Forensic Differences Between Windows 10 and Windows 11
- Jun 28

Note to My Readers:
I apologize for not being very active on the website or posting new articles over the past few weeks. I've been dealing with some personal matters that have required my attention. I appreciate your patience and understanding during this time. I’ll be back to writing and updating the site as soon as things settle down. Thank you for your continued support.
Windows, developed by Microsoft, has been a cornerstone of personal and professional computing since its debut in 1985. As of March 2022, Windows holds a dominant global market share of 75.7%, making it the most widely used operating system worldwide. Among these installations, 74.82% run Windows 10, while 8.45% have transitioned to Windows 11. Microsoft reports that over 1.4 billion devices globally are running either Windows 10 or 11 (Microsoft, 2022a).
Microsoft plans to support at least one version of Windows 10 until October 14, 2025. As the end of Windows 10 support nears, the adoption of Windows 11 is expected to rise significantly. This shift underscores the importance for digital forensic examiners to understand the differences and similarities between these two operating systems, especially in terms of investigative artifacts and security features.
There is a great article written by Andrew Rathbun covering this entire topic; you can check it out via the link shared with this post.
Forensic Artifacts
This section reviews whether key artifacts from Windows 10 persist in Windows 11 and highlights any forensic differences. Below is a detailed analysis of prominent artifacts.
LNK Files and Jump Lists
The Shell Link (.LNK) Binary File Format underwent revisions in June 2021, but no significant forensic changes were identified. Similarly, Jump Lists, which are collections of .LNK files associated with applications, remain unchanged between Windows 10 and 11.
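Because the .LNK header layout is what an examiner relies on regardless of the Windows version, here is an added example (not code from the article or from Andrew Rathbun's work) that parses the fixed 76-byte ShellLinkHeader per MS-SHLLINK. The sample bytes are constructed in the script itself; the flag subset and the offsets are the ones from the public specification.

```python
"""Parse the fixed-size ShellLinkHeader that opens every .LNK file.

Added example, not taken from the article. Offsets follow MS-SHLLINK 2.1;
the sample header at the bottom is constructed here, not captured from a
real system.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C                      # HeaderSize is always 76 bytes
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Subset of LinkFlags (MS-SHLLINK 2.1.1): bit -> name
LINK_FLAGS = {
    0x00000001: "HasLinkTargetIDList",
    0x00000002: "HasLinkInfo",
    0x00000004: "HasName",
    0x00000008: "HasRelativePath",
    0x00000010: "HasWorkingDir",
    0x00000020: "HasArguments",
    0x00000040: "HasIconLocation",
    0x00000080: "IsUnicode",
}


def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of the above; only used to build the constructed sample."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_lnk_header(data):
    """Return the header fields of a .LNK blob, or raise ValueError if it is not one."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("buffer shorter than a ShellLinkHeader")
    # HeaderSize, LinkCLSID, LinkFlags, FileAttributes, three FILETIMEs,
    # FileSize, IconIndex, ShowCommand, HotKey (Reserved1-3 follow, ignored)
    (header_size, clsid_le, link_flags, file_attrs,
     ctime, atime, wtime, file_size, icon_index, show_cmd, hotkey) = \
        struct.unpack_from("<I16sIIQQQIiIH", data, 0)
    if header_size != LNK_HEADER_SIZE:
        raise ValueError(f"unexpected HeaderSize 0x{header_size:x}")
    if uuid.UUID(bytes_le=clsid_le) != LNK_CLSID:
        raise ValueError("LinkCLSID does not match the ShellLink CLSID")
    return {
        "flags": sorted(name for bit, name in LINK_FLAGS.items() if link_flags & bit),
        "file_attributes": file_attrs,
        "created": filetime_to_datetime(ctime),
        "accessed": filetime_to_datetime(atime),
        "modified": filetime_to_datetime(wtime),
        "target_size": file_size,
        "icon_index": icon_index,
        "show_command": show_cmd,
        "hotkey": hotkey,
    }


def build_sample_lnk_header(created, modified, target_size):
    """Constructed sample: HasLinkInfo | IsUnicode, no access time, no hotkey."""
    flags = 0x00000002 | 0x00000080
    file_attrs = 0x20                        # FILE_ATTRIBUTE_ARCHIVE
    body = struct.pack("<I16sIIQQQIiIH",
                       LNK_HEADER_SIZE, LNK_CLSID.bytes_le, flags, file_attrs,
                       datetime_to_filetime(created), 0, datetime_to_filetime(modified),
                       target_size, 0, 1, 0)   # icon 0, SW_SHOWNORMAL, no hotkey
    return body + b"\x00" * (LNK_HEADER_SIZE - len(body))  # Reserved1-3 zeroed


SAMPLE_LNK = build_sample_lnk_header(
    datetime(2022, 3, 1, 12, 0, tzinfo=timezone.utc),
    datetime(2022, 3, 2, 8, 30, tzinfo=timezone.utc),
    4096)

if __name__ == "__main__":
    for field, value in parse_lnk_header(SAMPLE_LNK).items():
        print(f"{field:16} {value}")
```

The CLSID and HeaderSize checks are worth keeping in any triage script: a file named .LNK that fails them is not a shell link and should be looked at separately rather than parsed further.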
$Recycle.Bin Metadata Files
Metadata files within the Recycle Bin ($I30) show no observable differences between Windows 10 and 11.
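For the Recycle Bin, the metadata sits in the $I files (the `$I` prefix followed by a random id) next to the $R data files. The following is an added example, not code from the article, that parses both on-disk layouts of that file: version 1 (Vista through 8.1, fixed 520-byte path field) and version 2 (Windows 10 and 11, a character count followed by the UTF-16LE path). The sample files are constructed inside the script.

```python
"""Parse Recycle Bin $I metadata files.

Added example, not from the article. Layout: 8-byte version, 8-byte original
size, 8-byte FILETIME of deletion, then the original path. Version 1 stores
the path in a fixed 520-byte field; version 2 (Windows 10/11) stores a 4-byte
character count (including the terminating null) followed by UTF-16LE text.
The two sample files at the bottom are constructed here.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_FIELD = 520                          # 260 UTF-16 code units


def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of the above; only used to build the constructed samples."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_i_file(data):
    """Return version, original size, deletion time and original path of a $I file."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_FIELD]
        if len(raw) < V1_PATH_FIELD:
            raise ValueError("truncated version-1 path field")
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("truncated version-2 path field")
    else:
        raise ValueError(f"unknown $I version {version}")
    # Both layouts are null-terminated UTF-16LE; keep only the text before the null
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted": filetime_to_datetime(deleted_ft),
        "original_path": path,
    }


def build_i_file(version, path, size, deleted_at):
    """Construct a $I file in either layout (sample data only)."""
    ft = datetime_to_filetime(deleted_at)
    name = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return struct.pack("<QQQ", 1, size, ft) + name.ljust(V1_PATH_FIELD, b"\x00")
    return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + name


# Constructed samples: a Windows 10/11-style file and a legacy version-1 file
SAMPLE_V2 = build_i_file(2, r"C:\Users\dean\Documents\report.docx", 18432,
                         datetime(2022, 6, 1, 9, 15, tzinfo=timezone.utc))
SAMPLE_V1 = build_i_file(1, r"C:\Users\dean\old.txt", 10,
                         datetime(2015, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for sample in (SAMPLE_V2, SAMPLE_V1):
        print(parse_i_file(sample))
```

Checking the version field first matters when a case mixes images from different Windows generations: a version-1 parser applied to a version-2 file would read the character count as the start of the path.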
Amcache
The Amcache artifact is identical in both Windows 10 and 11.
Registry Hives
Registry hives in Windows 11 exhibit significant changes, with over 35,000 keys and values added or removed compared to Windows 10. While these changes currently lack forensic significance, ongoing research is essential given the volume of modifications.
The Registry hives affected were the following:
BCD-Template
COMPONENTS
DEFAULT
DRIVERS
ELAM
NTUSER.dat
SAM
SECURITY
SOFTWARE
SYSTEM
UsrClass.dat
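One way to reproduce this kind of key-and-value count on your own reference images is to export the same hive from each Windows version with the built-in export format (.reg) and diff the two text files. The script below is an added example, not code from the article or from Andrew Rathbun's reference repository; it parses the .reg format (key headers in square brackets, `"Name"=data` and `@=data` lines, backslash continuation for hex data) and reports added and removed keys, added and removed values, and changed values. The two exports it diffs are constructed stand-ins, so the counts are illustrative only.

```python
"""Diff two Windows .reg exports and count added/removed keys and values.

Added example, not from the article. The two exports at the bottom are
constructed to stand in for one hive exported from Windows 10 and the same
hive exported from Windows 11; real exports are far larger.
"""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"=data  or  @=data (default value); quoted names may contain \" escapes
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} for a .reg text export."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):              # hex data continued on the next line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else m.group(1)
            keys[current][name] = m.group(3)   # data kept as exported, e.g. dword:00000001
    return keys


def diff_exports(old, new):
    """Compare two parsed exports; key paths are compared exactly as exported."""
    old_vals = {(k, n) for k in old for n in old[k]}
    new_vals = {(k, n) for k in new for n in new[k]}
    return {
        "added_keys": sorted(set(new) - set(old)),
        "removed_keys": sorted(set(old) - set(new)),
        "added_values": sorted(new_vals - old_vals),
        "removed_values": sorted(old_vals - new_vals),
        "changed_values": sorted(
            (k, n, old[k][n], new[k][n])
            for k, n in old_vals & new_vals if old[k][n] != new[k][n]),
    }


def total_changes(report):
    """Single number comparable to the 'keys and values added or removed' figure."""
    return sum(len(entries) for entries in report.values())


# Constructed sample exports (not real hive content)
WIN10_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\App]
"Version"="1.0"
"InstallDir"="C:\\Program Files\\App"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Legacy]
@="old component"
"""

WIN11_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\App]
"Version"="2.0"
"InstallDir"="C:\\Program Files\\App"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\App\Telemetry]
"Enabled"=dword:00000001
"Level"=hex:01,00,\
  02,00
"""

if __name__ == "__main__":
    report = diff_exports(parse_reg_export(WIN10_EXPORT), parse_reg_export(WIN11_EXPORT))
    for kind, entries in report.items():
        print(f"{kind}: {len(entries)}")
        for entry in entries:
            print("   ", entry)
    print("total:", total_changes(report))
```

Run against exports taken from clean reference installs, the changed_values list is the part worth reading by hand: keys that merely appear or disappear are often feature plumbing, whereas a value whose data changed under an unchanged key is where a parser that hard-codes expected data will silently break.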
Windows Timeline
The Windows Timeline feature, introduced in Windows 10, was removed in Windows 11. However, its database, ActivitiesCache.db, still exists in Windows 11.
Prefetch
No differences were found in the Prefetch (.pf) files between Windows 10 and 11.
Event Logs
Comparative analysis revealed that Windows 11 introduced new Event Providers and updated or removed others compared to Windows 10.
Shellbags
Shellbags, which track folder navigation, operate identically in Windows 10 and 11. Folder creation and navigation yielded identical results in both systems.
Windows Search Index (.ESE) Database
The Windows Search Index artifact (Windows.edb) retains its structure but exhibits notable differences in Windows 11. The SystemIndex_PropertyStore table in Windows 11 has an additional column, System_Setting_SettingsEnvironmentID, and a table number change from #17 (Windows 10) to #15 (Windows 11).
Additionally, Windows 11’s ESE engine version (9400) differs from Windows 10’s (9180), which affects database repair compatibility.
Web Browsers
Edge Chromium 101.0.1210.53 produced identical artifacts on both Windows 10 and 11.
ShimCache (AppCompatCache)
ShimCache functions similarly in Windows 10 and 11.
SQLite Databases
Windows 10 and 11 share many SQLite databases, commonly found in browser artifacts and system files. Research indicates these databases remain consistent between the two versions.
Directory Listings
A GitHub repository, https://github.com/AndrewRathbun/VanillaWindowsReference, offers directory listings for various Windows versions. A comparison between Windows 10 and 11 reveals differences in file and folder structures, useful for forensic research.
Security Features in Windows 11
Trusted Platform Module 2.0 is mandatory for Windows 11, ensuring hardware-based security for all devices.
Windows 11 supports secure, passwordless access through TPM 2.0, reducing credential theft risks with multifactor authentication.
Hypervisor-Protected Code Integrity (HVCI): Enabled by default on new installations, this feature uses virtualization to enhance memory integrity and protect against exploits.
Transport Layer Security 1.3 is the default, improving encryption protocols and reducing handshake times. TLS 1.2 is supported as a fallback.
DNS over HTTPS: This protocol encrypts DNS queries, protecting against attackers who monitor or redirect traffic.
SMB Protocol Enhancements: Updates include AES-256 encryption, SMB over QUIC for untrusted networks, and accelerated signing for improved file service security.
Enhanced Wi-Fi security with WPA3 and Opportunistic Wireless Encryption ensures better protection on public networks.
Conclusion
While Windows 11 shares many similarities with Windows 10, its security upgrades and new features present opportunities and challenges for DFIR professionals. Ongoing research will be vital as Microsoft delivers yearly updates, introducing potential new artifacts and forensic considerations.
Do not forget to check out the article written by Andrew Rathbun; the link is mentioned above. Take care for now, see you in the next article.
--------------------------------------------------Dean----------------------------------------