SANS Computer Forensics, Investigation, and Response - Windows 7 Computer Forensics
“Windows 7 was released this past week. A lot of work by the SANS community has been accomplished at uncovering digital forensic artifacts from it. First off, Windows 7 is really Windows VISTA release 2. Many of the features that are found in Windows Vista will be found in Windows 7.
…
Here are just a few things we have helped document regarding Windows 7.
User Profiles:
With the release of Vista/Win7, Microsoft significantly changed the folder structure and mechanisms used by the operating system for user profiles. …
Internet Explorer:
The major change within Vista/Win7 that affects us when performing browser forensics is the newly implemented “Protected Mode”. …
USB Key Analysis:
…
USB Drive Enclosure Analysis:
…
Defrag Analysis:
…
Timeline Analysis: Kristinn Guðjónsson developed and released a full scope timeline creation tool called log2timeline that is able to parse many Windows Vista and Windows 7 artifacts in a single simple tool.
…
Shadow Copy Forensics:
Troy Larson from Microsoft has done a wonderful job continuing to discuss the Shadow Volume Copy and ways you can examine them in an investigation. We posted back in 2008 on many of his techniques.
http://blogs.sans.org/computer-forensics/2008/10/10/shadow-forensics/
…”
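As an added illustration of examining Shadow Volume Copies on a Vista/Win7 box (this is not code from the SANS post or from Troy Larson's material), the snippet below enumerates every snapshot through WMI and exposes each one as a directory symlink so its files can be browsed, hashed or collected like any ordinary folder. It assumes an elevated PowerShell 2.0+ prompt and uses C:\vsc as an arbitrary staging directory.

```powershell
# Added example: list Volume Shadow Copies and link each into C:\vsc\vscN.
# Assumes elevation (needed to read the snapshot devices) and PowerShell 2.0+.
$mountRoot = 'C:\vsc'   # assumption: staging directory for the symlinks
New-Item -ItemType Directory -Path $mountRoot -Force | Out-Null

$copies = Get-WmiObject -Class Win32_ShadowCopy | Sort-Object InstallDate
foreach ($vsc in $copies) {
    # InstallDate is a WMI datetime string; convert it for a readable timeline.
    $created = $vsc.ConvertToDateTime($vsc.InstallDate)
    # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
    $n    = ($vsc.DeviceObject -split 'HarddiskVolumeShadowCopy')[-1]
    $link = Join-Path $mountRoot ("vsc$n")
    Write-Host ("{0}  {1}  {2}" -f $created, $vsc.VolumeName, $vsc.DeviceObject)
    # mklink requires the trailing backslash on the device path; without it
    # the link is created but cannot be browsed.
    cmd /c mklink /d $link "$($vsc.DeviceObject)\" | Out-Null
}
# Each C:\vsc\vscN now mirrors the volume as it was at $created, so a file such as
# C:\vsc\vscN\Users\<user>\NTUSER.DAT can be compared across snapshots. Remove the
# links with rmdir when finished; that deletes only the link, never the snapshot.
```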
While this post, information and site are focused on computer forensics, that doesn’t mean the average Dev and IT’er can’t use it. ;)