Vista Forensics
•
16 likes•2,075 views
The document provides an overview of key forensic artifacts and changes in the Windows Vista operating system. In 3 sentences: Vista introduced changes to the Recycle Bin, encryption with EFS keys on smart cards, default folder organization with junction links, registry virtualization for non-admin writes, an updated thumbnail cache format, new event log format with .evtx extension, and use of volume shadow copies for restoring previous versions of files and retrieving deleted data through differential disk imaging. Analysis of Vista systems requires examining multiple registry hives and investigating artifacts like prefetch files, volume shadow copies, and the thumbnail cache for evidentiary value.
![Operating System Artifacts ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],File Systems Fvevol.sys Volume Manager Application Artifacts OS Artifacts](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Vista Forensics
Similar to Vista Forensics (20)
More from CTIN
More from CTIN (16)
Recently uploaded
Recently uploaded (20)
Vista Forensics
- 1. Vista Forensics (Before Windows 7 Changes Things) Troy Larson Microsoft Corporation
- 4. The New Recycle Bin
- 5. The New Recycle Bin Note the deleted date (in blue). $MFT FRS of $IWYOWJ2.docx
- 6. The New Recycle Bin $MFT FRS of $RWYOWJ2.docx
- 7. The New Recycle Bin First cluster of $RWYOWJ2.docx
- 9. Default Folder Organization The legacy folders are junction links to the new folders. To navigate, follow the links.
- 12. Special Folders: IE Protected Mode IE Protected Mode http://msdn.microsoft.com/en-us/library/bb250462.aspx
- 14. File and Folder Virtualization
- 16. Registry Virtualization The virtualized registry entries are stored here.
- 24. Superfetch
- 26. Superfetch
- 27. Thumbcache
- 32. Thumbcache
- 37. Setupapi.log The location of the setupapi.log file has been changed. The new location is: C:indowsNFetupapi.dev.log
- 43. Volume Shadow Copy vssadmin list shadows /for=[volume]:
- 45. Volume Shadow Copy Shadow copies can be exposed through symbolic links.
- 46. Volume Shadow Copy Mklink /d C:test-shadow} ?LOBALROOTevicearddiskVolumeShadowCopy3
- 47. Volume Shadow Copy Shadow copy is addressed as ?LOBALROOTevicearddiskVolumeShadowCopy3
- 50. Volume Shadow Copy Shadow copies can be mounted as volumes using dosdev.exe.
- 51. Volume Shadow Copy Dosdev y: ?LOBALROOTevicearddiskVolumeShadowCopy2
- 52. Volume Shadow Copy Shadow copy is addressed as ?LOBALROOTevicearddiskVolumeShadowCopy2
- 61. Volume Shadow Copy Shadow copies can be imaged.
- 62. Volume Shadow Copy dd.Exe –v if= .arddiskVolumeShadowCopy4 of=K:hadow4.dd --localwrt
- 63. Volume Shadow Copy Shadow copy is addressed as .arddiskVolumeShadowCopy4
- 64. Volume Shadow Copy Images of shadow copies can be opened in forensics tools and appear as logical volumes.
- 66. Volume Shadow Copy Compare the imaged version to the mounted shadow copy.
- 67. Volume Shadow Copy Deleted data is captured by shadow copies, and is available for retrieval in shadow copy images.
- 68. Volume Shadow Copy Every shadow copy data set should approximate the size of the original volume. Thus, a conundrum: How to gather all the shadow copy data? Amount of case data=(number of shadow copies) x (size of the volume)+(size of the volume).
- 74. Finally