1. 1 ::: Presentation title ::: August 22, 2007 HTCIA Conference San Diego, California August 29, 2007 Windows Vista What Has Changed

2. 2 ::: Presentation title ::: August 22, 2007 Can you guess the year?

3. 3 ::: Presentation title ::: August 22, 2007 Java was introduced?

4. 4 ::: Presentation title ::: August 22, 2007 Yahoo launched?

5. 5 ::: Presentation title ::: August 22, 2007 Star Trek Voyager?

6. 6 ::: Presentation title ::: August 22, 2007 19??

7. 7 ::: Presentation title ::: August 22, 2007 199?

8. 8 ::: Presentation title ::: August 22, 2007

9. 9 ::: Presentation title ::: August 22, 2007

10. 10 ::: Presentation title ::: August 22, 2007 Vista changes  Starting sector location  Default file and folder locations  Symbolic links  Time and date stamps  Transactional NTFS  Recycle Bin  ReadyBoost  BitLocker  Virtual Registry & Registry transaction logging  Event logs

11. 11 ::: Presentation title ::: August 22, 2007 Master boot record

12. 12 ::: Presentation title ::: August 22, 2007 Partition table Old location for VBR is sector 63 New location for VBR is sector 2048

13. 13 ::: Presentation title ::: August 22, 2007 Upgraded VBR

14. 14 ::: Presentation title ::: August 22, 2007 Vista default folder locations  In Windows 2000, XP & 2003, the Documents and Settings folder is where each user’s profile is stored along with all their personal documents  In Vista, C:\Users is now used

15. 15 ::: Presentation title ::: August 22, 2007 Vista default user data locations (C:\Users\...\)

16. 16 ::: Presentation title ::: August 22, 2007 Symbolic links  Windows Vista now supports classic Unix-type Symbolic links  C:\Documents and Settings is a symbolic link  Reparse point links C:\Documents and Settings to C:\Users

17. 17 ::: Presentation title ::: August 22, 2007 Last access date  The last access dates in Vista are not updated when a file is accessed  Registry named NtfsDisableLastAccessUpdate under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\C ontrol\FileSystem

18. 18 ::: Presentation title ::: August 22, 2007 Transactional NTFS  Transactional NTFS provides transaction logging to NTFS  Allows file system changes to be treated and logged as a “transaction”  NTFS commits the changes IF they are completed successfully  If not the changes are aborted and rolled back

19. 19 ::: Presentation title ::: August 22, 2007 Volume shadow copy and previous versions The block level changes that are saved by the “previous version” feature are stored in the System Volume Information folder as part of a restore point

20. 20 ::: Presentation title ::: August 22, 2007 Recycle Bin  The contents of the recycle bin has changed in Vista and the name of the folder itself has changed to”$Recycle.bin”  The INFO2 file in Windows 2000/XP/2003 has been removed  In Vista, two files are created when a file is deleted into the recycle bin—both have the same random looking name  A file with an “$R” at the beginning of the name = the data of the deleted file  A files with an “$I” at the beginning of the name = the path the file originally resided, as well as the date and time it was deleted

21. 21 ::: Presentation title ::: August 22, 2007 Recycle Bin

22. 22 ::: Presentation title ::: August 22, 2007 ReadyBoost  Allows a user to add virtual memory by using a removable flash drive  Data that is written to the removable flash disk is encrypted using AES-128 or 256 bit (depending on Group Policy) encryption before being written to the flash disk

23. 23 ::: Presentation title ::: August 22, 2007 Registry virtualization  Vista contains a feature called “registry virtualization” as part of a security enhancement  Any write attempt by a non administrator to the: HKEY_LOCAL_MACHINE\Software registry key(s) causes the system to redirect the write into a virtual store in the user’s profile:  HKEY_USERS\ _Classes\VirtualStore\Machine\Software http://msdn2.microsoft.com/en-us/library/aa965884.aspx

24. 24 ::: Presentation title ::: August 22, 2007 New Registry files  C:\Boot\BCD  C:\Windows\System32\config\RegBack\SECURITY  C:\Windows\System32\config\RegBack\SOFTWARE  C:\Windows\System32\config\RegBack\DEFAULT  C:\Windows\System32\config\RegBack\SAM  C:\Windows\System32\config\RegBack\COMPONENTS  C:\Windows\System32\config\RegBack\SYSTEM  C:\Windows\System32\config\BCD-Template  C:\Windows\System32\config\COMPONENTS  C:\Windows\System32\config\DEFAULT  C:\Windows\System32\config\SAM  C:\Windows\System32\config\SECURITY  C:\Windows\System32\config\SOFTWARE  C:\Windows\System32\config\SYSTEM  C:\Windows\winsxs\x86_microsoft-windows-b..-bcdtemplate- client_31bf3856ad364e35_6.0.6000.16386_none_25edb26a062d63a9\BCD- Template

25. 25 ::: Presentation title ::: August 22, 2007 Windows Event Logs Translate pre-Vista Event ID numbers to the new Vista event ID numbers by adding 4096

26. 26 ::: Presentation title ::: August 22, 2007 BitLocker  At the physical level, the volume will be encrypted  At the logical level, the BitLocker protected volume can be unlocked

27. 27 ::: Presentation title ::: August 22, 2007 Temporary Internet files  The C:\Users\AppData\Local folder contains three additional Junctions  This folder structure is where the Internet history information is now stored

28. 28 ::: Presentation title ::: August 22, 2007 Questions?

29. 29 ::: Presentation title ::: August 22, 2007 Contact information Rich Russell Forensa 22525 SE 64th Place, Suite 205 Issaquah, WA 98027 www.forensa.com www.forensa.com 877.367.3671 rich@forensa.com rich@forensa.com

30. 30 ::: Presentation title ::: August 22, 2007 ADS exposed!