The purpose of this article is to give a brief introduction to the many areas of a Windows installation that may be worth investigating, depending on the nature of the investigation. (These are elaborated further in the “Windows Forensics” file. This is meant to be a simple, almost ‘executive summary’ description of the OS layout; a further file would discuss the specifics of anything mentioned here. It is meant to be read after the Intro to Disk forensics.)
As mentioned, an OS needs to store different types of information on a hard disk, to be able to answer the following questions:
Windows spreads the data needed to answer these questions in a few locations on the hard disk.
Specific locations include:
The Registry stores user and system data. It uses a layout similar to a filesystem, but instead of calling the entries folders and files, the Registry calls them keys (which, like folders, contain other entries) and values (which, like files, hold the data).
The advantage of using the Registry over separate configuration files is that all the information is stored in a single location, making it easier to access, manage, and back up.
The User Profile folder stores the data for each user. A user’s Desktop, Documents, Pictures, and Application Data folder are all stored in here.
The Application Data folder is used by programs to store large amounts of user-specific data.
The prefetcher watches which files are accessed when a commonly used program starts running and loads them in advance, so that programs start faster. The results of this monitoring, called traces, are stored in the Prefetch folder.
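Added example, not code from the original article: a small Python parser for the header of a Prefetch trace (.pf) file, run over a constructed in-memory stand-in for a Prefetch folder rather than a real one. It reads the fields of the uncompressed header (version, the "SCCA" signature, recorded file size, executable name, prefetch hash) and checks that each trace's on-disk name, which Windows builds as EXECUTABLE-HASH.pf, agrees with its header. Windows 10 and later write traces compressed with a "MAM\x04" magic; the parser recognises that case and reports it without decompressing. All executable names and hash values in the sample folder are made up.

```python
import struct
from typing import Dict

# Added example, not from the original article. Offsets follow the layout of an
# uncompressed Prefetch (.pf) header; sample data below is constructed.
SIGNATURE = b"SCCA"
COMPRESSED_MAGIC = b"MAM\x04"  # Windows 10+ store .pf files Xpress-Huffman compressed
HEADER_LEN = 84                # enough to cover every field parsed below
NAME_FIELD_LEN = 60            # 29 UTF-16 characters plus a terminator

VERSIONS = {
    0x11: "Windows XP / Server 2003",
    0x17: "Windows Vista / 7",
    0x1A: "Windows 8 / 8.1",
    0x1E: "Windows 10",
    0x1F: "Windows 10 / 11 (newer builds)",
}


def parse_prefetch_header(data: bytes) -> Dict[str, object]:
    """Return the identifying fields of a .pf file, or flag it as compressed."""
    if data[:4] == COMPRESSED_MAGIC:
        # The uncompressed size follows the magic; decompression is out of scope here.
        (uncompressed_size,) = struct.unpack_from("<I", data, 4)
        return {"compressed": True, "uncompressed_size": uncompressed_size}
    if len(data) < HEADER_LEN:
        raise ValueError("file too short to hold a Prefetch header")
    version, signature, _reserved, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != SIGNATURE:
        raise ValueError("missing SCCA signature: not an uncompressed Prefetch file")
    name_field = data[16:16 + NAME_FIELD_LEN]
    executable = name_field.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 76)
    return {
        "compressed": False,
        "version": version,
        "os": VERSIONS.get(version, "unknown version"),
        "file_size": file_size,
        "executable": executable,
        "hash": f"{pf_hash:08X}",
    }


def expected_filename(header: Dict[str, object]) -> str:
    """Windows names each trace EXECUTABLE-HASH.pf; rebuild that name from the header."""
    return f"{header['executable']}-{header['hash']}.pf"


def check_trace(filename: str, data: bytes) -> Dict[str, object]:
    """Parse one trace and record whether its on-disk name and size agree with the header."""
    header = parse_prefetch_header(data)
    if header["compressed"]:
        header["name_matches"] = None  # cannot tell without decompressing
    else:
        header["name_matches"] = filename.upper() == expected_filename(header).upper()
        header["size_matches"] = header["file_size"] == len(data)
    return header


def build_sample(version: int, executable: str, pf_hash: int, total_size: int = 0x400) -> bytes:
    """Construct a synthetic uncompressed .pf image (sample data, not a real trace)."""
    name_field = executable.encode("utf-16-le").ljust(NAME_FIELD_LEN, b"\x00")
    header = struct.pack("<I4sII", version, SIGNATURE, 0x11, total_size) + name_field
    header += struct.pack("<I", pf_hash)
    return header.ljust(total_size, b"\x00")


# Constructed stand-in for the contents of a Prefetch folder (names and hashes made up).
SAMPLE_FOLDER = {
    "NOTEPAD.EXE-1234ABCD.pf": build_sample(0x17, "NOTEPAD.EXE", 0x1234ABCD),
    "CALC.EXE-0BADF00D.pf": build_sample(0x1A, "CALC.EXE", 0x0BADF00D),
    # On-disk name disagrees with the header: flag for review.
    "UPDATER.EXE-00000001.pf": build_sample(0x17, "CMD.EXE", 0x00000001),
    # Compressed (Windows 10+) trace: only the magic and uncompressed size are read.
    "EXPLORER.EXE-DEADBEEF.pf": COMPRESSED_MAGIC + struct.pack("<I", 0x2000) + b"\x00" * 16,
}


def scan_folder(folder: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Check every trace in a folder-like mapping of filename to file contents."""
    return {name: check_trace(name, data) for name, data in folder.items()}


if __name__ == "__main__":
    for name, info in scan_folder(SAMPLE_FOLDER).items():
        print(name, info)
```

On a real system the same functions apply to the bytes of each file in the Prefetch folder; a trace whose header name does not match its filename, or whose recorded size does not match the file on disk, is worth a closer look before its timestamps are relied on.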
When a user runs a program or opens a document, Windows adds it to a list of recently used items. This makes it easier for the user to quickly launch a recently used program or reopen a recently used file.
To answer the previous questions: