encryptionwin7配置
win7配置 时间:2021-03-27 阅读:(
)
MicrosoftNetworkSecurityWindows7:CurrentEventsintheWorldofWindowsForensicsTroyLarsonSeniorForensicProgramManagerNetworkSecurity,MicrosoftCorp.
MicrosoftNetworkSecurityWhereAreWeNowVista&Windows2008–BitLocker.
–Format-Wipesthevolume.
–EXFAT.
–EventLogging—format,system,scheme.
–VirtualFolders&Registry.
–VolumeShadowCopy.
–Links,HardandSymbolic.
–ChangeJournal.
–RecycleBin.
–Superfetch.
MicrosoftNetworkSecurityWhereAreWeNowWindows7&Window2008R2–UpdatedBitLocker.
–BitLockerToGo.
–VHDs—Bootfrom,mountas"Disks.
"–XPMode.
–FlashMediaEnhancements.
–Libraries,StickyNotes,JumpLists.
–ServiceandDrivertriggers.
–I.
E.
8,InPrivateBrowsing,TabandSessionRecovery.
–EvenmoreVolumeShadowCopy.
MicrosoftNetworkSecurityDigitalForensicsSubjectMatterExpertise"Stack"ThankstoEoghanCasey.
FileSystemsNTFS,FAT32,EXFATFvevol.
sysMount,Partition&VolumeManagersApplications—e.
g.
,I.
E.
,etc.
OSArtifacts"Disk"MicrosoftNetworkSecurityWindows7"Disk"Notedisksignature:2E1400320x1b8-1bbMicrosoftNetworkSecurityWindows7"Disk"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0Diskpart>AutomountscrubMicrosoftNetworkSecurityVista"Disk"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume\1&19f7e59c&0&Signature2E140032Offset100000Length114FD00000MicrosoftNetworkSecurityPartitionsandVolumesFileSystemsNTFS,FAT32,EXFATFvevol.
sysMount,Partition&VolumeManagersApplications—e.
g.
,I.
E.
,etc.
OSArtifacts"Disk"VirtualHardDrivesCreateAttachDetachDeleteMicrosoftNetworkSecurityBitLocker:Windows7Duringinstalling,Windows7createsa"SystemReserved"volume—enablingsetupofBitLocker.
InVista,theSystemvolumewasgenerally1.
5GBormore.
MicrosoftNetworkSecurityBitLocker:VistaPhysicallevelviewoftheheaderofthebootsectorofaVistaBitLockerprotectedvolume:–0xEB52902D4656452D46532D–R-FVE-FS-MicrosoftNetworkSecurityBitLocker:Windows7PhysicallevelviewoftheheaderofthebootsectorofaWindows7BitLockerprotectedvolume:–0xEB58902D4656452D46532D–X-FVE-FS-MicrosoftNetworkSecurityBitLocker:Windows7Vista&Windows2008cannotunlockBitLockervolumescreatedwithWindows7or2008R2.
ForensicstoolsmaynotrecognizethenewBitLockervolumeheader.
MustuseWindows7or2008R2toopen(andimage)BitLockervolumesfromWindows7or2008R2.
MicrosoftNetworkSecurityBitLockerRevieworImagingFileSystemDriverFvevol.
sysVolumeManagerApplicationUserModeKernelModeFVEVOL.
SYSsitsunderneaththefilesystemdriverandperformsallencryption/decryption.
Oncebooted,Windows(andtheuser)seesnodifferenceinexperience.
Theencryption/decryptionhappensatbelowthefilesystem.
MicrosoftNetworkSecurityBitLockerRevieworImagingFileSystemDriverFvevol.
sysVolumeManagerApplicationUserModeKernelModeMicrosoftNetworkSecurityBitLockerRevieworImagingThe"More/Lessinformation"buttonwillprovidetheBitLockervolumerecoverykeyidentification.
MicrosoftNetworkSecurityBitLockerRevieworImagingBitLockerRecoveryKey783F5FF9-18D4-4C64-AD4A-CD3075CB8335.
txt:BitLockerDriveEncryptionRecoveryKeyTherecoverykeyisusedtorecoverthedataonaBitLockerprotecteddrive.
Toverifythatthisisthecorrectrecoverykeycomparetheidentificationwithwhatispresentedontherecoveryscreen.
Recoverykeyidentification:783F5FF9-18D4-4CFullrecoverykeyidentification:783F5FF9-18D4-4C64-AD4A-CD3075CB8335BitLockerRecoveryKey:528748-036938-506726-199056-621005-314512-037290-524293MicrosoftNetworkSecurityBitLockerRevieworImagingEntertherecoverykeyexactly.
MicrosoftNetworkSecurityBitLockerRevieworImagingViewedorimagedaspartofaphysicaldisk,BitLockervolumesappearencrypted.
MicrosoftNetworkSecurityBitLockerRevieworImagingToviewaBitLockervolumeasitappearsinitsunlockedstate,addressitasalogicalvolume.
MicrosoftNetworkSecurityBitLockerRevieworImagingMicrosoftNetworkSecurityFileSystemsFileSystemsNTFS,FAT32,EXFATFvevol.
sysMount,Partition&VolumeManagersApplications—e.
g.
,I.
E.
,etc.
OSArtifacts"Disk"MicrosoftNetworkSecurityFileSystemsSinceVistaSP1,Formatwipeswhileitformats.
http://support.
microsoft.
com/kb/941961Diskpart.
exe>CleanallMicrosoftNetworkSecurityFileSystems-Vista&Windows7NTFS–Symboliclinkstofiles,folders,andUNCpaths.
Bewarethe"ApplicationData"recursionloop.
Cf.
Linkfiles.
–Hardlinksareextensivelyused(\Winsxs).
–Disabledbydefault:UpdateLastAccessDate.
–Enabledbydefault:TheNTFSChangeJournal($USN:$J).
TransactionalNTFS($Tops:$T).
MicrosoftNetworkSecurityFileSystems-Vista&Windows7ThevolumeheaderofanEXFATvolume.
DoyourforensicstoolsreadEXFATMicrosoftNetworkSecurityOSArtifactsFileSystemsNTFS,FAT32,EXFATFvevol.
sysMount,Partition&VolumeManagersApplications—e.
g.
,I.
E.
,etc.
OSArtifacts"Disk"MicrosoftNetworkSecurityOSArtifacts—Recycle.
Bin[Volume]:\$Recycle.
Bin–$Recycle.
BinisvisibleinExplorer(viewhiddenfiles).
–PeruserstoreinasubfoldernamedwithaccountSID.
–NomoreInfo2files.
–Whenafileisdeleted—movedtotheRecycleBin—itgeneratestwofilesintheRecycleBin.
–$Iand$Rfiles.
$Ior$Rfollowedbyseveralrandomcharacters,thenoriginalextension.
Therandomcharactersarethesameforeach$I/$Rpair.
$Ifilemaintainstheoriginalnameandpath,aswellasthedeleteddate.
$Rfileretainstheoriginalfiledatastreamandotherattributes.
Thenameattributeischangedto$R******.
ext.
MicrosoftNetworkSecurityOSArtifacts—Recycle.
BinNotethedeleteddate(inblue).
MicrosoftNetworkSecurityOSArtifacts—Recycle.
BinMicrosoftNetworkSecurityOSArtifacts—FolderVirtualization–PartofUserAccessControl—Standardusercannotwritetocertainprotectedfolders.
C:\WindowsC:\ProgramFilesC:\ProgramData–Toallowstandardusertofunction,anywritestoprotectedfoldersare"virtualized"andwrittentoC:\Users\[user]\AppData\Local\VirtualStoreMicrosoftNetworkSecurityOSArtifacts—RegistryVirtualizationVirtualize(HKEY_LOCAL_MACHINE\SOFTWARE)Non-administratorwritesareredirectto:HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Keysexcludedfromvirtualization–HKEY_LOCAL_MACHINE\Software\Classes–HKEY_LOCAL_MACHINE\Software\Microsoft\Windows–HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNTMicrosoftNetworkSecurityOSArtifacts—RegistryVirtualizationLocationoftheregistryhivefilefortheVirtualStore–IsNOTtheuser'sNTUSER.
DAT–Itisstoredintheuser'sUsrClass.
dat\Users\[user]\AppData\Local\Microsoft\Windows\UsrClass.
datInvestigationofVista-Windows2008R2requirestheinvestigatortoexamineatleasttwoaccountspecificregistryhivefilesforeachuseraccount.
–NTUSER.
DAT–UsrClass.
datMicrosoftNetworkSecurityOSArtifacts—LibrariesMicrosoftNetworkSecurityOSArtifacts—Libraries\Users\[account]\AppData\Roaming\Microsoft\Windows\Libraries.
