encryptionwin7配置
win7配置 时间:2021-03-27 阅读:(
)
MicrosoftNetworkSecurityWindows7:CurrentEventsintheWorldofWindowsForensicsTroyLarsonSeniorForensicProgramManagerNetworkSecurity,MicrosoftCorp.
MicrosoftNetworkSecurityWhereAreWeNowVista&Windows2008–BitLocker.
–Format-Wipesthevolume.
–EXFAT.
–EventLogging—format,system,scheme.
–VirtualFolders&Registry.
–VolumeShadowCopy.
–Links,HardandSymbolic.
–ChangeJournal.
–RecycleBin.
–Superfetch.
MicrosoftNetworkSecurityWhereAreWeNowWindows7&Window2008R2–UpdatedBitLocker.
–BitLockerToGo.
–VHDs—Bootfrom,mountas"Disks.
"–XPMode.
–FlashMediaEnhancements.
–Libraries,StickyNotes,JumpLists.
–ServiceandDrivertriggers.
–I.
E.
8,InPrivateBrowsing,TabandSessionRecovery.
–EvenmoreVolumeShadowCopy.
MicrosoftNetworkSecurityDigitalForensicsSubjectMatterExpertise"Stack"ThankstoEoghanCasey.
FileSystemsNTFS,FAT32,EXFATFvevol.
sysMount,Partition&VolumeManagersApplications—e.
g.
,I.
E.
,etc.
OSArtifacts"Disk"MicrosoftNetworkSecurityWindows7"Disk"Notedisksignature:2E1400320x1b8-1bbMicrosoftNetworkSecurityWindows7"Disk"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0Diskpart>AutomountscrubMicrosoftNetworkSecurityVista"Disk"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume\1&19f7e59c&0&Signature2E140032Offset100000Length114FD00000MicrosoftNetworkSecurityPartitionsandVolumesFileSystemsNTFS,FAT32,EXFATFvevol.
sysMount,Partition&VolumeManagersApplications—e.
g.
,I.
E.
,etc.
OSArtifacts"Disk"VirtualHardDrivesCreateAttachDetachDeleteMicrosoftNetworkSecurityBitLocker:Windows7Duringinstalling,Windows7createsa"SystemReserved"volume—enablingsetupofBitLocker.
InVista,theSystemvolumewasgenerally1.
5GBormore.
MicrosoftNetworkSecurityBitLocker:VistaPhysicallevelviewoftheheaderofthebootsectorofaVistaBitLockerprotectedvolume:–0xEB52902D4656452D46532D–R-FVE-FS-MicrosoftNetworkSecurityBitLocker:Windows7PhysicallevelviewoftheheaderofthebootsectorofaWindows7BitLockerprotectedvolume:–0xEB58902D4656452D46532D–X-FVE-FS-MicrosoftNetworkSecurityBitLocker:Windows7Vista&Windows2008cannotunlockBitLockervolumescreatedwithWindows7or2008R2.
ForensicstoolsmaynotrecognizethenewBitLockervolumeheader.
MustuseWindows7or2008R2toopen(andimage)BitLockervolumesfromWindows7or2008R2.
MicrosoftNetworkSecurityBitLockerRevieworImagingFileSystemDriverFvevol.
sysVolumeManagerApplicationUserModeKernelModeFVEVOL.
SYSsitsunderneaththefilesystemdriverandperformsallencryption/decryption.
Oncebooted,Windows(andtheuser)seesnodifferenceinexperience.
Theencryption/decryptionhappensatbelowthefilesystem.
MicrosoftNetworkSecurityBitLockerRevieworImagingFileSystemDriverFvevol.
sysVolumeManagerApplicationUserModeKernelModeMicrosoftNetworkSecurityBitLockerRevieworImagingThe"More/Lessinformation"buttonwillprovidetheBitLockervolumerecoverykeyidentification.
MicrosoftNetworkSecurityBitLockerRevieworImagingBitLockerRecoveryKey783F5FF9-18D4-4C64-AD4A-CD3075CB8335.
txt:BitLockerDriveEncryptionRecoveryKeyTherecoverykeyisusedtorecoverthedataonaBitLockerprotecteddrive.
Toverifythatthisisthecorrectrecoverykeycomparetheidentificationwithwhatispresentedontherecoveryscreen.
