Thursday, October 29, 2009

Computer Forensics in a Windows 7 (and Vista) world

SANS Computer Forensics, Investigation, and Response - Windows 7 Computer Forensics

“Windows 7 was released this past week. A lot of work by the SANS community has been accomplished at uncovering digital forensic artifacts from it. First off, Windows 7 is really Windows VISTA release 2. Many of the features that are found in Windows Vista will be found in Windows 7.

Here are just a few things we have helped document regarding Windows 7.

User Profiles:

With the release of Vista/Win7, Microsoft significantly changed the folder structure and mechanisms used by the operating system for user profiles. …

Internet Explorer:

The major change within Vista/Win7 that affects us when performing browser forensics is the newly implemented “Protected Mode”. …

USB Key Analysis:

USB Drive Enclosure Analysis:

Defrag Analysis:

Timeline Analysis:

Kristinn Guðjónsson developed and released a full scope timeline creation tool called log2timeline that is able to parse many Windows Vista and Windows 7 artifacts in a single simple tool.

Shadow Copy Forensics:

Troy Larson from Microsoft has done a wonderful job continuing to discuss the Shadow Volume Copy and ways you can examine them in an investigation. We posted back in 2008 on many of his techniques.

While this post, information and site are focused on computer forensics, that doesn’t mean the average Dev and IT’er can’t use it.  ;)