MicrosoftNetworkSecurityOSArtifacts—LibrariesLibrariesareXMLfiles.
MicrosoftNetworkSecurityOSArtifacts—LibrariesMicrosoftNetworkSecurityOSArtifacts—ShellThe"Recent"foldercontainslinkfilesandtwosubfoldersat\User\[Account]\AppData\Roaming\Microsoft\Windows\Recent.
MicrosoftNetworkSecurityOSArtifacts—ShellMicrosoftNetworkSecurityOSArtifacts—Shell"AutomaticDestination"filesareintheStructuredStoragefileformat.
MicrosoftNetworkSecurityOSArtifacts—ShellMicrosoftNetworkSecurityOSArtifacts—ShellMicrosoftNetworkSecurityOSArtifacts—ChkdskLogs\SystemVolumeInformation\ChkdskMicrosoftNetworkSecurityOSArtifacts—Superfetch\Windows\PrefetchMicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyVolumeshadowcopiesarebitleveldifferentialbackupsofavolume.
–16KBblocks.
–Copyonwrite.
–VolumeShadowcopy"files"are"difference"files.
TheshadowcopyserviceisenabledbydefaultonVistaandWindows7,butnotonWindows2008or2008R2.
"Differencefiles"resideintheSystemVolumeInformationfolder.
MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyShadowcopiesarethesourcedataforRestorePointsandtheRestorePreviousVersionsfeatures.
Usedinbackupoperations.
Shadowcopiesprovidea"snapshot"ofavolumeataparticulartime.
Shadowcopiescanshowhowfileshavebeenaltered.
Shadowcopiescanretaindatathathaslaterbeendeleted,wiped,orencrypted.
MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyVolumeshadowcopiesdonotcontainacompleteimageofeverythingthatwasonthevolumeatthetimetheshadowcopywasmade.
MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyTheVolumeShadowCopydifferencefilesaremaintainedin"\SystemVolumeInformation"alongwithotherVSSdatafiles,includinganewregistryhive.
MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopy\SystemVolumeInformation\Syscache.
hveMicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyMicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyMicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyvssadminlistshadows/for=[volume]:MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyMicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyShadowcopiescanbeexposedthroughsymboliclinks.
Mklink/dC:\{test-shadow}\\\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyVolumeShadowscanbemounteddirectlyasnetworkshares.
netsharetestshadow=\\.
\HarddiskVolumeShadowCopy11\MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopy>psexec\\[computername]vssadminlistshadows/for=C:>psexec\\[computername]netsharetestshadow=\\.
\HarddiskVolumeShadowCopy20\PsExecv1.
94-Executeprocessesremotely.
.
.
testshadowwassharedsuccessfully.
netexitedon[computername]witherrorcode0.
>robocopy/S/R:1/W:1/LOG:D:\VSStestcopylog.
txt\\[computername]\testshadowD:\vssTestLogFile:D:\VSStestcopylog.
txt.
.
.
MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyOtherwaystocallshadowcopies:–\\localhost\C$\Users\troyla\Downloads(Yesterday,July20,2009,12:00AM)–\\localhost\C$\@GMT-2009.
07.
17-08.
45.
26\–MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyC:\Users\Troyla\Desktop\fau-1.
3.
0.
2390a\fau\FAU.
x64>ddif=\\.
\HarddiskVolumeShadowCopy11of=E:\shadow11.
dd–localwrtTheVistaFirewallFirewallisactivewithexceptions.
Copying\\.
\HarddiskVolumeShadowCopy11toE:\shadow11.
ddOutput:E:\shadow11.
dd136256155648bytes129943+1recordsin129943+1recordsout136256155648byteswrittenSucceeded!
C:\Users\Troyla\Desktop\fau-1.
3.
0.
2390a\fau\FAU.
x64>Shadowcopiescanbeimaged.
MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyImagesofshadowcopiescanbeopenedinforensicstoolsandappearaslogicalvolumes.
MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyDatathathasbeendeletedcanbecapturedbyshadowcopiesandavailableforretrievalinshadowcopyimages.
MicrosoftNetworkSecurityOSArtifacts—VolumeShadowCopyEveryshadowcopydatasetshouldapproximatethesizeoftheoriginalvolume.
Amountofcasedata=(numberofshadowcopies)x(sizeofthevolume)+(sizeofthevolume).
10shadowcopies=692GBMicrosoftNetworkSecurityApplications—I.
E.
