

Figure 3.1. Windows XP System Restore Point functionality.

As illustrated in Figure 3.1, users can not only create Restore Points, but they can also restore the computer to an earlier time. Users could revert the core functionality of their systems to a previous state through the System Restore functionality, effectively recovering it to a previous state. This proved to be useful functionality, particularly when a user installed something (application, driver, etc.) that failed to work properly, or the system became infected with malware of some kind.

However, System Restore Points do not back up everything on a system; for example, user data files are not backed up (and are therefore not restored, either), and all of the data (specifically, the passwords) in the SAM hive of the Registry is not backed up, as you wouldn’t want users to restore their systems to a previous point in time and then be unable to access their systems because a previous password (which they may not remember) had been restored.

Figure 3.2. Windows 7 Previous Versions shell extension.

Okay, so what does this mean to the forensic analyst? From an analyst’s perspective, there is a great deal of historical information within backed-up files. Accessing these files can provide not just historical data (e.g., previous contents), but additional analysis can be conducted by comparing the available versions over time.

Registry Keys

As you’d expect, there are several Registry keys that have a direct impact on the performance of the VSS, the service that supports the various functions that lead to VSCs. As this is a Windows service, the primary key of interest is:

HKLM\System\CurrentControlSet\Services\VSS

However, it is important to understand that disabling the VSS may affect other applications aside from just disabling VSCs, such as Windows Backup. As such, care should be taken when disabling this service on production systems. Also, forensic analysts examining Vista and Windows 7 systems that do not appear to have any VSCs available should check this key to see if the service had been disabled prior to the system being acquired.

There’s another key within the System hive that affects VSC behavior:

HKLM\System\CurrentControlSet\Control\BackupRestore

Beneath this key are three subkeys: FilesNotToBackup, FilesNotToSnapshot, and KeysNotToRestore. The names should be pretty self-explanatory, but just in case, the FilesNotToBackup key contains a list of files and directories that (according to Microsoft; additional information is available at (v=vs.85).aspx) backup applications should not back up and restore. On a default Windows 7 installation, this list includes temporary files (as in those in the “%TEMP%” directory), the pagefile, the hibernation file (if one exists), the Offline Files Cache, Internet Explorer “index.dat” files, as well as a number of log file directories.
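The two checks described above (is the VSS service disabled, and what does FilesNotToBackup exclude) are easy to automate once the keys have been exported from an acquired System hive with `reg export` or an offline hive tool. The script below is an added example, not code from the book or from Microsoft: it parses the `.reg` text format, including the `hex(7):` encoding that exports use for REG_MULTI_SZ values and the trailing-backslash line continuation, and then reports the service Start type (0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled; VSS is Manual by default) and the exclusion list. The sample export embedded in the script is constructed for the demonstration, so the exact value names and paths on a real system may differ.

```python
"""Report VSS service state and FilesNotToBackup entries from a .reg export.

Added example for the chapter text; the embedded SAMPLE_REG is constructed
(value names/paths chosen to illustrate the checks), not a real export.
"""
import re

# Service "Start" values as used by the Service Control Manager.
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

VSS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS"
FNTB_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup"


def encode_multi_sz(strings):
    """Encode a REG_MULTI_SZ the way `reg export` does: hex(7): followed by the
    UTF-16LE bytes of each string, each NUL-terminated, plus a final NUL."""
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def decode_multi_sz(hex_payload):
    """Inverse of encode_multi_sz; empty strings are dropped (they only occur
    as the list terminator in well-formed data)."""
    data = bytes(int(h, 16) for h in hex_payload.split(",") if h)
    return [s for s in data.decode("utf-16-le").split("\x00") if s]


def parse_value(raw):
    """Convert the right-hand side of a .reg value line to a Python object."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(7):"):
        return decode_multi_sz(raw[len("hex(7):"):])
    if raw.startswith("hex:"):
        return bytes(int(h, 16) for h in raw[len("hex:"):].split(",") if h)
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \" and \\
    return raw  # other encodings (hex(2), hex(b), ...) left as raw text


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    Lines ending in a backslash are continuations of the previous line, which
    is how exports wrap long hex payloads.
    """
    logical, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        logical.append(line)

    keys, current = {}, None
    value_re = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
    for line in logical:
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = value_re.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) is None else re.sub(r"\\(.)", r"\1", m.group(1))
            keys[current][name] = parse_value(m.group(2))
    return keys


def vss_start_state(keys):
    """Human-readable Start type of the VSS service, e.g. 'Disabled'."""
    start = keys.get(VSS_KEY, {}).get("Start")
    return START_TYPES.get(start, f"Unknown ({start!r})")


def files_not_to_backup(keys):
    """Only the REG_MULTI_SZ entries, which is how the exclusions are stored."""
    return {n: v for n, v in keys.get(FNTB_KEY, {}).items() if isinstance(v, list)}


# Constructed sample export: VSS set to Disabled (4) and three exclusions.
# "Memory Page File" is written with a line continuation to exercise the parser.
SAMPLE_REG = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{VSS_KEY}]",
    '"DisplayName"="Volume Shadow Copy"',
    '"Start"=dword:00000004',
    "",
    f"[{FNTB_KEY}]",
    '"Temporary Files"=' + encode_multi_sz([r"%TEMP%\* /s"]),
    '"Memory Page File"=hex(7):5c,00,70,00,61,00,67,00,65,00,66,00,69,00,\\',
    "  6c,00,65,00,2e,00,73,00,79,00,73,00,00,00,00,00",
    '"Power Management"=' + encode_multi_sz([r"\hiberfil.sys"]),
])

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("VSS service Start type:", vss_start_state(parsed))
    for name, paths in files_not_to_backup(parsed).items():
        print(f"FilesNotToBackup / {name}: {paths}")
```

Run against a real export with `parse_reg(open("vss.reg", encoding="utf-16").read())`, since `reg export` writes UTF-16 by default; the same parser works for a FilesNotToSnapshot or KeysNotToRestore export by changing the key path constant.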
