
Mastering Windows Network Forensics and Investigation, 2nd Edition by Scott Pearson, Ryan Johnson, Steve Bunting, Steven Anson


Analyzing Volume Shadow Copies for Registry Settings

Compared with Windows XP, Windows Vista and Windows 7 greatly expanded the set of files tracked by the system restore process. Windows XP restore points used a file extension filter and typically watched for changes only in the files that matched it. When changes were detected under the appropriate circumstances, copies of those files were made and stored in the restore point folders. In Vista and beyond, restore points use the VSS process, which takes a snapshot of the whole volume. Every file that has changed since the last snapshot was taken gets captured in the volume shadow copy, and these shadow copies feed the restore point data. The volume snapshots still find their ...
