Analyzing Volume Shadow Copies for Registry Settings
Unlike the way that Windows XP deals with restore points, Windows Vista and 7 greatly expanded the files that were tracked by the system restore process. Windows XP restore points used a file extension filter and typically only watched for changes in those files. When changes are detected under the appropriate circumstances, copies are made of those files and stored in the restore point folders. In Vista and beyond, the restore points use the VSS process that takes a snapshot of the whole volume. Every file that has changed from the last time a snapshot was taken gets captured in the volume shadow copy, and these shadow copies feed the restore point data. The volume snapshots still find their ...
Get Mastering Windows Network Forensics and Investigation, 2nd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.