Restore Points can hold important clues, because "System Protection" for volume C is enabled in the Windows default settings. Most user data lives in "My Documents", "Desktop" and "Favorites", and volume C also holds many Windows artifacts, so forensic examiners understand the value of a Restore Point. Windows 10, however, differs from Windows 7/8 in this feature: "System Protection" is disabled in the Win10 default settings, which means there are no Restore Points at all unless you enable the feature manually.

Everybody knows that ordinary users could not care less whether "System Protection" is enabled or not, but to forensic examiners having this feature enabled by default is very important. Now I will turn it on and show you how to take advantage of it.

With this feature on, the system creates Restore Points automatically, and of course we can also create a Restore Point manually. Let me show you how to discover how many Restore Points exist on volume C.

As you can see, there is one Restore Point on volume C. We can use vss.exe to mount this Restore Point.

The drive letter I use is "S". But where is "S:"? I could not see volume S in My Computer. All you have to do is use a forensic tool such as FTK Imager to look for volume S.

So volume S is the shadow of volume C, which means we have a chance to find the original content of data that was modified or removed recently. Now that "System Protection" is disabled by default, I wonder why Microsoft changed this feature. Is there anything we can do about this issue? My suggestion is that IT administrators use Group Policy to enable this feature so as to preserve and protect digital evidence.
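The procedure above (enable System Protection, create a Restore Point, find the shadow copy of C and expose it to a forensic tool), as an added PowerShell example that is not part of the original post and uses only built-in cmdlets instead of vss.exe. It assumes an elevated PowerShell on Windows 10; the mount folder C:\vss_mount is a hypothetical path chosen here.

```powershell
# Added example (not from the original post). Enable System Protection on C:,
# create a Restore Point, enumerate the shadow copies backing C:, and expose the
# newest one read-only through a directory link so a forensic tool can read it.
# Assumes an elevated PowerShell on Windows 10; C:\vss_mount is a hypothetical path.
#Requires -RunAsAdministrator

# 1. Turn System Protection on for C: (off by default on Win10, as the post notes).
#    The equivalent for a fleet is the "Turn off System Restore" policy under
#    Computer Configuration > Administrative Templates > System > System Restore.
Enable-ComputerRestore -Drive 'C:\'

# 2. Create a Restore Point manually. Windows 8 and later only create one per
#    24 hours unless SystemRestorePointCreationFrequency is lowered, so a second
#    call inside that window silently does nothing.
Checkpoint-Computer -Description 'Forensic baseline' -RestorePointType 'MODIFY_SETTINGS'

# 3. List the Restore Points, then the shadow copies that belong to volume C.
#    Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID share the \\?\Volume{GUID}\ form.
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, CreationTime -AutoSize

$cVolume = Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq 'C:'
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object VolumeName -eq $cVolume.DeviceID |
    Sort-Object InstallDate
$shadows | Format-Table ID, InstallDate, DeviceObject -AutoSize

# 4. Expose the newest shadow copy as a folder: a read-only view of C: as it was
#    when the Restore Point was taken. The trailing backslash on the device path
#    is required for mklink to resolve it.
$newest = $shadows | Select-Object -Last 1
$mount  = 'C:\vss_mount'
if ($newest -and -not (Test-Path $mount)) {
    cmd /c "mklink /d $mount $($newest.DeviceObject)\" | Out-Null
    # Earlier versions of the user profiles are now visible under the link.
    Get-ChildItem "$mount\Users" -ErrorAction SilentlyContinue | Select-Object Name
}

# Remove only the link when finished; the shadow copy itself is untouched.
# cmd /c rmdir $mount
```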