8FileSystemsNTFS,FAT32,EXFATFvevol.
sysMount,Partition&VolumeManagersApplications—e.
g.
,I.
E.
,etc.
OSArtifacts"Disk"MicrosoftNetworkSecurityApplications—I.
E.
8"C:\ProgramFiles(x86)\InternetExplorer\iexplore.
exe"-privateMicrosoftNetworkSecurityApplications—I.
E.
8Cachedataappearstobewritten,thendeleted.
MicrosoftNetworkSecurityApplications—I.
E.
8ResidualcachefilesfromInPrivatebrowsing.
MicrosoftNetworkSecurityApplications—I.
E.
8Tabandsessionrecovery—anewsourceforhistoricalbrowsinginformation.
\User\[Account]\AppData\Local\Microsoft\InternetExplorer\RecoveryMicrosoftNetworkSecurityApplications—I.
E.
8Recoveryfile:NotetheStructuredStoragefileformat.
MicrosoftNetworkSecurityApplications—I.
E.
8MicrosoftNetworkSecurity2009MicrosoftCorporation.
Allrightsreserved.
Microsoft,Windows,WindowsVistaandotherproductnamesareormayberegisteredtrademarksand/ortrademarksintheU.
S.
and/orothercountries.
TheinformationhereinisforinformationalpurposesonlyandrepresentsthecurrentviewofMicrosoftCorporationasofthedateofthispresentation.
BecauseMicrosoftmustrespondtochangingmarketconditions,itshouldnotbeinterpretedtobeacommitmentonthepartofMicrosoft,andMicrosoftcannotguaranteetheaccuracyofanyinformationprovidedafterthedateofthispresentation.
MICROSOFTMAKESNOWARRANTIES,EXPRESS,IMPLIEDORSTATUTORY,ASTOTHEINFORMATIONINTHISPRESENTATION.
老薛主机,虽然是第一次分享这个商家的信息,但是这个商家实际上也有存在有一些年头。看到商家有在进行夏季促销,比如我们很多网友可能有需要的香港VPS主机季度及以上可以半价优惠,如果有在选择不同主机商的香港机房的可以看看老薛主机商家的香港VPS。如果没有记错的话,早年这个商家是主营个人网站虚拟主机业务的,还算不错在异常激烈的市场中生存到现在,应该算是在众多商家中早期积累到一定的用户群的,主打小众个人网站...
趣米云怎么样?趣米云是创建于2021年的国人IDC商家,虽然刚刚成立,但站长早期为3家IDC提供技术服务,已从业2年之久,目前主要从事出售香港vps、香港独立服务器、香港站群服务器等,目前在售VPS线路有三网CN2、CN2 GIA,该公司旗下产品均采用KVM虚拟化架构。由于内存资源大部分已售,而IP大量闲置,因此我们本月新增1c1g优惠套餐。点击进入:趣米云官方网站地址香港三网CN2云服务器机型活...
易探云服务器怎么过户/转让?易探云支持云服务器PUSH功能,该功能可将云服务器过户给指定用户。可带价PUSH,收到PUSH请求的用户在接收云服务器的同时,系统会扣除接收方的款项,同时扣除相关手续费,然后将款项打到发送方的账户下。易探云“PUSH服务器”的这一功能,可以让用户将闲置云服务器转让给更多需要购买的用户!易探云服务器怎么过户/PUSH?1.PUSH双方必须为认证用户:2.买家未接收前,卖家...
win7配置为你推荐
8080端口路由器要怎么设置才能使外网访问80;8080端口酒店回应名媛拼单名媛一天到晚都做什么?kaixin.com人人网和开心网互通,可我用的是kaixin001的开心,和kaixin*com不是一个呀!同ip网站查询我的两个网站在同一个IP下,没被百度收录,用同IP站点查询工具查询时也找不到我的网站,是何原因?javmoo.com找下载JAV软件格式的网站百度指数词百度指数为0的词 为啥排名没有www.6vhao.com有哪些电影网站partnersonline国外外贸平台有哪些?www.1diaocha.com哪个网站做调查问卷可以赚钱 啊彪言彪语( )言( )语的词语
国外免费域名网站 pccw unsplash 密码泄露 网站实时监控 大容量存储 phpmyadmin配置 hkt 鲁诺 电信主机 中国电信网络测速 畅行云 浙江服务器 lamp怎么读 免备案jsp空间 聚惠网 godaddy退款 web是什么意思 2016黑色星期五 web服务器有哪些 更多