delete the particular history entries if the user decided to delete the record from the browser history. In a forensic examination, analysing data in a history index.dat file should take priority since it provides more information. However, in a scenario where the user deleted the history using third party software rather than the built-in method, there is a high possibility that the SuggestedSites.dat file was left. Currently it is the latest version of CCleaner (PIRIFORM LTD, 2009) that is capable of removing the file on a live system, since the file is protected by the OS.
3.3. Session Recovery
Microsoft boasts great improvements in the stability of the new browser. Developers spent a lot of effort on improving reliability, thus new technologies like for instance Automatic Tab Crash Recovery were introduced. It is designed to isolate a single tab that crashed from the rest, so that the other tabs are not affected. However, in order to implement this feature the developers had to introduce a monitoring mechanism that records the current and previous browsing session. These are stored in the following folders:
Windows 7, Vista:
C:\Users\<username>\AppData\Local\Microsoft\Internet Explorer\Recovery\Active
C:\Users\<username>\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active
Windows XP:
C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active
C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active
The Active folder stores current session data, whereas the Last Active folder keeps the previous browsing session data. Once a current session is closed, the contents of the Active folder are moved to the Last Active directory, thus overwriting the previously stored session. Deleting the browser history also causes removal of the folder contents.
The session data is recorded even in InPrivate mode; however, once a window is closed it automatically deletes the contents of the Active folder. In fact it is deleted only if the iexplore.exe process terminates successfully. If the whole application or the whole system crashes, the contents of the Active folder are not deleted. This could create an opportunity for forensics to recover details of an InPrivate session which would otherwise be difficult to obtain. Applications of this method are mostly limited to the scenario where the suspect was caught in ‘action’ and the officer at the scene simply pulled the power plug.
Each of the folders contains two types of files: RecoveryStore.{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.dat and {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.dat, which are created on-the-fly whenever IE8 is used. The first type is used as a manager for the other files; one instance is created for each of the browsing modes – normal and InPrivate – regardless of the number of windows opened. The latter type represents a single tab and is created whenever a new one is opened. Figure 3 presents the Active folder; in this case two modes are used, normal and InPrivate, because two RecoveryStore files exist. On top of that multiple tabs are open. Please note that although the screenshot was taken from Windows XP, the browser behaviour in this case is the same as in Windows 7.
Figure 3. Contents of the Active folder. In this example normal and InPrivate modes are used and have multiple tabs open. Note: this screenshot comes from Windows XP.
The file names are Globally Unique Identifiers (GUID) generated randomly by Windows. It is important to note that once the file names are generated they remain the same regardless of the contents. Therefore if a suspect used a single browser window with a single tab for many websites, the contents of the file will change but the file name will persist.
Because the files are in a binary format, they have to be analysed with a hex editor. The RecoveryStore files do not seem to contain any comprehensible data; it is the tab files that bring more information when analysed. Figure 4 shows an example where the website URL and its name are stored in the file.
Figure 4. Contents of an example tab file. URL is highlighted in grey and page name is in yellow.
However, the structure of the tab files can be very complex since the same file is used for as long as the corresponding tab is open. Therefore, if the user was only using one tab for many different sites, all browsing history would be stored in a single file. It can be confusing as different sites seem to be nested in one another using some unknown data structures. The order in which the URLs appear varies and it may seem chaotic. Nevertheless, in all tested examples the first URL in a file was always the most recent URL.
In addition, tab files can also store page specific content such as HTML, JavaScript or XML. These are stored after the tab history, in the second part of the file. As a result a tab file can increase in size substantially, from the initial 5KB for an empty tab.
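The folder triage described in this section, as an added example that is not part of the dissertation: it classifies an Active (or Last Active) listing into RecoveryStore and tab files, counts the browsing modes in use, and carves URLs out of a tab file as UTF-16LE strings, treating the first one as the most recent page. The listing and the tab file bytes are constructed, and carving strings (rather than parsing) is an assumption forced by the undocumented tab file structure.

```python
"""Triage of the IE8 session recovery folders (Recovery\\Active, Recovery\\Last Active).

Added example, not code from the dissertation. It relies on two observations
made in the text: one RecoveryStore.{GUID}.dat exists per browsing mode and one
{GUID}.dat per tab, and tab files carry the visited URL and page title as
readable strings. The surrounding structure is undocumented, so URLs are carved
as UTF-16LE strings rather than parsed.
"""
import re
from typing import Dict, List

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
RECOVERY_STORE_RE = re.compile(r"^RecoveryStore\." + GUID + r"\.dat$")
TAB_FILE_RE = re.compile(r"^" + GUID + r"\.dat$")

# http:// or https:// followed by printable ASCII, all encoded as UTF-16LE
# (each character followed by a 0x00 byte). The match stops at the first byte
# pair that is not printable ASCII + 0x00, e.g. a 0x0000 terminator.
URL_UTF16_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)


def classify_recovery_folder(names: List[str]) -> Dict[str, List[str]]:
    """Split a directory listing into RecoveryStore files, tab files and the rest."""
    stores = [n for n in names if RECOVERY_STORE_RE.match(n)]
    tabs = [n for n in names if TAB_FILE_RE.match(n)]
    other = [n for n in names if n not in stores and n not in tabs]
    return {"stores": stores, "tabs": tabs, "other": other}


def browsing_modes_in_use(names: List[str]) -> int:
    """Two RecoveryStore files mean both normal and InPrivate windows were open."""
    return len(classify_recovery_folder(names)["stores"])


def carve_urls(tab_bytes: bytes) -> List[str]:
    """Return the distinct URLs of a tab file in file order.

    The text reports that, in every tested file, the first URL was the most
    recent one, so carved[0] is the best candidate for the last page viewed.
    """
    seen: List[str] = []
    for match in URL_UTF16_RE.finditer(tab_bytes):
        url = match.group(0).decode("utf-16-le")
        if url not in seen:
            seen.append(url)
    return seen


def _utf16(text: str) -> bytes:
    return text.encode("utf-16-le")


# Constructed sample tab file: two pages visited in one tab, with filler bytes
# standing in for the unknown structure between the strings.
SAMPLE_TAB_FILE = (
    b"\x00" * 16
    + _utf16("https://www.strath.ac.uk/science/") + b"\x00\x00"
    + _utf16("University of Strathclyde") + b"\x00\x00"
    + bytes([0x13, 0x37, 0x00, 0x00])
    + _utf16("http://www.msn.com/") + b"\x00\x00"
    + _utf16("MSN") + b"\x00\x00"
)

# Constructed listing of an Active folder: two modes in use, three tabs open.
SAMPLE_LISTING = [
    "RecoveryStore.{A1B2C3D4-1111-2222-3333-444455556666}.dat",
    "RecoveryStore.{0F0E0D0C-AAAA-BBBB-CCCC-DDDDEEEEFFFF}.dat",
    "{11111111-2222-3333-4444-555555555555}.dat",
    "{66666666-7777-8888-9999-AAAAAAAAAAAA}.dat",
    "{BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF}.dat",
    "desktop.ini",
]


if __name__ == "__main__":
    listing = classify_recovery_folder(SAMPLE_LISTING)
    print("modes in use:", browsing_modes_in_use(SAMPLE_LISTING))
    print("open tabs   :", len(listing["tabs"]))
    print("most recent :", carve_urls(SAMPLE_TAB_FILE)[0])
```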
3.4. Index.dat files
Changes made to IE8, in comparison to IE7, mostly focused on adding new features rather than on redesigning the whole structure. Therefore backward compatibility is maintained. This has a positive impact on forensic analysis because it allows the examiner to adopt familiar techniques and tools in order to retrieve valuable information.
As in previous versions, the index.dat file is used as a store for all web related data, such as cache, history or cookies. Each of these artefacts – containers – has its own folder and an index.dat file within it. IE7 on Vista introduced Protected Mode, which runs with limited privileges; within the containers a new folder called Low exists which holds the Protected Mode sub-container.
Additionally, when Internet Explorer is in Protected Mode all add-ons are installed in a virtualized location and registry key:
Virtualized location: C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
Virtualized registry key: HKCU\Software\Microsoft\Internet Explorer\Internet Registry
Containers are spread around the user’s profile application data and their locations are consistent with previous versions:
Cache: Container for storing cacheable web content like images, pages, scripts. Every entry has a source URL and the name of the file in the Content.IE5 folder. Files are stored until the expiry date is reached.
C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
Visited Links: Stores clicked URL links and AutoComplete data, used to highlight visited links.
C:\Users\<username>\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
History: History container for a specific time frame between start date and end date.
C:\Users\<username>\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist01<startdate><enddate>\index.dat
Cookie: Container for mapping individual Cookie files to their associated URLs with additional metadata.
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
RSS Feeds Cache: Stores a record of RSS feeds added by the user.
C:\Users\<username>\AppData\Local\Microsoft\Feeds Cache\index.dat
Due to the fact that the format of the index.dat files has not changed, examiners can use existing tools to analyse the user’s web activity, for instance Pasco by Keith Jones (JONES, Keith, 2003). It parses the binary file and exports a tab delimited text file. Figure 5 shows the parsed contents of an IE8 Cache.
Figure 5. index.dat file parsed with Pasco and imported by Excel
Paths to the individual containers (PERNICK, Ari, 2006) remained unchanged, therefore a lot of current forensic tools should work correctly with the new IE version. One example, apart from Pasco, are the NirSoft applications (SOFER, Nir, 2009). They manage to successfully retrieve cache files, history or even certain passwords. However, as in Vista, most of the tools should be run ‘as Administrator’ in order to overcome privilege limitations.
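A minimal reimplementation of what Pasco does with an index.dat container, as an added example that is neither Pasco’s code nor from the dissertation: it walks the file in 128-byte blocks and decodes each ‘URL ’ record’s URL, cached file name and FILETIME stamps. The record offsets are assumed from the IE5 version 5.2 layout that Pasco parses, and the sample file is constructed with that same layout.

```python
"""Minimal parser for the URL records of an IE5-format index.dat container.

Added example, not code from the dissertation and not Pasco itself. It walks the
file in 128-byte blocks and decodes "URL " records. Record offsets are assumed
from the "Client UrlCache MMF Ver 5.2" layout as implemented in Pasco: block
count at +0x04, last-modified and last-accessed FILETIMEs at +0x08/+0x10, URL
string pointer at +0x34, file name pointer at +0x3C. Verify against Pasco if a
real file disagrees.
"""
import struct
from datetime import datetime, timedelta
from typing import Dict, List

BLOCK = 0x80
HEADER_SIGNATURE = b"Client UrlCache MMF Ver 5.2\x00"
FILETIME_EPOCH = datetime(1601, 1, 1)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def _cstring(buf: bytes, offset: int) -> str:
    """NUL-terminated 8-bit string at offset (URLs and file names are ASCII)."""
    end = buf.find(b"\x00", offset)
    return buf[offset:end if end >= 0 else len(buf)].decode("latin-1")


def parse_url_records(data: bytes) -> List[Dict[str, object]]:
    """Return one dict per URL record, in file order."""
    if not data.startswith(HEADER_SIGNATURE):
        raise ValueError("not a version 5.2 index.dat file")
    records: List[Dict[str, object]] = []
    offset = BLOCK  # skip the header block; records start on block boundaries
    while offset + BLOCK <= len(data):
        if data[offset:offset + 4] != b"URL ":
            offset += BLOCK  # HASH, REDR, LEAK or free block: not handled here
            continue
        blocks = struct.unpack_from("<I", data, offset + 0x04)[0]
        rec = data[offset:offset + blocks * BLOCK]
        modified, accessed = struct.unpack_from("<QQ", rec, 0x08)
        url_off, = struct.unpack_from("<I", rec, 0x34)
        name_off, = struct.unpack_from("<I", rec, 0x3C)
        records.append({
            "offset": offset,
            "url": _cstring(rec, url_off),
            "filename": _cstring(rec, name_off) if name_off else "",
            "modified": filetime_to_datetime(modified),
            "accessed": filetime_to_datetime(accessed),
        })
        offset += max(blocks, 1) * BLOCK
    return records


def build_url_record(url: str, filename: str, modified: datetime, accessed: datetime) -> bytes:
    """Pack a record with the same layout, used for the constructed sample below."""
    strings = url.encode("latin-1") + b"\x00" + filename.encode("latin-1") + b"\x00"
    url_off = 0x68                    # where the URL string typically starts
    name_off = url_off + len(url) + 1
    blocks = -(-(url_off + len(strings)) // BLOCK)  # round up to whole blocks
    rec = bytearray(blocks * BLOCK)
    rec[0:4] = b"URL "
    struct.pack_into("<I", rec, 0x04, blocks)
    struct.pack_into("<QQ", rec, 0x08,
                     datetime_to_filetime(modified), datetime_to_filetime(accessed))
    struct.pack_into("<I", rec, 0x34, url_off)
    struct.pack_into("<I", rec, 0x3C, name_off)
    rec[url_off:url_off + len(strings)] = strings
    return bytes(rec)


# Constructed sample: header block followed by two cache records.
SAMPLE_INDEX_DAT = (
    HEADER_SIGNATURE.ljust(BLOCK, b"\x00")
    + build_url_record("http://www.strath.ac.uk/", "strath[1].htm",
                       datetime(2009, 9, 1, 12, 0, 0), datetime(2009, 9, 1, 12, 5, 0))
    + build_url_record("http://www.msn.com/img/logo.png", "logo[1].png",
                       datetime(2009, 9, 2, 8, 30, 0), datetime(2009, 9, 2, 8, 30, 0))
)


if __name__ == "__main__":
    for r in parse_url_records(SAMPLE_INDEX_DAT):
        print(r["accessed"].isoformat(), r["url"], r["filename"])
```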
4. Folder Structure
With the release of Windows Vista the Documents and Settings folder was discarded and the user profile was moved to the Users folder using the Known Folder Id system. Although it did not affect program functionality, thanks to Reparse Points, it required time for users to feel comfortable using it.
In Windows 7 there are no such differences in the physical directory structure. However, there are differences in the logical layout. Microsoft introduced the Library functionality, which allows users to have all their files in one logical location while the actual files are distributed all over the PC or even the network. The idea is similar to an audio playlist and a collection of mp3 files.
The introduction of Libraries allowed for more advanced search capabilities called Federated Search. In addition, Microsoft brought back the old naming scheme in the format of e.g. ‘My Documents’.
4.1. Libraries
Default Libraries are Documents, Music, Pictures and Videos; however, the user can add his own types. One of the main requirements is that a folder that is added to a Library has to be indexed, as it allows for fast searching of the contents.
Fortunately, since the new scheme affects how third party programs handle for example the ‘Save file as’ dialog box functionality, Microsoft documented the Libraries feature in detail (KIRIATY, Yochay and Fliess, Alon, 2009).
The individual library files are named in the following format: <libraryname>.library-ms, for example Music.library-ms, and are stored in the following folder:
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Libraries\
Files are stored in XML, hence their structure is clear: after the initial header tags, every folder that is included in the library is wrapped with the following code:
<searchConnectorDescriptionList>
  <searchConnectorDescription publisher="Microsoft" product="Windows">
    <description>@shell32.dll,-34577</description>
    <isDefaultSaveLocation>true</isDefaultSaveLocation>
    <isSupported>true</isSupported>
    <simpleLocation>
      <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      <serialized>MBAAAE….</serialized>
    </simpleLocation>
  </searchConnectorDescription>
From the forensic point of view, the most important field is the <url>, as it shows the path to the folder included in the library. In this case it is one of the known folders, e.g. Downloads. Figure 6 shows the contents of the .library-ms file where the path to a winhex folder added by the user is highlighted in grey.
Figure 6. XML code in library-ms file. The included folder path is highlighted in grey
Once the feature becomes commonly used by end users, this could prove to be a valuable source of information about the user’s setup and where important files are being kept.
Microsoft believes that Libraries could be a structure for all user files, the advantage being that the user can add folders from all locally available resources, such as an external hard drive, HomeGroup or a network. The examiner could then easily find important storage devices and locations which were used and include them in the investigation.
Additionally, because indexing is a prerequisite for a folder to be part of a Library, indexed locations can be investigated in order to find user specified places. They are recorded in the Registry in the following key:
HKLM\SOFTWARE\Microsoft\Windows Search\CrawlScopeManager\Windows\SystemIndex\WorkingSetRules
4.2. Windows Search and Federated Search
Windows Search 4.0 was introduced as an update for Vista; however, the introduction of Libraries extended the applications of the search engine. Arrangement View allows customising the view of library contents based on metadata; for example in the Pictures Library, the ‘by Year’ view would organise all photos in stacks for different years. Another feature, called Search Filter Suggestions, allows the user to select a predefined metadata filter and a value in order to view files matching those criteria. Therefore, if the user wants to find music files of a specific genre, he can either select the ‘genre:’ filter or type it in, then possible genre types would be suggested for him to select.
Search functionality can be extended even further with Federated Search. It allows sending queries to external data sources, such as databases or web content, as long as they support OpenSearch technology. In practice, the user can simply download a Search Connector file (*.osdx) and then query the contents of the website, all via Windows Explorer. Such configuration files exist for popular websites such as YouTube or Flickr (DMEX, 2008). When the user downloads and runs the *.osdx setup file, a <domainsearchname>.searchconnector-ms file is created and stored in the <username>\Searches\ folder. The contents of the file are stored in XML format; the most interesting field, from the forensic perspective, is the <domain>, where the domain of the host is recorded, as seen in Figure 7.
Figure 7. Contents of Search Connector configuration file. The domain search provider is highlighted in grey
Additionally, as in Vista, the user can save a specific search query if it is being reused. The saved search details are stored in a <searchname>.search-ms file, also in the same folder <username>\Searches\. The XML file has three significant fields:
<scope> - determines locations to be searched, e.g. C:\Users
<kindList> - specifies what kind of file it is, e.g. email
<condition> - filters the results
These search techniques will most likely be used by advanced users, therefore examiners will probably rarely need to investigate these artefacts. However, if this method is used by a suspect it could add important information to the investigation.
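The three XML artefacts of sections 4.1 and 4.2 (.library-ms, .searchconnector-ms and .search-ms) handled in one added example that is not from the dissertation: it lists the folders of a library with knownfolder: GUIDs resolved, reads a connector’s <domain>, and flattens a saved search’s <scope>, <kindList> and <condition>. All sample documents are constructed, the Known Folder table is a short subset, and the exact structure of the .search-ms sample is an assumption.

```python
"""Field extraction for the Windows 7 Explorer search artefacts (sections 4.1, 4.2).

Added example, not code from the dissertation. It reads the three XML files the
text describes: <name>.library-ms (included folders in <url>), <name>.searchconnector-ms
(<domain>) and <name>.search-ms (<scope>, <kindList>, <condition>). Elements are
matched by local name so files with or without an XML namespace parse the same
way. Every sample below is constructed; the Known Folder table is a small
hand-picked subset (the Documents ID is the one quoted in section 4.1).
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

KNOWN_FOLDERS = {
    "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}": "Documents",
    "{374DE290-123F-4565-9164-39C4925E467B}": "Downloads",
    "{33E28130-4E1E-4676-835A-98395C3BC3BB}": "Pictures",
    "{4BD8D571-6D19-48D3-BE97-422220080E43}": "Music",
    "{18989B1D-99B5-455B-841C-AB7C74E4DDFC}": "Videos",
}


def _local(tag: str) -> str:
    """Drop a '{namespace}' prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _find_all(node: ET.Element, name: str) -> List[ET.Element]:
    return [e for e in node.iter() if _local(e.tag) == name]


def _text(node: ET.Element, name: str, default: str = "") -> str:
    found = _find_all(node, name)
    return (found[0].text or "").strip() if found else default


def resolve_location(url: str) -> str:
    """Translate knownfolder:{GUID} to a folder name; plain paths pass through."""
    if url.lower().startswith("knownfolder:"):
        guid = url.split(":", 1)[1].strip().upper()
        return KNOWN_FOLDERS.get(guid, "unresolved known folder " + guid)
    return url


def library_locations(xml_text: str) -> List[Dict[str, object]]:
    """One row per <searchConnectorDescription> of a .library-ms file."""
    rows: List[Dict[str, object]] = []
    for desc in _find_all(ET.fromstring(xml_text), "searchConnectorDescription"):
        url = _text(desc, "url")
        rows.append({"url": url, "location": resolve_location(url),
                     "default_save": _text(desc, "isDefaultSaveLocation", "false") == "true"})
    return rows


def search_connector_domain(xml_text: str) -> Optional[str]:
    """The queried host recorded in <domain> of a .searchconnector-ms file."""
    return _text(ET.fromstring(xml_text), "domain") or None


def saved_search_fields(xml_text: str) -> Dict[str, str]:
    """Flatten <scope>, <kindList> and <condition> of a .search-ms file to text."""
    root = ET.fromstring(xml_text)
    out: Dict[str, str] = {}
    for name in ("scope", "kindList", "condition"):
        parts: List[str] = []
        for holder in _find_all(root, name):
            for e in holder.iter():
                # values such as paths and kinds live in attributes of children
                parts.extend(v for v in e.attrib.values() if v)
                if e.text and e.text.strip():
                    parts.append(e.text.strip())
        out[name] = " ".join(parts)
    return out


# Constructed .library-ms: the default Documents known folder plus a user-added folder.
SAMPLE_LIBRARY = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription publisher="Microsoft" product="Windows">
      <description>@shell32.dll,-34577</description>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <isDefaultSaveLocation>false</isDefaultSaveLocation>
      <simpleLocation><url>E:\\winhex</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

# Constructed .searchconnector-ms for a video site connector.
SAMPLE_CONNECTOR = """<searchConnectorDescription>
  <domain>www.youtube.com</domain>
</searchConnectorDescription>"""

# Constructed .search-ms: e-mail items under C:\\Users whose name contains "invoice".
SAMPLE_SEARCH = """<persistedQuery version="1.0">
  <query>
    <conditions>
      <condition type="leafCondition" property="System.FileName" operator="wordmatch" value="invoice"/>
    </conditions>
    <kindList><kind name="email"/></kindList>
  </query>
  <scope><include path="C:\\Users"/></scope>
</persistedQuery>"""
```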
4.3. User folders
Windows 7 has old, XP style names for the default user folders, unlike Vista which introduced a different layout of user profile files. As a result the Documents folder is by default named ‘My Documents’; other folders like Music, Pictures and Videos are also affected. When the folders were examined in WinHex, which shows the physical structure of files, it became clear that these folders are Reparse Points to the standard, Vista-style folders. A Reparse Point is an implementation of a junction on the NTFS file system, whereas junctions are logical links
pointing to another folder on Operating System level. They are transparent; hence user rarely notices a difference between an actual folder and a Reparse Point.
Since the actual locations of the folders are consistent with the layout known from Windows Vista, forensic examiner can simply examine already known folders within the
5. New Taskbar and Jump List
One of the most prominent GUI features in Windows 7 is the new Taskbar and the integrated Jump List, designed as an interactive combination of quick launch shortcuts with taskbar buttons, plus application specific common tasks. It allows the user to have access to the most frequent tasks, such as ‘Play next song’ in Windows Media Player, directly from the taskbar. Additionally, the user can also choose the most recent or frequent files handled by the application. This part of the functionality is significant to forensics, as it could provide new sources of evidence.
Since the Windows 7 Beta was released, this feature was talked about, also in forensics community. Harlan Carvey said: “from a forensic perspective, this "Jump List" thing is just going to be a gold mine for an analyst, much like RecentDocs and UserAssist keys have been since Windows 2000” (CARVEY, Harlan, 2009).
Microsoft encourages developers to make use of these new functionalities in their software, to further integrate application to the Operating System. The company provides them with detailed documentation, video tutorials and walkthroughs on how to implement the new taskbar functionality. However, as with other features, little is known about how the features work or where data is being stored. After an extended research, on Microsoft Developers Network the following was found:
In addition to updating its list of recent documents, the Shell adds a shortcut to the user's Recent directory. The Windows 7 Taskbar uses that list and Recent directory to populate the list of recent items in the Jump Lists. (YOCHAYK, 2009)
Therefore, it is clear that the recent files displayed in the Jump List are the same as in the <username>\Recent directory. This data is simply duplicated, only presented in a more approachable manner to the user.
Anytime you double click on a file type with a registered handler [application that supports the file type], before Windows launches your application it automatically calls SHAddToRecentDocs on your application's behalf. This inserts the item in the Windows Recent list and eventually into the Jump List Recent Category. (YOCHAYK, 2009)
The above fragment explains the mechanism by which items are added to the Windows Recent list and the Recent folder, which forms the basis for the Jump List recent items.
In addition to the recent and frequent lists, developers can add their own customized item list. This is the part that could make investigation of the Jump List worthwhile. Unless an application uses customized item list, by default a Jump List would only contain items from