Transcript Document

Windows Vista What Has Changed
HTCIA Conference
San Diego, California
August 29, 2007
1 ::: Presentation title ::: August 22, 2007
Can you guess the year?
Java was introduced?
Yahoo launched?
Star Trek Voyager?
19??
199?
Vista changes

Starting sector location

Default file and folder locations

Symbolic links

Time and date stamps

Transactional NTFS

Recycle Bin

ReadyBoost

BitLocker

Virtual Registry & Registry transaction logging

Event logs
Master boot record
Partition table

Old location for the VBR is sector 63

New location for the VBR is sector 2048
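To make the sector-63 versus sector-2048 difference concrete, here is an added Python example (not from the slides or from Forensa) that decodes the MBR partition table and reports where the first partition's VBR sits. The MBR bytes are constructed by make_mbr for demonstration; on an image you would read the first 512 bytes of the disk instead.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # the four 16-byte partition entries start at byte 446
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"     # boot signature at bytes 510-511


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four primary entries of a 512-byte MBR sector."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != SIGNATURE:
        raise ValueError("not an MBR: missing 0x55AA signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # byte 0: boot flag, 1-3: CHS start, 4: type, 5-7: CHS end,
        # 8-11: starting LBA (little-endian), 12-15: sector count
        boot, ptype, start_lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:          # empty slot
            continue
        entries.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                        "start_lba": start_lba, "sectors": count,
                        "vbr_byte_offset": start_lba * SECTOR_SIZE})
    return entries


def classify_layout(start_lba: int) -> str:
    """Map the first partition's starting sector to the layout the slides describe."""
    if start_lba == 63:
        return "pre-Vista (VBR at sector 63)"
    if start_lba == 2048:
        return "Vista (VBR at sector 2048)"
    return "other (start sector %d)" % start_lba


def make_mbr(start_lba: int, sectors: int, ptype: int = 0x07) -> bytes:
    """Constructed MBR holding one bootable NTFS (0x07) partition; demo data only."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<B3xB3xII", mbr, TABLE_OFFSET, 0x80, ptype, start_lba, sectors)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    for start in (63, 2048):
        part = parse_partition_table(make_mbr(start, 1_000_000))[0]
        print(part["start_lba"], hex(part["vbr_byte_offset"]),
              classify_layout(part["start_lba"]))
```

The byte offset is what you would seek to in a raw image to find the VBR, which is why the 63 versus 2048 change matters when carving by hand.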
Upgraded VBR
Vista default folder locations

In Windows 2000, XP & 2003, the Documents and Settings folder is where each user's profile is stored along with all their personal documents

In Vista, C:\Users is now used
Vista default user data locations (C:\Users\...\)
Symbolic links

Windows Vista now supports classic Unix-type symbolic links

C:\Documents and Settings is a symbolic link

A reparse point links C:\Documents and Settings to C:\Users
Last access date

The last access dates in Vista are not updated when a file is accessed

Controlled by the registry value named NtfsDisableLastAccessUpdate under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
Transactional NTFS

Transactional NTFS provides transaction logging to NTFS

Allows file system changes to be treated and logged as a "transaction"

NTFS commits the changes IF they are completed successfully

If not, the changes are aborted and rolled back
Volume shadow copy and previous versions
The block-level changes that are saved by the "previous versions" feature are stored in the System Volume Information folder as part of a restore point
Recycle Bin

The contents of the recycle bin have changed in Vista and the name of the folder itself has changed to "$Recycle.bin"

The INFO2 file in Windows 2000/XP/2003 has been removed

In Vista, two files are created when a file is deleted into the recycle bin, and both have the same random-looking name

A file with "$R" at the beginning of the name = the data of the deleted file

A file with "$I" at the beginning of the name = the path where the file originally resided, as well as the date and time it was deleted
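As an added example (not part of the presentation), the following Python decodes a $I record and pairs it with its $R counterpart. The record layout it assumes (8-byte version 1, 8-byte original size, 8-byte FILETIME deletion stamp, 520-byte UTF-16LE path) is the Vista-era format as I know it, not something the slides state; the sample record is constructed by make_i_file rather than taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 544        # 8-byte version + 8-byte size + 8-byte FILETIME + 520-byte path
PATH_BYTES = 520         # 260 UTF-16LE code units, null padded
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_DELETED = datetime(2007, 8, 29, 15, 30, tzinfo=timezone.utc)   # constructed


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_i_file(data: bytes) -> dict:
    """Decode a Vista $I record into original size, deletion time and original path."""
    if len(data) < RECORD_SIZE:
        raise ValueError("truncated $I record (%d bytes)" % len(data))
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        raise ValueError("unexpected $I format version %d" % version)
    path = data[24:24 + PATH_BYTES].decode("utf-16-le").split("\x00", 1)[0]
    return {"original_size": size, "deleted_utc": filetime_to_datetime(ft),
            "original_path": path}


def matching_r_name(i_name: str) -> str:
    """The $I and $R files share everything after the two-character prefix."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name: " + i_name)
    return "$R" + i_name[2:]


def make_i_file(path: str, size: int, deleted: datetime) -> bytes:
    """Build a constructed $I record for demonstration (assumed layout, demo data)."""
    encoded = path.encode("utf-16-le")
    if len(encoded) > PATH_BYTES - 2:
        raise ValueError("path exceeds 259 UTF-16 characters")
    ticks = (deleted - EPOCH_1601) // timedelta(microseconds=1) * 10
    return struct.pack("<QQQ", 1, size, ticks) + encoded.ljust(PATH_BYTES, b"\x00")


if __name__ == "__main__":
    sample = make_i_file(r"C:\Users\alice\Documents\notes.txt", 4096, SAMPLE_DELETED)
    rec = parse_i_file(sample)
    print(rec["original_path"], rec["original_size"], rec["deleted_utc"].isoformat())
    print(matching_r_name("$IX7K2Q1.txt"))
```

Note that the deletion stamp is stored in UTC; convert to the examiner's or the machine's local zone only when presenting it.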
Recycle Bin
ReadyBoost

Allows a user to add virtual memory by using a removable flash drive

Data written to the removable flash disk is encrypted with AES (128- or 256-bit, depending on Group Policy) before being written to the flash disk
Registry virtualization

Vista contains a feature called "registry virtualization" as part of a security enhancement

Any write attempt by a non-administrator to the HKEY_LOCAL_MACHINE\Software registry key(s) causes the system to redirect the write into a virtual store in the user's profile:

HKEY_USERS\<User SID>_Classes\VirtualStore\Machine\Software
http://msdn2.microsoft.com/en-us/library/aa965884.aspx
New Registry files

C:\Boot\BCD
C:\Windows\System32\config\RegBack\SECURITY
C:\Windows\System32\config\RegBack\SOFTWARE
C:\Windows\System32\config\RegBack\DEFAULT
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\COMPONENTS
C:\Windows\System32\config\RegBack\SYSTEM
C:\Windows\System32\config\BCD-Template
C:\Windows\System32\config\COMPONENTS
C:\Windows\System32\config\DEFAULT
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\SOFTWARE
C:\Windows\System32\config\SYSTEM
C:\Windows\winsxs\x86_microsoft-windows-b..-bcdtemplateclient_31bf3856ad364e35_6.0.6000.16386_none_25edb26a062d63a9\BCDTemplate
Windows Event Logs
Translate pre-Vista Event ID numbers to the new Vista Event ID numbers by adding 4096
BitLocker

At the physical level, the volume will be encrypted

At the logical level, the BitLocker-protected volume can be unlocked
Temporary Internet files

The C:\Users\AppData\Local folder contains three additional junctions

This folder structure is where the Internet history information is now stored
Questions?
Contact information
Rich Russell
Forensa
22525 SE 64th Place, Suite 205
Issaquah, WA 98027
www.forensa.com
877.367.3671
[email protected]
ADS exposed!