Thursday, October 29, 2009

Computer Forensics in a Windows 7 (and Vista) world

SANS Computer Forensics, Investigation, and Response - Windows 7 Computer Forensics

“Windows 7 was released this past week. A lot of work by the SANS community has been accomplished at uncovering digital forensic artifacts from it. First off, Windows 7 is really Windows VISTA release 2. Many of the features that are found in Windows Vista will be found in Windows 7.

Here are just a few things we have helped document regarding Windows 7.

User Profiles:

With the release of Vista/Win7, Microsoft significantly changed the folder structure and mechanisms used by the operating system for user profiles. …

Internet Explorer:

The major change within Vista/Win7 that affects us when performing browser forensics is the newly implemented “Protected Mode”. …

USB Key Analysis:

USB Drive Enclosure Analysis:

Defrag Analysis:


Timeline Analysis:

Kristinn Guðjónsson developed and released a full scope timeline creation tool called log2timeline that is able to parse many Windows Vista and Windows 7 artifacts in a single simple tool.

Shadow Copy Forensics

Troy Larson from Microsoft has done a wonderful job continuing to discuss the Shadow Volume Copy and ways you can examine them in an investigation. We posted back in 2008 on many of his techniques.

http://blogs.sans.org/computer-forensics/2008/10/10/shadow-forensics/


While this post, information and site are focused on computer forensics, that doesn’t mean the average Dev and IT’er can’t use it.  ;)
