Anti-Malware
- Windows Defender: Pop-Ups, Slow Performance, Spyware
- Software Explorer
- Windows Live OneCare (Spyware & Anti-Virus)
- Real-Time Protection
Data Protection
- Offline Attacks
- BitLocker Drive Encryption
- Trusted Platform Module (Secure Generation of Cryptographic Keys)
- Encrypting File System
Benefits to Investigations
- Control, Ownership & Intent
- Varying Levels of Users
- New Methods of Authentication
- Scheduled Backup & Restore
- Automatic Shadow Copy by Default (15% of Volume Reserved)
Challenges to Investigators
- Encryption
  - BitLocker Drive Encryption: Hard Drive (AES, TPM)
  - Encrypting File System
  - Encrypted E-Mail (Windows Mail)
- Reduction in Metadata
- Automatic Defragmentation
Event Logging
- Time, SID, Source, Message
- More than 50 Logs by Default
- C:\Windows\System32\winevt\Logs\
  - Application.evtx
  - HardwareEvents.evtx
  - Internet Explorer.evtx
  - Security.evtx
  - Setup.evtx
  - System.evtx
  - More...
Changes in Evidence: System Time Event
- Events are XML, but encoded in binary XML (BXML) rather than stored as plain text
- Practical test on Windows XP and Vista: a person wants to change the system time after the crime
- Possible in both, but the change is shown (logged) only in Vista
Disk Defragmentation
- Works the same way in XP as in Vista
- Simplified GUI, but more of a concern to investigators
- Disk defragmentation is scheduled to run automatically
- Implications for the recovery of deleted files
Last Access Dates
- Last access dates, updated in Windows XP, are no longer updated in Windows Vista
- In Windows Vista this behaviour is enabled by default
- This default setting obviously has a severe impact on investigators who rely on date stamps as part of their analysis
Windows Firewall
- Filters incoming and outgoing network connections
- From a forensic perspective: the logging mechanism
- The log is disabled by default
- C:\Windows\System32\LogFiles\Firewall\pfirewall.log
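When logging has been turned on, pfirewall.log is a plain-text file in W3C extended log format: comment lines beginning with "#" describe the file, and the "#Fields:" line names the columns of every entry that follows. The Python below is an added example, not part of the original slides; it uses the field header to name the columns, skips lines that do not fit the header, and summarises dropped inbound connections per source address. The log lines embedded in SAMPLE_LOG are constructed for the example, and the empty-file branch reflects the slide's point that logging is off by default.

```python
"""Parse a Windows Firewall pfirewall.log (W3C extended log format) and summarise it.
Added example; the log lines below are constructed, not taken from a real system."""
from collections import Counter, defaultdict

# Constructed sample of the W3C-style log Vista writes once logging is enabled.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-03-12 09:15:02 DROP TCP 192.0.2.10 192.0.2.55 4123 445 48 S 1234 0 8192 - - - RECEIVE
2007-03-12 09:15:03 DROP TCP 192.0.2.10 192.0.2.55 4124 139 48 S 1235 0 8192 - - - RECEIVE
2007-03-12 09:15:07 ALLOW UDP 192.0.2.55 192.0.2.1 51000 53 0 - - - - - - - SEND
2007-03-12 09:16:30 DROP TCP 192.0.2.10 192.0.2.55 4125 3389 48 S 1236 0 8192 - - - RECEIVE
2007-03-12 09:16:31 garbage line that does not match the field list
"""


def parse_pfirewall(text):
    """Return (entries, skipped): one dict per entry, columns named from the
    #Fields header. Lines whose column count differs from the header are skipped."""
    fields = None
    entries, skipped = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            skipped += 1          # data before any #Fields header cannot be named
            continue
        cols = line.split()
        if len(cols) != len(fields):
            skipped += 1          # malformed or truncated entry
            continue
        entries.append(dict(zip(fields, cols)))
    return entries, skipped


def summarise(entries):
    """Count actions and collect, per source address, the inbound ports it was dropped on."""
    actions = Counter(e["action"] for e in entries)
    dropped_ports = defaultdict(set)
    for e in entries:
        if e["action"] == "DROP" and e["path"] == "RECEIVE":
            dropped_ports[e["src-ip"]].add(int(e["dst-port"]))
    return {
        "actions": dict(actions),
        "dropped_inbound_by_src": {ip: sorted(p) for ip, p in dropped_ports.items()},
    }


def analyse(text):
    """Full report for one log file; an empty log is reported, not treated as an error."""
    entries, skipped = parse_pfirewall(text)
    if not entries:
        # Logging is disabled by default on Vista, so an absent or empty file is common.
        return {"entries": 0, "skipped": skipped,
                "note": "no entries; was firewall logging enabled?"}
    report = summarise(entries)
    report["entries"] = len(entries)
    report["skipped"] = skipped
    return report


if __name__ == "__main__":
    import pprint
    pprint.pprint(analyse(SAMPLE_LOG))
```

To run it against a real acquisition, read the copied pfirewall.log into a string and pass it to analyse(); the field list is taken from the file itself, so a log with a different header version still parses.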
Windows Search Engine
- Windows Vista: new search engine and indexing feature
- Users can now save their searches and review the results: C:\Users\XXXX\Searches
- The Indexing Service quickly locates files: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\systemIndex\Indexer\CiFiles
- Vista maintains several index files
Shadow Volume Copy
- Acts as a block device: a layer between the device and the file system
- An application writes data to disk; upon write, the overwritten block moves to the shadow copy
- The shadow copy holds only the blocks that changed