Windows Forensics: The Field Guide for Corporate Computer Investigations

The Windows 9 x systems contain legacy MS-DOS structures and as a result have a few differences in directory and file structure from the NT series of operating systems. This section covers the key differences, from a forensic standpoint, in the default directory structures and files between the operating system versions.

Directories

The default system root directory in Windows 9 x is the Windows directory as opposed to WINNT. The Program Files directory functions the same as other versions of Windows.

Because Windows 9 x was designed initially as a single user system, the concept of profiles are not as well embedded. Therefore, there is no Documents and Settings hierarchy present when first installed. The My Document directory off the root is the main repository for user information on a default installation. Likewise, temporary internet files and other data are stored directly off the %SYSTEMROOT% folder instead of in individual profiles.

If an additional user account is added to a Windows 9 x system, the operating system does create a profile hierarchy containing the desktop, documents, application, and Internet files for each user. This hierarchy is stored under %SYSTEMROOT%/Profiles/<Profile Name >. Other key directory changes include:

• Printer spool information is kept in %SYSTEMROOT%/Spool/Printers.

• The Temporary directory is %SYSTEMROOT%/Temp.

• The System32 directory hierarchy is greatly reduced and does not contain the detailed configuration information.

• Since System Restore Points are not present, a System Volume Information folder is not created.

• The main registry files are simplified and reside directly in the %SYSTEMROOT% directory.

Files

Windows 9 x contains fewer overall files and a more simplified file organization than the NT variants. This, along with a less complicated security model for files (there is effectively no security), makes analysis easier, although more likely to be necessary. The key file differences in Windows 9 x over what is noted previously are as follows :

• There is no thumbs.db file as thumbnail-based views are not present (except in Windows ME).

• The paging file is referred to as a swap file and is located under the %SYSTEMROOT% directory in a file called Win386.swp.

• The registry is stored in three files instead of the multiple files noted above:

  • %SYSTEMROOT%/System.dat stores system-based registry information.

  • %SYSTEMROOT%/User.dat stores user-based registry information. This file will be in the individual profiles if multiple users are present on the system.

• The HOSTS and LMHOSTS files are located in the %SYSTEMROOT% directory.

• There are no event viewer logs, because there is no event viewer.