Recoverykeyidentification:783F5FF9-18D4-4CFullrecoverykeyidentification:783F5FF9-18D4-4C64-AD4A-CD3075CB8335BitLockerRecoveryKey:528748-036938-506726-199056-621005-314512-037290-524293MicrosoftNetworkSecurityBitLockerRevieworImagingEntertherecoverykeyexactly.
MicrosoftNetworkSecurityBitLockerRevieworImagingViewedorimagedaspartofaphysicaldisk,BitLockervolumesappearencrypted.
MicrosoftNetworkSecurityBitLockerRevieworImagingToviewaBitLockervolumeasitappearsinitsunlockedstate,addressitasalogicalvolume.
MicrosoftNetworkSecurityBitLockerRevieworImagingMicrosoftNetworkSecurityFileSystemsFileSystemsNTFS,FAT32,EXFATFvevol.
sysMount,Partition&VolumeManagersApplications—e.
g.
,I.
E.
,etc.
OSArtifacts"Disk"MicrosoftNetworkSecurityFileSystemsSinceVistaSP1,Formatwipeswhileitformats.
http://support.
microsoft.
com/kb/941961Diskpart.
exe>CleanallMicrosoftNetworkSecurityFileSystems-Vista&Windows7NTFS–Symboliclinkstofiles,folders,andUNCpaths.
Bewarethe"ApplicationData"recursionloop.
Cf.
Linkfiles.
–Hardlinksareextensivelyused(\Winsxs).
–Disabledbydefault:UpdateLastAccessDate.
–Enabledbydefault:TheNTFSChangeJournal($USN:$J).
TransactionalNTFS($Tops:$T).
MicrosoftNetworkSecurityFileSystems-Vista&Windows7ThevolumeheaderofanEXFATvolume.
DoyourforensicstoolsreadEXFATMicrosoftNetworkSecurityOSArtifactsFileSystemsNTFS,FAT32,EXFATFvevol.
sysMount,Partition&VolumeManagersApplications—e.
g.
,I.
E.
,etc.
OSArtifacts"Disk"MicrosoftNetworkSecurityOSArtifacts—Recycle.
Bin[Volume]:\$Recycle.
Bin–$Recycle.
BinisvisibleinExplorer(viewhiddenfiles).
–PeruserstoreinasubfoldernamedwithaccountSID.
–NomoreInfo2files.
–Whenafileisdeleted—movedtotheRecycleBin—itgeneratestwofilesintheRecycleBin.
–$Iand$Rfiles.
$Ior$Rfollowedbyseveralrandomcharacters,thenoriginalextension.
Therandomcharactersarethesameforeach$I/$Rpair.
$Ifilemaintainstheoriginalnameandpath,aswellasthedeleteddate.
$Rfileretainstheoriginalfiledatastreamandotherattributes.
Thenameattributeischangedto$R******.
ext.
MicrosoftNetworkSecurityOSArtifacts—Recycle.
BinNotethedeleteddate(inblue).
MicrosoftNetworkSecurityOSArtifacts—Recycle.
BinMicrosoftNetworkSecurityOSArtifacts—FolderVirtualization–PartofUserAccessControl—Standardusercannotwritetocertainprotectedfolders.
C:\WindowsC:\ProgramFilesC:\ProgramData–Toallowstandardusertofunction,anywritestoprotectedfoldersare"virtualized"andwrittentoC:\Users\[user]\AppData\Local\VirtualStoreMicrosoftNetworkSecurityOSArtifacts—RegistryVirtualizationVirtualize(HKEY_LOCAL_MACHINE\SOFTWARE)Non-administratorwritesareredirectto:HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Keysexcludedfromvirtualization–HKEY_LOCAL_MACHINE\Software\Classes–HKEY_LOCAL_MACHINE\Software\Microsoft\Windows–HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNTMicrosoftNetworkSecurityOSArtifacts—RegistryVirtualizationLocationoftheregistryhivefilefortheVirtualStore–IsNOTtheuser'sNTUSER.
DAT–Itisstoredintheuser'sUsrClass.
dat\Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.
datInvestigationofVista-Windows2008R2requirestheinvestigatortoexamineatleasttwoaccountspecificregistryhivefilesforeachuseraccount.
–NTUSER.
DAT–UsrClass.
datMicrosoftNetworkSecurityOSArtifacts—LibrariesMicrosoftNetworkSecurityOSArtifacts—Libraries\Users\[account]\AppData\Roaming\Microsoft\Windows\Libraries.
