First Looks: Forensic Examinations of Windows Vista
Lance Mueller

Sample Evidence File
Please start EnCase and load the sample Windows Vista EnCase evidence file. The evidence file is located here: C:\Evidence\Mueller
As we walk through the various changes and artifacts in Windows Vista, you are encouraged to look at these changes and explore the Vista evidence file. Please feel free to ask questions or make comments; I have 45 slides to present in an hour and a half, so you do the math ;)

Introduction
Windows Vista is the new Microsoft operating system that was released to the general public at the beginning of 2007. This section is intended to give an overview of the new features and the differences from previous versions of Windows from the forensic viewpoint. There are many changes in the new Vista operating system compared with Windows XP or Windows 2000, most of them in the user interface. This presentation will not cover trivial UI changes unless they have a direct effect on how a forensic exam is conducted. This presentation does not describe every possible change that impacts forensic examinations; rather, it covers the core areas an examiner will encounter and explains what effect a particular Vista feature may have on conducting a forensic examination.

Agenda
File System Changes:
NTFS Version & Structure
Volume Boot Record
Symbolic Links
Last Access Times
USNJRNL

Agenda
Operating System Changes:
Vista Versions
Directory Structure Changes
Volume Shadow Service/Previous Version feature
Registry Changes
Virtualized Folders
Recycle Bin
Event Logs
Windows Search Engine (Indexing)
Public Folders
Windows Photo Gallery
Contact Manager
Sleep Mode

Agenda
Windows Mail
Windows Firewall
Thumbnail Cache
ReadyBoost
Accessing Physical Memory
Other Relevant Changes
BitLocker

NTFS Version

Volume Boot Record
Common location of the VBR on a hard drive using 63 sectors per track (PS63). New location of the VBR in Vista (PS2048).
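The move of the VBR from physical sector 63 to sector 2048 is easy to miss if a tool assumes the old offset. The following added example (not from the presentation or the evidence file) parses the MBR partition table of a constructed sample disk image to locate the VBR and checks the NTFS OEM ID at that offset, so the XP layout and the Vista layout are both handled:

```python
import struct

SECTOR = 512
PART_TABLE_OFF = 446            # the four 16-byte MBR partition entries start here
NTFS_OEM_ID = b"NTFS    "       # bytes 3..10 of an NTFS volume boot record

def partition_entries(mbr):
    """Return (bootable, type_id, start_lba, sector_count) for each used MBR slot."""
    entries = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype:                                   # type 0 means the slot is empty
            entries.append((boot == 0x80, ptype, start, count))
    return entries

def locate_ntfs_vbr(image):
    """Byte offset of the first NTFS VBR the MBR points at, or None.

    XP-era partitioning starts the first partition at physical sector 63
    (VBR at 0x7E00); Vista aligns it at sector 2048 (VBR at 0x100000).
    The OEM ID is checked so a bogus or wiped table is not trusted blindly.
    """
    for _boot, _ptype, start_lba, _count in partition_entries(image[:SECTOR]):
        off = start_lba * SECTOR
        if image[off + 3:off + 11] == NTFS_OEM_ID:
            return off
    return None

def build_image(start_lba):
    """Constructed sample disk: an MBR plus one NTFS partition starting at start_lba."""
    img = bytearray((start_lba + 1) * SECTOR)
    img[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack("<B3xB3xII", 0x80, 0x07, start_lba, 1)
    img[510:512] = b"\x55\xaa"                      # MBR signature
    vbr = start_lba * SECTOR
    img[vbr:vbr + 3] = b"\xeb\x52\x90"              # NTFS boot sector jump
    img[vbr + 3:vbr + 11] = NTFS_OEM_ID
    img[vbr + 510:vbr + 512] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    for lba in (63, 2048):                          # XP layout vs. Vista layout
        print(f"partition at LBA {lba:>4}: VBR at byte offset {locate_ntfs_vbr(build_image(lba)):#x}")
```

On a real image the same function can be pointed at the first sector of the acquired drive; the OEM ID check is what tells an examiner the table entry really lands on an NTFS boot sector.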

Symbolic Links
Windows Vista now supports true Unix-style symbolic links. This is really an additional feature on top of the already existing reparse point feature of the NTFS file system. Reparse points were introduced in Windows 2000 and offered a few unique features:
Junctions – allow a user to graft one folder in the file system tree onto another folder.
Hard Link – allows a user to create multiple links to the same data. For all intents and purposes every link was the same as the original, and it was difficult to tell which was the original.
Mount Points – allow a user to graft a volume onto an existing folder.
Symbolic Link (Vista only) – the new Vista symbolic link feature is different from a hard link in that symbolic links can point to files & folders (hard links can only point to files) as well as to objects on other volumes or network shares.
A default installation of Windows Vista has several occurrences of symbolic links, which we will look at in the Operating System Changes section later in this presentation.

Symbolic Links

Last Access Dates
The last access dates in Windows Vista are no longer updated when a file is accessed. Microsoft explains that with all the new file system transactional journaling, it was somewhat of a performance hit, so they have disabled them by default. In Windows Vista, this behavior is enabled by default. It can be turned off through a registry key. This default setting obviously has a severe effect on how some types of cases are investigated, and examiners should take great care when using these date stamps as part of their examination.

$USNJRNL
The USN Journal is an NTFS logging feature that logs various transactions that occur on the file system. This feature is available in Windows 2000, Windows XP and Windows 2003, but it is disabled by default. In Windows Vista, this feature is enabled by default, resulting in a verbose log of various file system changes. These changes are written to an internal NTFS metadata file named “$USNJRNL”, specifically into an alternate data stream of that file. Various artifacts, such as filenames, date stamps and MFT record numbers, can be located in this journal; it should be examined, and searched in Unicode when looking for specific filenames.
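To show what those artifacts look like inside the alternate data stream, here is an added example (not code from the presentation) that walks a constructed fragment of $UsnJrnl:$J, decodes each USN_RECORD_V2 and pulls out the filename, FILETIME stamp, reason flags and the MFT record number packed into the file reference; the record layout and reason flag values are the ones documented by Microsoft, the sample records are constructed:

```python
import struct
from datetime import datetime, timedelta, timezone

USN_HDR = struct.Struct("<IHHQQqqIIIIHH")   # 60-byte USN_RECORD_V2 header, name follows
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE", 0x200: "FILE_DELETE",
           0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME counts 100 ns ticks from here

def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_usn_records(data):
    """Walk a $UsnJrnl:$J buffer and yield one dict per USN_RECORD_V2."""
    pos = 0
    while pos + USN_HDR.size <= len(data):
        (length, major, minor, frn, parent_frn, usn, ts, reason,
         _src, _sid, _attrs, name_len, name_off) = USN_HDR.unpack_from(data, pos)
        if length == 0:                      # zero padding (sparse head of $J): step ahead
            pos += 8
            continue
        if (major, minor) != (2, 0) or length < USN_HDR.size:
            raise ValueError(f"unsupported USN record at offset {pos:#x}")
        yield {
            "usn": usn,
            "mft_record": frn & 0xFFFFFFFFFFFF,           # low 48 bits: MFT entry number
            "mft_sequence": frn >> 48,                    # high 16 bits: reuse sequence
            "parent_record": parent_frn & 0xFFFFFFFFFFFF,
            "timestamp": filetime_to_dt(ts),
            "reasons": [n for bit, n in REASONS.items() if reason & bit],
            # the name is UTF-16LE, which is why keyword searches of $J must be run in Unicode
            "filename": data[pos + name_off:pos + name_off + name_len].decode("utf-16-le"),
        }
        pos += length

def make_record(usn, frn, parent, when, reason, name):
    """Build a constructed USN_RECORD_V2 (used only for the sample journal below)."""
    enc = name.encode("utf-16-le")
    length = (USN_HDR.size + len(enc) + 7) & ~7           # records are 8-byte aligned
    ft = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    hdr = USN_HDR.pack(length, 2, 0, frn, parent, usn, ft, reason, 0, 0, 0x20, len(enc), USN_HDR.size)
    return hdr + enc + bytes(length - USN_HDR.size - len(enc))

# Constructed $J fragment: 16 bytes of sparse padding, then a create and a delete+close of one file.
T0 = datetime(2007, 1, 30, 9, 15, tzinfo=timezone.utc)
SAMPLE_J = (bytes(16)
            + make_record(16, (5 << 48) | 0x1234, 5, T0, 0x100, "secret.docx")
            + make_record(104, (5 << 48) | 0x1234, 5, T0 + timedelta(minutes=3), 0x200 | 0x80000000, "secret.docx"))
```

Calling list(parse_usn_records(SAMPLE_J)) yields the create and the delete of secret.docx with their timestamps and MFT entry 0x1234, which is the kind of record an examiner recovers even after the file itself is gone.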

Operating System Versions
Feature availability in the different Vista versions:
BitLocker – Enterprise & Ultimate (Enterprise only when a member of a domain)
Windows Volume Shadow Service (VSS) – Business, Enterprise & Ultimate
Encrypting File System (EFS) – Business, Enterprise & Ultimate
Able to join a domain – Business, Enterprise & Ultimate
Remote Desktop server – Business, Enterprise & Ultimate
Offline files and folder support – Business, Enterprise & Ultimate
IIS Web Server – Business, Enterprise & Ultimate

Directory Structure Changes
Windows Vista has changed many of the common directories we are accustomed to looking at while doing a forensic examination. The biggest change is where the user profiles are stored. In Windows 2000, XP & 2003, the Documents and Settings folder is where each user's profile is stored along with all their personal files. In Windows Vista, the new path C:\Users is used instead.

Directory Structure Changes
In the previous figure you can see that several Junctions are now used to redirect to a different location, for example the Documents and Settings folder and the Default User folder:
C:\Documents and Settings -> C:\Users (Junction)
C:\Users\All Users -> C:\ProgramData (Symbolic Link)
C:\Users\Default User -> C:\Users\Default (Junction)

Directory Structure Changes
Under each user's folder there are additional folders and Junction points.

Directory Structure Changes
The following outline shows where each Junction shown in the previous figure points to:
<username>\Application Data -> \<username>\AppData\Roaming
<username>\Cookies -> \<username>\AppData\Roaming\Microsoft\Windows\Cookies
<username>\Local Settings -> \<username>\AppData\Local
<username>\My Documents -> \<username>\Documents
<username>\NetHood -> \<username>\AppData\Roaming\Microsoft\Windows\Network Shortcuts
<username>\PrintHood -> \<username>\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
<username>\Recent -> \<username>\AppData\Roaming\Microsoft\Windows\Recent
<username>\SendTo -> \<username>\AppData\Roaming\Microsoft\Windows\SendTo
<username>\Start Menu -> \<username>\AppData\Roaming\Microsoft\Windows\Start Menu
<username>\Templates -> \<username>\AppData\Roaming\Microsoft\Windows\Templates

Directory Structure Changes
Under the Documents folder there are three additional Junctions:
<username>\Documents\My Music -> \<username>\Music
<username>\Documents\My Pictures -> \<username>\Pictures
<username>\Documents\My Videos -> \<username>\Videos

In addition, the C:\Users\<username>\AppData\Local folder contains three additional Junctions. This folder structure is where the Internet history information is now stored.

Public Folders
In Windows XP, a folder named All Users was located under the Documents and Settings folder and served as a structure accessible to all users. In Vista, this has been changed and is called “Public”. Any files or folders located under the “Public” folder are accessible to everyone. Note that the structure seen on a live machine is different from what is seen from a forensic perspective.

Volume Shadow Service/Previous Version
The Volume Shadow Service was initially introduced in Windows XP in a limited manner and then further enhanced in Windows 2003 Server. Its goal was to make copies of critical files that could then be safely backed up without running into file locking issues. It was off by default, and only a limited number of files or directories could be shadowed in Windows 2003.

Volume Shadow Service/Previous Version
The block-level changes saved by the “previous version” feature are stored in the System Volume Information folder as part of a restore point. This data is not encrypted (absent BitLocker) and can easily be searched using the EnCase search feature. In the root of the “System Volume Information” folder, several files can be seen with GUIDs as the filename.

Registry
Several new registry files have been added to Windows Vista. The following list represents all the registry hives on a default Vista system:
C:\Boot\BCD
C:\Windows\System32\config\RegBack\SECURITY
C:\Windows\System32\config\RegBack\SOFTWARE
C:\Windows\System32\config\RegBack\DEFAULT
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\COMPONENTS
C:\Windows\System32\config\RegBack\SYSTEM
C:\Windows\System32\config\BCD-Template
C:\Windows\System32\config\COMPONENTS
C:\Windows\System32\config\DEFAULT
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\SOFTWARE
C:\Windows\System32\config\SYSTEM
C:\Windows\winsxs\x86_microsoft-windows-b..- bcdtemplate-client_31bf3856ad364e35_6.0.6000.16386_none_25edb26a062d63a9\BCD-Template

Registry
The user's NTUSER.DAT file is still located in the root of the user's profile folder (C:\Users\<username>). Notice that Windows Vista now uses the “RegBack” folder rather than the “Repair” folder that Windows 2000/XP/2003 used for backup copies of the registry.

Registry virtualization Window

