1 ::: Presentation title ::: August 22, 2007

HTCIA Conference, San Diego, California

August 29, 2007

Windows Vista What Has Changed

Can you guess the year?

Java was introduced?

Yahoo launched?

Star Trek Voyager?

19??

199?

Vista changes

Starting sector location

Default file and folder locations

Symbolic links

Time and date stamps

Transactional NTFS

Recycle Bin

ReadyBoost

BitLocker

Virtual Registry & Registry transaction logging

Event logs

Master boot record

Partition table

Old location for the VBR (volume boot record) is sector 63

New location for the VBR in Vista is sector 2048

Upgraded VBR
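To make the sector-63 versus sector-2048 point concrete, here is an added example (not code from the presentation or from Forensa) that reads the four primary partition entries from a raw MBR and reports where each partition's VBR starts, both as an LBA sector and as a byte offset into the disk image. The MBR bytes are constructed inline for the example; the classification strings and the helper names are this example's own.

```python
"""Locate the Volume Boot Record (VBR) of each partition from an MBR partition table."""
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # partition table starts at byte 446 of the MBR
ENTRY_SIZE = 16                # four 16-byte entries
MBR_SIGNATURE = b"\x55\xaa"    # boot signature at bytes 510-511

# Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4 LE) sector-count(4 LE)
ENTRY_FORMAT = "<B3xB3xII"


def parse_mbr(mbr):
    """Return the non-empty partition entries of a 512-byte MBR as dictionaries."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("MBR must be at least 512 bytes")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * ENTRY_SIZE
        status, ptype, lba_start, num_sectors = struct.unpack_from(ENTRY_FORMAT, mbr, offset)
        if ptype == 0:
            continue  # unused slot
        entries.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "num_sectors": num_sectors,
            # The VBR is the first sector of the partition; this is where to seek in the image.
            "vbr_byte_offset": lba_start * SECTOR_SIZE,
        })
    return entries


def describe_alignment(lba_start):
    """Map a start sector to the disk layout it is typical of (labels chosen for this example)."""
    if lba_start == 63:
        return "legacy layout (Windows 2000/XP/2003 style, VBR at sector 63)"
    if lba_start == 2048:
        return "Vista-style layout (VBR at sector 2048, 1 MiB aligned)"
    return "non-default start sector"


def build_sample_mbr(lba_start, num_sectors, ptype=0x07):
    """Constructed sample: a minimal MBR with one bootable NTFS-typed (0x07) partition."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into(ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET, 0x80, ptype, lba_start, num_sectors)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    for start in (63, 2048):
        for part in parse_mbr(build_sample_mbr(start, 409600)):
            print(f"partition {part['index']}: type 0x{part['type']:02x}, "
                  f"VBR at sector {part['lba_start']} "
                  f"(byte offset {part['vbr_byte_offset']}); {describe_alignment(part['lba_start'])}")
```

On a real image, read the first 512 bytes of the disk and pass them to parse_mbr; the returned vbr_byte_offset is the position to seek to before carving the NTFS boot sector. An extended-partition chain (type 0x05/0x0F) points at another MBR-style table rather than a VBR, so those entries need to be followed separately.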

Vista default folder locations

In Windows 2000, XP and 2003, the Documents and Settings folder holds each user's profile along with all of their personal documents

In Vista, C:\Users is used instead

Vista default user data locations (C:\Users\...\)

Symbolic links

Windows Vista now supports classic Unix-style symbolic links

C:\Documents and Settings is a symbolic link

A reparse point links C:\Documents and Settings to C:\Users

Last access date

In Vista, the last access date of a file is not updated when the file is accessed

This is controlled by the registry value NtfsDisableLastAccessUpdate under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

Transactional NTFS

Transactional NTFS adds transaction logging to NTFS

It allows a set of file system changes to be grouped and logged as a "transaction"

NTFS commits the changes only if they all complete successfully

If not, the changes are aborted and rolled back

Volume shadow copy and previous versions

The block-level changes saved by the "previous versions" feature are stored in the System Volume Information folder as part of a restore point

Recycle Bin

The contents of the recycle bin have changed in Vista, and the folder itself has been renamed to "$Recycle.bin"

The INFO2 file used in Windows 2000/XP/2003 has been removed

In Vista, two files are created when a file is deleted to the recycle bin; both share the same random-looking name

A file whose name begins with "$R" holds the data of the deleted file

A file whose name begins with "$I" holds the path where the file originally resided, as well as the date and time it was deleted
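As an added example (not code from the presentation or from Forensa), the following parses the $I metadata record that Vista writes beside each $R file and pairs the two names. It assumes the Vista-era $I layout: an 8-byte header of value 1, the original file size as an 8-byte integer, the deletion time as an 8-byte FILETIME, and a 520-byte null-padded UTF-16LE copy of the original path; it also accepts the later version-2 layout (header 2, path length-prefixed) used by newer Windows releases, which goes beyond the Vista case on the slide. The sample record, the path in it and the helper names are constructed for this example.

```python
"""Parse Vista-era $I recycle-bin metadata records and pair them with their $R data files."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # 260 UTF-16LE code units (MAX_PATH), null padded


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_i_file(data):
    """Decode a $I record into header version, original size, deletion time and original path."""
    version, original_size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista layout: fixed 520-byte path field, terminated/padded with nulls.
        path = data[24:24 + V1_PATH_BYTES].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        # Later layout (assumption noted in the lead-in): 4-byte char count, then the path.
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + 2 * nchars].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I header version {version}")
    return {
        "version": version,
        "original_size": original_size,
        "deleted_at": filetime_to_datetime(deleted_ft),
        "original_path": path,
    }


def matching_r_name(i_name):
    """$I and $R files share the random part of the name: $IABC123.txt pairs with $RABC123.txt."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_sample_i_file(path, original_size, deleted_ft):
    """Constructed sample: build a version-1 $I record for the given path, size and FILETIME."""
    raw = path.encode("utf-16-le")
    if len(raw) > V1_PATH_BYTES - 2:
        raise ValueError("path too long for a version-1 $I record")
    return struct.pack("<QQQ", 1, original_size, deleted_ft) + raw.ljust(V1_PATH_BYTES, b"\x00")


# Constructed record: deleted 2007-08-29 12:00:00 UTC (FILETIME 128328624000000000).
SAMPLE_I_NAME = "$IX7K2Q9.txt"
SAMPLE_I_FILE = build_sample_i_file(r"C:\Users\rich\Documents\notes.txt", 4096, 128328624000000000)

if __name__ == "__main__":
    record = parse_i_file(SAMPLE_I_FILE)
    print(f"{SAMPLE_I_NAME} -> data in {matching_r_name(SAMPLE_I_NAME)}")
    print(f"original path: {record['original_path']}")
    print(f"original size: {record['original_size']} bytes")
    print(f"deleted at:    {record['deleted_at'].isoformat()}")
```

Because the $I file carries the original path and deletion time while the $R file carries only the data, an examiner who recovers just an $R file still has the content but loses the provenance; recovering the matching $I file (same suffix) restores it. The per-user $Recycle.bin subfolders are named by SID, so the folder a pair sits in identifies which account deleted the file.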

ReadyBoost

Allows a user to add virtual memory by using a removable flash drive

Data written to the removable flash drive is encrypted with AES-128 or AES-256 (depending on Group Policy) before it is written to the flash drive

Registry virtualization

Vista includes a security feature called "registry virtualization"

Any write attempt by a non-administrator to the HKEY_LOCAL_MACHINE\Software registry key(s) causes the system to redirect the write into a virtual store in the user's profile:

HKEY_USERS\<User SID>_Classes\VirtualStore\Machine\Software

http://msdn2.microsoft.com/en-us/library/aa965884.aspx

New Registry files

C:\Boot\BCD
C:\Windows\System32\config\RegBack\SECURITY
C:\Windows\System32\config\RegBack\SOFTWARE
C:\Windows\System32\config\RegBack\DEFAULT
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\COMPONENTS
C:\Windows\System32\config\RegBack\SYSTEM
C:\Windows\System32\config\BCD-Template
C:\Windows\System32\config\COMPONENTS
C:\Windows\System32\config\DEFAULT
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\SOFTWARE
C:\Windows\System32\config\SYSTEM
C:\Windows\winsxs\x86_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.0.6000.16386_none_25edb26a062d63a9\BCD-Template

Windows Event Logs

Pre-Vista Event ID numbers translate to the new Vista Event ID numbers by adding 4096

BitLocker

At the physical level, the volume will be encrypted

At the logical level, the BitLocker protected volume can be unlocked

Temporary Internet files

The C:\Users\AppData\Local folder contains three additional junctions

This folder structure is where the Internet history information is now stored

Questions?

Contact information

Rich Russell

Forensa, 22525 SE 64th Place, Suite 205, Issaquah, WA 98027

www.forensa.com

[email protected]

ADS exposed!