The purpose of this article is to give a brief intro to many different areas of a Windows installation that may be worth investigating, depending on the nature of the investigation. (These are further elaborated on in the “Windows Forensics” file. This is meant to be a simple, almost ‘executive summary’ description of the OS layout; a further file will discuss the specifics of anything mentioned here. This is meant to be read after the Intro to Disk forensics.)

As mentioned, an OS needs to store different types of information on a hard disk, to be able to answer the following questions: 

  • How can it boot the OS? 
    • It needs the required programs and files that are needed to run the OS. 
  • What devices were attached? 
  • How do we know who can logon to the machine? 
    • It needs the users and their passwords
  • Where are a user’s files stored? 
  • How are users prevented from accessing things belonging to other users? 
    • We need to store Access Control, or who is allowed to access what. 
  • How can the OS run faster, and be more user-friendly? 
    • It can store data for programs that are frequently run. 

Windows spreads the data needed to answer these questions in a few locations on the hard disk. 

Specific locations include: 

  • Registry 
  • User Profile folder 
  • Application Data folder 
  • Prefetch 
  • Most Recently Used (MRU) 

Windows Registry 

The Registry stores user and system data. It uses a layout similar to a filesystem, but instead of calling the entries files and folders, the entries are values and keys. 

The advantage of using the Registry over separate configuration files is that all the information is stored in a single location, making it easier to access, manage, and back up. 
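The filesystem analogy above can be seen directly from PowerShell, which exposes the Registry hives as drives (HKLM:, HKCU:). The script below is an added example, not code from the original article: it walks a key the way a directory listing would, printing values (the "files") and subkeys (the "folders"), and then backs one key up to a .reg file with the built-in reg.exe. The key path used is an ordinary Explorer settings key chosen only for illustration; any key the account can read works.

```powershell
# Added example (not from the original article): treat a Registry key like a
# directory tree. Assumes a live Windows system with the standard HKLM:/HKCU:
# PSDrives available.

function Show-RegistryTree {
    param(
        [Parameter(Mandatory)] [string] $Path,  # e.g. 'HKCU:\Software\...\Explorer'
        [int] $Depth = 1,                        # how many levels of subkeys to descend
        [int] $Indent = 0
    )
    $pad = ' ' * ($Indent * 2)
    $key = Get-Item -LiteralPath $Path -ErrorAction Stop   # a Microsoft.Win32.RegistryKey

    # Values play the role of files: name, type and data are stored on the key itself.
    foreach ($name in $key.GetValueNames()) {
        $label = if ($name -eq '') { '(Default)' } else { $name }
        $kind  = $key.GetValueKind($name)
        $data  = $key.GetValue($name)
        '{0}[value] {1} ({2}) = {3}' -f $pad, $label, $kind, $data
    }

    # Subkeys play the role of folders: recurse into them up to $Depth.
    foreach ($sub in $key.GetSubKeyNames()) {
        '{0}[key]   {1}' -f $pad, $sub
        if ($Depth -gt 0) {
            Show-RegistryTree -Path (Join-Path $Path $sub) -Depth ($Depth - 1) -Indent ($Indent + 1)
        }
    }
}

# Back up one key to a .reg text file. (Backing up a whole hive from a running
# system is 'reg save' from an elevated prompt; 'reg export' is fine for a key.)
function Export-RegistryKey {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,   # PSDrive form, e.g. HKCU:\Software\Foo
        [Parameter(Mandatory)] [string] $OutFile
    )
    # reg.exe expects HKCU\... rather than the HKCU:\ PSDrive form.
    $native = $KeyPath -replace '^(HK[A-Z]+):\\', '$1\'
    & reg.exe export $native $OutFile /y | Out-Null
    Get-Item -LiteralPath $OutFile
}

$demoKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
Show-RegistryTree -Path $demoKey -Depth 1
Export-RegistryKey -KeyPath $demoKey -OutFile (Join-Path $env:TEMP 'explorer-key.reg')
```

The export step is the point behind "easier to back up": one command captures a subtree, values and all, into a single text file, where the same settings spread over per-program configuration files would need to be collected one by one.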

User Profile 

The User Profile folder stores the data for each user. A user’s Desktop, Documents, Pictures, and Application Data folder are all stored in here.

Application Data 

The Application Data folder is used by programs to store large amounts of user-specific data. 

Prefetch Folder

The prefetcher watches which files are accessed when a commonly used program starts running and loads them in advance, to make programs start faster. The results of that monitoring, called traces, are stored in the Prefetch folder. 

MRU 

When a person runs a program or opens a document, Windows adds it to a list of recently used files. This makes it easier for a user to quickly launch a recently used program or access a recently used file.

To answer the previous questions: 

  • How can it boot the OS? 
    • It needs the required programs and files that are needed to run the OS. 
      • These are stored in the Windows folder
  • What devices were attached? 
    • This is stored in the Windows Registry 
  • How do we know who can logon to the machine? 
    • It needs the users and their passwords
      • This is stored in the Windows Registry
  • Where are a user’s files stored? 
    • This is stored in the User Profile folder. 
  • How are users prevented from accessing things belonging to other users? 
    • We need to store Access Control, or who is allowed to access what. 
      • This is stored inside the filesystem. 
  • How can the OS run faster, and be more user-friendly? 
    • It can store data for programs that are frequently run. 
      • This is done with the Prefetch folder (faster program starts) and the MRU lists (quick access to recent items).
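To make the mapping above concrete, the following added example (not part of the original article) gathers, from a live Windows system, one artifact for each question: the Windows folder, USB storage devices recorded in the Registry, the file that backs the SAM hive, the user profile folders listed in the Registry, the filesystem ACL on each profile folder, the most recent Prefetch traces, and the Run-dialog MRU list. The Registry key paths (USBSTOR, ProfileList, RunMRU) are the standard locations; run it from an elevated prompt so the HKLM and profile lookups succeed.

```powershell
# Added example (not from the original article): one artifact per question,
# collected from a live Windows system. Assumes an elevated PowerShell session.

function Get-WindowsLayoutSummary {
    $result = [ordered]@{}

    # 1. How can it boot the OS?  -> the Windows folder
    $result.WindowsFolder = $env:SystemRoot

    # 2. What devices were attached?  -> the Registry (USB storage in the SYSTEM hive)
    $usb = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    $result.UsbDevices = if (Test-Path $usb) {
        Get-ChildItem $usb | ForEach-Object { $_.PSChildName }
    } else { @() }

    # 3. Who can log on?  -> the Registry (SAM hive, backed by a file under config).
    #    The file is locked while Windows runs, but its presence can be checked.
    $result.SamHiveFile   = Join-Path $env:SystemRoot 'System32\config\SAM'
    $result.SamHiveExists = Test-Path $result.SamHiveFile

    # 4. Where are a user's files?  -> User Profile folders (enumerated via the Registry)
    $profiles = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $result.UserProfiles = Get-ChildItem $profiles |
        ForEach-Object { (Get-ItemProperty $_.PSPath).ProfileImagePath } |
        Where-Object { $_ }
    $result.CurrentUserAppData = $env:APPDATA   # the Application Data folder for this user

    # 5. How are users kept apart?  -> access control stored in the filesystem (ACLs)
    $result.ProfileAcls = foreach ($p in $result.UserProfiles) {
        if (Test-Path $p) {
            [pscustomobject]@{ Path = $p; Access = (Get-Acl $p).AccessToString }
        }
    }

    # 6. Faster / more user-friendly?  -> Prefetch traces and MRU lists
    $pf = Join-Path $env:SystemRoot 'Prefetch'
    $result.RecentPrefetchTraces = if (Test-Path $pf) {
        Get-ChildItem $pf -Filter '*.pf' |
            Sort-Object LastWriteTime -Descending |
            Select-Object Name, LastWriteTime -First 10
    } else { @() }

    # RunMRU keeps each entry in a single-letter value (a, b, c, ...) plus an MRUList order value.
    $runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    $result.RunMru = if (Test-Path $runMru) {
        (Get-ItemProperty $runMru).PSObject.Properties |
            Where-Object { $_.Name -match '^[a-z]$' } |
            ForEach-Object { $_.Value }
    } else { @() }

    [pscustomobject]$result
}

Get-WindowsLayoutSummary | Format-List
```

Each property of the returned object corresponds to one line of the list above, so the output reads as a checklist of where on the disk the answer to each question lives; a deeper look at any one of them (hive parsing, Prefetch file contents, the other MRU keys) belongs to the follow-up material the article refers to.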