First Looks: Basic Investigations of Windows Vista

Slide 1

First Looks: Basic Investigations of Windows Vista. Lance Mueller

Slide 2

Sample Evidence File. Please start EnCase and load the sample Windows Vista EnCase evidence file. The evidence file is located here: C:\Evidence\Mueller. As we walk through the various changes and artifacts in Windows Vista, you are encouraged to examine these changes and explore the Vista evidence file. Please feel free to ask questions or make comments; I have 45 slides to present in an hour and a half, so you do the math ;)

Slide 3

Introduction. Windows Vista is the new Microsoft operating system that was released to the general public at the beginning of 2007. This section is intended to give an overview of the new features and the differences from previous versions of Windows from the forensic perspective. There are many changes in the new Vista operating system compared with Windows XP or Windows 2000, most of them in the user interface. This presentation will not cover trivial UI changes unless they have a direct effect on how a forensic exam is conducted. It does not describe every conceivable change that affects forensic examinations; rather, it covers the core areas an examiner will encounter and explains what effect a particular Vista feature may have on conducting a forensic examination.

Slide 4

Agenda: File System Changes
NTFS Version & Structure
Volume Boot Record
Symbolic Links
Last Access Times
USNJRNL

Slide 5

Agenda: Operating System Changes
Vista Versions
Directory Structure Changes
Volume Shadow Service/Previous Version feature
Registry Changes
Virtualized Folders
Recycle Bin
Event Logs
Windows Search Engine (Indexing)
Public Folders
Windows Photo Gallery
Contact Manager
Sleep Mode

Slide 6

Agenda (continued)
Windows Mail
Windows Firewall
Thumbnail Cache
ReadyBoost
Accessing Physical Memory
Other Relevant Changes
BitLocker

Slide 7

NTFS Version

Slide 8

NTFS Version

Slide 9

Volume Boot Record. Common location of the VBR on a hard drive using 63 sectors per track (SPT): physical sector 63 (PS63). New location of the VBR in Vista: physical sector 2048 (PS2048).
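Because the VBR is no longer guaranteed to sit at sector 63, an examiner should locate it from the MBR partition table rather than by habit. The following added example (not code from the deck or from Lance Mueller) does that against two constructed single-partition images, one laid out PS63-style and one PS2048-style, and confirms the sector it lands on carries an NTFS boot sector.

```python
"""Find each partition's Volume Boot Record from the MBR instead of assuming sector 63.
Added example, not from the original deck; the disk images below are constructed."""
import struct

SECTOR = 512
PART_TABLE = 446            # four 16-byte entries precede the 0x55AA signature

def partition_entries(mbr):
    """Return (type, start_lba, sector_count) for each populated primary entry."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("MBR signature missing")
    entries = []
    for i in range(4):
        # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
        _, _, ptype, _, start, count = struct.unpack_from("<B3sB3sII", mbr, PART_TABLE + 16 * i)
        if ptype:
            entries.append((ptype, start, count))
    return entries

def locate_vbrs(image):
    """Read the first sector of each partition and classify its offset and file system."""
    found = []
    for ptype, start, count in partition_entries(image[:SECTOR]):
        vbr = image[start * SECTOR:start * SECTOR + SECTOR]
        found.append({
            "type": ptype, "start_lba": start,
            "ntfs": vbr[3:11] == b"NTFS    " and vbr[510:512] == b"\x55\xaa",
            "layout": {63: "PS63 (63 SPT, pre-Vista)", 2048: "PS2048 (Vista 1 MiB alignment)"}
                      .get(start, "non-standard")})
    return found

def make_image(start_lba):
    """Constructed single-NTFS-partition image whose VBR sits at start_lba."""
    img = bytearray((start_lba + 1) * SECTOR)
    img[PART_TABLE:PART_TABLE + 16] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07,
                                                  b"\0\0\0", start_lba, 204800)
    img[510:512] = b"\x55\xaa"
    base = start_lba * SECTOR
    img[base:base + 11] = b"\xeb\x52\x90NTFS    "        # jump + "NTFS    " OEM ID
    img[base + 510:base + 512] = b"\x55\xaa"
    return bytes(img)
```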

Slide 10

Symbolic Links. Windows Vista now supports true Unix-style symbolic links. This is really an additional feature on top of the existing reparse point feature of the NTFS file system. Reparse points were introduced in Windows 2000 and offered several unique features:
Junctions – allow a user to graft one folder in the file system tree onto another folder.
Hard Link – allows a user to create multiple links to the same data. For all intents and purposes each link was the same as the original, and it was difficult to tell which was the original.
Mount Points – allow a user to graft a volume onto an existing folder.
Symbolic Link (Vista only) – the new Vista symbolic link differs from a hard link in that it can point to files & folders (hard links can only point to files), as well as to objects on other volumes or network shares.
A default installation of Windows Vista has several occurrences of symbolic links, which we will examine in the Operating System Changes section later in this presentation.

Slide 11

Symbolic Links

Slide 12

Last Access Dates. The last access dates in Windows Vista are no longer updated when a file is accessed. Microsoft explains that, with all the new file system transactional journaling, updating them was quite a performance hit, so they have disabled the updates by default. In Windows Vista this setting (last access updates disabled) is in effect by default and can be turned off through a registry key. This default clearly has a severe effect on how some types of cases are investigated, and examiners should take great care when using these date stamps as part of their examination.

Slide 13

$USNJRNL. The USN Journal is an NTFS logging feature that logs various transactions that occur on the file system. This feature is available in Windows 2000, Windows XP and Windows 2003, but it is disabled by default. In Windows Vista this feature is enabled by default, resulting in a verbose log of various file system changes. These changes are written to an internal NTFS metadata file named "$USNJRNL", specifically into an alternate data stream of that file. Various artifacts such as filenames, date stamps and MFT record numbers can be located in this journal, and it should be examined, as well as searched in Unicode, when looking for specific filenames.
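The journal's alternate data stream ($UsnJrnl:$J) is a sequence of USN_RECORD_V2 structures, which is why the filenames only show up in Unicode searches and why MFT record numbers and timestamps can be recovered from it. The following added example (not code from the deck or from Lance Mueller) parses such records from a constructed fragment, including the zero-filled sparse region that precedes live data and a record cut off at the end of the stream.

```python
"""Parse USN_RECORD_V2 entries from the $UsnJrnl:$J stream. Added example for this
deck, not Lance Mueller's code; the journal bytes below are constructed sample data."""
import struct
from datetime import datetime, timedelta, timezone
# Subset of the USN_REASON_* flags (winioctl.h) most useful when triaging a journal
REASONS = {0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME",
           0x2000: "RENAME_NEW_NAME", 0x8000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE"}
# 60-byte LE header: Len, Major, Minor, FileRef, ParentRef, Usn, Time, Reason, Src, SecId, Attrs, NameLen, NameOff
HDR = "<IHHQQqQIIIIHH"
HDR_LEN = struct.calcsize(HDR)

def filetime_to_dt(ft):  # FILETIME counts 100-ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_usn_records(data):
    """Decode V2 records; skip the zero runs of the sparse $J, stop at a truncated tail."""
    records, off = [], 0
    while off + HDR_LEN <= len(data):
        length = struct.unpack_from("<I", data, off)[0]
        if length == 0:                        # zero-filled (sparse) region
            off += 8
            continue
        if length < HDR_LEN or off + length > len(data):
            break                              # corrupt or cut off at stream end
        (_, major, _, fref, pref, usn, ts, reason, _, _, _,
         name_len, name_off) = struct.unpack_from(HDR, data, off)
        if major != 2:
            break
        name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({"usn": usn, "filename": name,           # name is UTF-16LE on disk
                        "mft_entry": fref & 0xFFFFFFFFFFFF,     # low 48 bits: MFT record
                        "mft_seq": fref >> 48,                  # high 16 bits: sequence no.
                        "parent_entry": pref & 0xFFFFFFFFFFFF, "timestamp": filetime_to_dt(ts),
                        "reasons": [n for bit, n in REASONS.items() if reason & bit]})
        off += (length + 7) & ~7               # records are 8-byte aligned
    return records

def build_record(usn, entry, seq, parent, ft, reason, name):  # constructs demo data only
    enc = name.encode("utf-16-le")
    length = (HDR_LEN + len(enc) + 7) & ~7
    hdr = struct.pack(HDR, length, 2, 0, (seq << 48) | entry, (1 << 48) | parent,
                      usn, ft, reason, 0, 0, 0x20, len(enc), HDR_LEN)
    return hdr + enc + b"\0" * (length - HDR_LEN - len(enc))

# Constructed $J fragment: sparse zeros, two full records, then one cut off mid-way
FT_2007_01_30 = 128146320000000000             # 2007-01-30 12:00:00 UTC as FILETIME
SAMPLE_J = (b"\0" * 64
            + build_record(4096, 42, 3, 5, FT_2007_01_30, 0x80000100, "notes.txt")
            + build_record(4176, 43, 1, 5, FT_2007_01_30 + 10_000_000, 0x80002000, "budget.xls")
            + build_record(4256, 44, 1, 5, FT_2007_01_30, 0x200, "tmp.dat")[:64])
```

Against a real image, feed the parser the exported $J stream; the reason flags tell you whether a name came from a create, delete or rename, and the entry/sequence pair lets you tie it back to an MFT record.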

Slide 14

Operating System Versions. Feature availability across the different Vista versions:
BitLocker – Enterprise & Ultimate (Enterprise only when a member of a domain)
Windows Volume Shadow Service (VSS) – Business, Enterprise & Ultimate
Encrypting File System (EFS) – Business, Enterprise & Ultimate
Able to join a domain – Business, Enterprise & Ultimate
Remote Desktop server – Business, Enterprise & Ultimate
Offline files and folder support – Business, Enterprise & Ultimate
IIS Web Server – Business, Enterprise & Ultimate

Slide 15

Directory Structure Changes. Windows Vista has changed most of the common directories we are accustomed to looking at while doing a forensic examination. The biggest change is where the user profiles are stored. In Windows 2000, XP & 2003, the Documents and Settings folder is where each user's profile is stored along with all their personal files. In Windows Vista, the new path C:\Users is used instead.

Slide 16

Directory Structure Changes. In the previous figure you can see that several junctions are now used to redirect to a different location, for example the Documents and Settings folder and the Default User folder:
C:\Documents & Settings -> C:\Users (Junction)
C:\Users\All Users -> C:\ProgramData (Symbolic Link)
C:\Users\Default User -> C:\Users\Default (Junction)

Slide 17

Directory Structure Changes. Under each user's folder there are additional folders and junction points.

Slide 18

Directory Structure Changes. The following chart shows where each junction shown in the previous figure points to:
<username>\Application Data -> \<username>\AppData\Roaming
<username>\Cookies -> \<username>\AppData\Roaming\Microsoft\Windows\Cookies
<username>\Local Settings -> \<username>\AppData\Local
<username>\My Documents -> \<username>\Documents
<username>\NetHood -> \<username>\AppData\Roaming\Microsoft\Windows\Network Shortcuts
<username>\PrintHood -> \<username>\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
<username>\Recent -> \<username>\AppData\Roaming\Microsoft\Windows\Recent
<username>\SendTo -> \<username>\AppData\Roaming\Microsoft\Windows\SendTo
<username>\Start Menu -> \<username>\AppData\Roaming\Microsoft\Windows\Start Menu
<username>\Templates -> \<username>\AppData\Roaming\Microsoft\Windows\Templates

Slide 19

Directory Structure Changes. Under the Documents folder there are three additional junctions:
<username>\Documents\My Music -> \<username>\Music
<username>\Documents\My Pictures -> \<username>\Pictures
<username>\Documents\My Videos -> \<username>\Videos

Slide 20

Additionally, the C:\Users\<username>\AppData\Local folder contains three further junctions. This folder structure is where the Internet history information is now stored.

Slide 21

Public Folders. In Windows XP, a folder named All Users was located under the Documents & Settings folder and served as a structure accessible by all users. In Vista this has been changed and is called "Public". Any files or folders located under the "Public" folder are accessible by everyone. Note that the structure on a live machine is different from what is seen from a forensic perspective.

Slide 22

Volume Shadow Service/Previous Version. The Volume Shadow Service was initially introduced in Windows XP in a limited way and then further enhanced in Windows 2003 Server. Its goal was to make copies of critical files that could then be safely backed up without file locking issues. It was off by default, and only a limited number of files or directories could be shadowed in Windows 2003.

Slide 23

Volume Shadow Service/Previous Version. The block-level changes that are saved by the "previous version" feature are stored in the System Volume Information folder as part of a restore point. This data is not encrypted (absent BitLocker) and can be easily searched using the EnCase search feature. In the root of the "System Volume Information" folder, several files can be seen with GUIDs as the filename.

Slide 24

Registry. Several new registry files have been added to Windows Vista. The following list represents all the registry hives on a default Vista system:
C:\Boot\BCD
C:\Windows\System32\config\RegBack\SECURITY
C:\Windows\System32\config\RegBack\SOFTWARE
C:\Windows\System32\config\RegBack\DEFAULT
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\COMPONENTS
C:\Windows\System32\config\RegBack\SYSTEM
C:\Windows\System32\config\BCD-Template
C:\Windows\System32\config\COMPONENTS
C:\Windows\System32\config\DEFAULT
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\SOFTWARE
C:\Windows\System32\config\SYSTEM
C:\Windows\winsxs\x86_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.0.6000.16386_none_25edb26a062d63a9\BCD-Template

Slide 25

Registry. The user's NTUSER.DAT file is still located in the root of the user's profile folder (C:\Users\<username>). Notice that Windows Vista now uses the "RegBack" folder rather than the "Repair" folder that Windows 2000/XP/2003 use for backup copies of the registry.

Slide 26

Registry virtualization Window
