We could find some important clue in Restore Point because "System Protection" of volume C is enabled in Windows default settings. Lots of data in "My Documents", "Desktop", and "Favorotes". Further more lots of Windows artifacts exists in volume C, and forensic guys understand the importance of Restore Point. But Win10 is different from Win7/8 in this feature. "System Protection" becomes disabled in Win10  default settings. That means there is no any Restore Point unless you enable that feature manually.

Everybody knows that user couldn't care less whether "System Protection" is enabled or not. But to forensic guys this feature default enabled is very important. Now I turn it on and show you how to take advantage of this feature.

With this feature on system will create Restore Point automatically. Of course we could create Restore Point manually. Let me show you how to discover how many Restore Point in volume C.

As you could see there is one Restore Point in volume C. We could use vss.exe to mount this Restore Point.

The driver letter I use is "S". But where is "S:"??? I could not see this volume S in my computer??? All you have to do is to use forensic tool like FTK Imager to look for volume S.

So volume S is the shadow of volume C. That means we got the chance to find the original content of data being modified or removed recently. Now this feature "System Protection" is disabled in default. I wonder why Microsoft change this feature. Is there any thing we could do to solve this issue? My suggestion is that IT administrators should use group policy to enable this feature so as to perserve and protect digital evidence.

---恢复内容结束---

"System Protection" is disabled in Win10 default settings的更多相关文章

  1. General-Purpose Operating System Protection Profile

    1 Protection Profile Introduction   This document defines the security functionality expected to be ...

  2. 【SecureCRT配置】修改默认卷屏行数当做一个操作,屏幕输出有上百行,当需要将屏幕回翻时,这个设置会有很大帮助,默认为500行,可以改为10000行,不用担心找不到了。 选项 => 全局选项 => Default Session => Edit Default Settings => Terminal => Emulation => Scrollback 修改为32000。

    SecureCRT配置屏幕内容输出到log文件 SecureCRT看不到前几分钟操作的内容,或者想把通过vi命令查看的日志输出到log文件(在懒得下载日志文件的情况下),所以接下来就这样操作: 文件保 ...

  3. IntelliJ IDEA default settings 全局默认设置

    可以通过以下两个位置设置IDEA的全局默认设置: 以后诸如默认的maven配置就不需要每次都重复配置了?

  4. 解决sublime3不能编辑插件default settings的问题

    一.遇见问题 今天给sublime安装了View In Browser,想更改一下默认启动的浏览器 preferences-Package settings-View In Browser-setti ...

  5. ovirt user guide

    Contents [hide]  1 ⁠Accessing the User Portal 1.1 Logging in to the User Portal 1.2 Logging out of t ...

  6. [转载]Getting Started with ASP.NET vNext and Visual Studio 14

    说在转载之前的话:ASP.NET框架之前不断做大,而vNext则是从头开始,对ASP.NET框架进行拆分并瘦身,面对不同的需求而更加灵活,各个拆分出来的模块更加轻量.vNext的出现,对ASP.NET ...

  7. Subline Text默认设置文件Preferences.sublime-settings—Default详解

    Subline Text中,点击Preferences,选择Settings - Default 全部属性解析 // While you can edit this file, it's best t ...

  8. PHP 在WIN10 下配置

    apache: https://www.apachehaus.com/ php: https://windows.php.net/ https://windows.php.net/ 集成安装配置版:h ...

  9. win10改win7如何设置bios教程

    情况一: 我们按del键(百度自己电脑.主板如何进入bios)进入主板bios后,我们通过键盘将选项移动到 Authentication 菜单(bios界面各不相同,可能不在此项,找到对应 secur ...

随机推荐

  1. 关于javascript中闭包的理解

    闭包就是能够读取其他函数内部变量的函数. 在javascript中,只有函数内部的子函数可以读取局部变量,因此,我理解闭包就是定义在一个函数内部的函数. 例子: var f1 = function() ...

  2. eclipse android sdk content loader一直显示0%的问题解决

    今天上班启动eclipse,发现eclipse 一直卡在android sdk content loader的地方,一直显示为0%.百度后发现很多都是一下解决方法:  关闭Eclipse,删掉Ecli ...

  3. jsp静态、动态引入其他jsp

    1. <%@ include file="page.jsp"%> /*静态引入,内容必须写成固定值*/    在servlet容器转化jsp为servlet时,将引入的 ...

  4. 64位系统里的IIS运行32位ODP.NET的方法

    在64位Win7里的IIS里部署使用了ODP.NET的网站,Oracle的版本是11.20.3.20.直接部署会提示错误:在64位环境里使用了32位的程序.自己折腾了两天,最后才从别人的博客里找到解决 ...

  5. 迭代器模式(Iterator Pattern)

    迭代器模式(Iterator),提供一种方法顺序访问一个聚合对象中的各种元素,而又不暴露该对象的内部表示. 迭代器模式(Iterator)就是分离了聚合对象的遍历行为,抽象出一个迭代器来负责这样既可以 ...

  6. 获取字符串中img标签的url集合(转载)

    /// <summary> /// 获取字符串中img的url集合 /// </summary> /// <param name="content"& ...

  7. 读取DBF文件数据

    #region 返回DBF表 public static System.Data.DataTable getDTFromDBF(string fullPath) { string pDir = Sys ...

  8. jQuery EasyUI:根据数据库内容生成适合于easyui-tree的JSON数据格式

    1,jQuery EasyUI中easyui-tree特定的JSON数据格式 [ {"id":1,"text":"某公司","ch ...

  9. LeetCode "Largest Divisible Subset" !

    Very nice DP problem. The key fact of a mutual-divisible subset: if a new number n, is divisible wit ...

  10. 微信开发之移动手机WEB页面(HTML5)Javascript实现一键拨号及短信发送功能

    在做一个微信的微网站中的一个便民服务电话功能的应用,用到移动web页面中列出的电话号码,点击需要实现调用通讯录,网页一键拨号的拨打电话功能. 如果需要在移动浏览器中实现拨打电话,发送email,美国服 ...