MicrosoftNetworkSecurityOSArtifacts—LibrariesLibrariesareXMLfiles.
MicrosoftNetworkSecurityOSArtifacts—LibrariesMicrosoftNetworkSecurityOSArtifacts—ShellThe"Recent"foldercontainslinkfilesandtwosubfoldersat\User\[Account]\AppData\Roaming\Microsoft\Windows\Recent.
MicrosoftNetworkSecurityOSArtifacts—ShellMicrosoftNetworkSecurityOSArtifacts—Shell"AutomaticDestination"filesareintheStructuredStoragefileformat.
MicrosoftNetworkSecurityOSArtifacts—ShellMicrosoftNetworkSecurityOSArtifacts—ShellMicrosoftNetworkSecurityOSArtifacts—ChkdskLogs\SystemVolumeInformation\ChkdskMicrosoftNetworkSecurityOSArtifacts—Superfetch\Windows\PrefetchMicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyVolumeshadowcopiesarebitleveldifferentialbackupsofavolume.
–16KBblocks.
–Copyonwrite.
–VolumeShadowcopy"files"are"difference"files.
TheshadowcopyserviceisenabledbydefaultonVistaandWindows7,butnotonWindows2008or2008R2.
"Differencefiles"resideintheSystemVolumeInformationfolder.
MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyShadowcopiesarethesourcedataforRestorePointsandtheRestorePreviousVersionsfeatures.
Usedinbackupoperations.
Shadowcopiesprovidea"snapshot"ofavolumeataparticulartime.
Shadowcopiescanshowhowfileshavebeenaltered.
Shadowcopiescanretaindatathathaslaterbeendeleted,wiped,orencrypted.
MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyVolumeshadowcopiesdonotcontainacompleteimageofeverythingthatwasonthevolumeatthetimetheshadowcopywasmade.
MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyTheVolumeShadowCopydifferencefilesaremaintainedin"\SystemVolumeInformation"alongwithotherVSSdatafiles,includinganewregistryhive.
MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopy\SystemVolumeInformation\Syscache.
hveMicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyMicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyMicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyvssadminlistshadows/for=[volume]:MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyMicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyShadowcopiescanbeexposedthroughsymboliclinks.
Mklink/dC:\{test-shadow}\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyVolumeShadowscanbemounteddirectlyasnetworkshares.
netsharetestshadow=\\.
\HarddiskVolumeShadowCopy11\MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopy>psexec\\[computername]vssadminlistshadows/for=C:>psexec\\[computername]netsharetestshadow=\\.
\HarddiskVolumeShadowCopy20\PsExecv1.
94-Executeprocessesremotely.
.
.
testshadowwassharedsuccessfully.
netexitedon[computername]witherrorcode0.
>robocopy/S/R:1/W:1/LOG:D:\VSStestcopylog.
txt\\[computername]\testshadowD:\vssTestLogFile:D:\VSStestcopylog.
txt.
.
.
MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyOtherwaystocallshadowcopies:–\\localhost\C$\Users\troyla\Downloads(Yesterday,July20,2009,12:00AM)–\\localhost\C$\@GMT-2009.
07.
17-08.
45.
26\–MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyC:\Users\Troyla\Desktop\fau-1.
3.
0.
2390a\fau\FAU.
x64>ddif=\\.
\HarddiskVolumeShadowCopy11of=E:\shadow11.
dd–localwrtTheVistaFirewallFirewallisactivewithexceptions.
Copying\\.
\HarddiskVolumeShadowCopy11toE:\shadow11.
ddOutput:E:\shadow11.
dd136256155648bytes129943+1recordsin129943+1recordsout136256155648byteswrittenSucceeded!
C:\Users\Troyla\Desktop\fau-1.
3.
0.
2390a\fau\FAU.
x64>Shadowcopiescanbeimaged.
MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyImagesofshadowcopiescanbeopenedinforensicstoolsandappearaslogicalvolumes.
MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyDatathathasbeendeletedcanbecapturedbyshadowcopiesandavailableforretrievalinshadowcopyimages.
MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyEveryshadowcopydatasetshouldapproximatethesizeoftheoriginalvolume.
Amountofcasedata=(numberofshadowcopies)x(sizeofthevolume)+(sizeofthevolume).
10shadowcopies=692GBMicrosoftNetworkSecurityApplications—I.
