We could find some important clue in Restore Point because "System Protection" of volume C is enabled in Windows default settings. Lots of data in "My Documents", "Desktop", and "Favorotes". Further more lots of Windows artifacts exists in volume C, and forensic guys understand the importance of Restore Point. But Win10 is different from Win7/8 in this feature. "System Protection" becomes disabled in Win10  default settings. That means there is no any Restore Point unless you enable that feature manually.

Everybody knows that user couldn't care less whether "System Protection" is enabled or not. But to forensic guys this feature default enabled is very important. Now I turn it on and show you how to take advantage of this feature.

With this feature on system will create Restore Point automatically. Of course we could create Restore Point manually. Let me show you how to discover how many Restore Point in volume C.

As you could see there is one Restore Point in volume C. We could use vss.exe to mount this Restore Point.

The driver letter I use is "S". But where is "S:"??? I could not see this volume S in my computer??? All you have to do is to use forensic tool like FTK Imager to look for volume S.

So volume S is the shadow of volume C. That means we got the chance to find the original content of data being modified or removed recently. Now this feature "System Protection" is disabled in default. I wonder why Microsoft change this feature. Is there any thing we could do to solve this issue? My suggestion is that IT administrators should use group policy to enable this feature so as to perserve and protect digital evidence.

---恢复内容结束---

"System Protection" is disabled in Win10 default settings的更多相关文章

  1. General-Purpose Operating System Protection Profile

    1 Protection Profile Introduction   This document defines the security functionality expected to be ...

  2. 【SecureCRT配置】修改默认卷屏行数当做一个操作,屏幕输出有上百行,当需要将屏幕回翻时,这个设置会有很大帮助,默认为500行,可以改为10000行,不用担心找不到了。 选项 => 全局选项 => Default Session => Edit Default Settings => Terminal => Emulation => Scrollback 修改为32000。

    SecureCRT配置屏幕内容输出到log文件 SecureCRT看不到前几分钟操作的内容,或者想把通过vi命令查看的日志输出到log文件(在懒得下载日志文件的情况下),所以接下来就这样操作: 文件保 ...

  3. IntelliJ IDEA default settings 全局默认设置

    可以通过以下两个位置设置IDEA的全局默认设置: 以后诸如默认的maven配置就不需要每次都重复配置了?

  4. 解决sublime3不能编辑插件default settings的问题

    一.遇见问题 今天给sublime安装了View In Browser,想更改一下默认启动的浏览器 preferences-Package settings-View In Browser-setti ...

  5. ovirt user guide

    Contents [hide]  1 ⁠Accessing the User Portal 1.1 Logging in to the User Portal 1.2 Logging out of t ...

  6. [转载]Getting Started with ASP.NET vNext and Visual Studio 14

    说在转载之前的话:ASP.NET框架之前不断做大,而vNext则是从头开始,对ASP.NET框架进行拆分并瘦身,面对不同的需求而更加灵活,各个拆分出来的模块更加轻量.vNext的出现,对ASP.NET ...

  7. Subline Text默认设置文件Preferences.sublime-settings—Default详解

    Subline Text中,点击Preferences,选择Settings - Default 全部属性解析 // While you can edit this file, it's best t ...

  8. PHP 在WIN10 下配置

    apache: https://www.apachehaus.com/ php: https://windows.php.net/ https://windows.php.net/ 集成安装配置版:h ...

  9. win10改win7如何设置bios教程

    情况一: 我们按del键(百度自己电脑.主板如何进入bios)进入主板bios后,我们通过键盘将选项移动到 Authentication 菜单(bios界面各不相同,可能不在此项,找到对应 secur ...

随机推荐

  1. Android开发中的输入合法性检验

    Why ? 合法性检查对于程序的健壮性具有重要作用.在Android开发中,良好的合法性检查设计机制可以使程序更加清晰,产生bug更少,交互更加友好. What ? 合法性检查的目的在于确定边界.对于 ...

  2. hdu 1010 深搜+剪枝

    深度搜索 剪枝 还不是很理解 贴上众神代码 //http://blog.csdn.net/vsooda/article/details/7884772#include<iostream> ...

  3. Hibernate3 和Hibernate4 在配置文件上的区别

    在使用hibernate之前要首先对hibernate进行一些基础的配置信息,像映射文件XXX.hbm.xml  XXX代表当前的domain的模型类名 <?xml version=" ...

  4. TOMCAT 无法安装P7B格式的证书

    背景:通过按以下链接的方式生成了CSR文件,并申请到P7B格式的证书 现象:TOMCAT安装该证书时,要求输入Keystore key, 但是P7B证书自身并不携带私钥.导致无法通过TOMCAT安装该 ...

  5. SQLSERVER系统视图,系统表,sys.sql_modules视图

    SQLServer中提供了相当丰富的系统视图,能够从宏观到微观,从静态到动态反应数据库对象的存储结果.系统性能.系统等待事件等等.同时 也保留了与早期版本兼容性的视图,主要差别在于SQLServer2 ...

  6. 从头开始db-oracle

    rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpmrpm -ivh http: ...

  7. mybatis与 Exception

    mybatis将所有的异常全部包成了运行时异常,减少在高层代码中频繁的try-catch导致的代码臃肿问题.Persistence是它们共有的父类,继承自RuntimeException非检查型异常. ...

  8. Linux LVM硬盘管理之二:创建逻辑卷步骤

    创建逻辑卷(LV)的顺序:Linux分区---物理卷(PV)---卷组(VG)---逻辑卷(LV)---挂载到文件系统 删除逻辑卷(LV)的顺序:卸载文件系统----逻辑卷(LV)---卷组(VG)- ...

  9. ETL利器Kettle实战应用解析系列二 【应用场景和实战DEMO下载】

    本文主要阅读目录如下: 1.应用场景 2.DEMO实战 3.DEMO下载 1.应用场景 这里简单概括一下几种具体的应用场景,按网络环境划分主要包括: 表视图模式:这种情况我们经常遇到,就是在同一网络环 ...

  10. api接口签名验证

    由于http是无状态的,所以正常情况下在浏览器浏览网页,服务器都是通过访问者的cookie(cookie中存储的jsessionid)来辨别客户端的身份的,当客户端进行登录服务器也会将登录信息存放在服 ...