E.
8FileSystemsNTFS,FAT32,EXFATFvevol.
sysMount,Partition&VolumeManagersApplications—e.
g.
,I.
E.
,etc.
OSArtifacts"Disk"MicrosoftNetworkSecurityApplications—I.
E.
8"C:\ProgramFiles(x86)\InternetExplorer\iexplore.
exe"-privateMicrosoftNetworkSecurityApplications—I.
E.
8Cachedataappearstobewritten,thendeleted.
MicrosoftNetworkSecurityApplications—I.
E.
8ResidualcachefilesfromInPrivatebrowsing.
MicrosoftNetworkSecurityApplications—I.
E.
8Tabandsessionrecovery—anewsourceforhistoricalbrowsinginformation.
\User\[Account]\AppData\Local\Microsoft\InternetExplorer\RecoveryMicrosoftNetworkSecurityApplications—I.
E.
8Recoveryfile:NotetheStructuredStoragefileformat.
MicrosoftNetworkSecurityApplications—I.
E.
8MicrosoftNetworkSecurity2009MicrosoftCorporation.
Allrightsreserved.
Microsoft,Windows,WindowsVistaandotherproductnamesareormayberegisteredtrademarksand/ortrademarksintheU.
S.
and/orothercountries.
TheinformationhereinisforinformationalpurposesonlyandrepresentsthecurrentviewofMicrosoftCorporationasofthedateofthispresentation.
BecauseMicrosoftmustrespondtochangingmarketconditions,itshouldnotbeinterpretedtobeacommitmentonthepartofMicrosoft,andMicrosoftcannotguaranteetheaccuracyofanyinformationprovidedafterthedateofthispresentation.
MICROSOFTMAKESNOWARRANTIES,EXPRESS,IMPLIEDORSTATUTORY,ASTOTHEINFORMATIONINTHISPRESENTATION.
HostYun 商家以前是玩具主机商,这两年好像发展还挺迅速的,有点在要做点事情的味道。在前面也有多次介绍到HostYun商家新增的多款机房方案,价格相对还是比较便宜的。到目前为止,我们可以看到商家提供的VPS主机包括KVM和XEN架构,数据中心可选日本、韩国、香港和美国的多个地区机房,电信双程CN2 GIA线路,香港和日本机房,均为国内直连线路。近期,HostYun上线低价版美国CN2 GIA ...
10GBIZ服务商经常有看到隔壁的一些博客分享内容,我翻看网站看之前有记录过一篇,只不过由于服务商是2020年新成立的所以分享内容比较谨慎。这不至今已经有将近两年的服务商而且云服务产品也比较丰富,目前有看到10GBIZ服务商有提供香港、美国洛杉矶等多机房的云服务器、独立服务器和站群服务器。其中比较吸引到我们用户的是亚洲节点的包括香港、日本等七星级网络服务。具体我们看看相关的配置和线路产品。第一、香...
云雀云(larkyun)当前主要运作国内线路的机器,最大提供1Gbps服务器,有云服务器(VDS)、也有独立服务器,对接国内、国外的效果都是相当靠谱的。此外,还有台湾hinet线路的动态云服务器和静态云服务器。当前,larkyun对广州移动二期正在搞优惠促销!官方网站:https://larkyun.top付款方式:支付宝、微信、USDT广移二期开售8折折扣码:56NZVE0YZN (试用于常州联...
win7配置为你推荐
newworldNew World Group是什么组织rawtoolsTF卡被写保护了怎么办?同ip域名什么是同主机域名百度关键词工具如何通过百度官方工具提升关键词排名www.522av.com在白虎网站bhwz.com看电影要安装什么播放器?网站检测请问,对网站进行监控检测的工具有哪些?haole10.com空人电影网改网址了?www.10yyy.cn是空人电影网么抓站工具仿站必备软件有哪些工具?最好好用的仿站工具是那个几个?www.zhiboba.com上什么网看哪个电视台直播NBAdadi.tv海信电视机上出现英文tvservice是什么意思?
www二级域名 香港服务器租用99idc 如何查询ip地址 个人域名备案 免费域名跳转 ipage idc评测 photonvps 5折 linkcloud 2014年感恩节 外国域名 win8升级win10正式版 debian源 服务器架设 一元域名 国外在线代理 台湾谷歌网址 dux 百兆独享 更多