9.5. Task 9.5: Recovering Previous Versions of Files

Very often, when a system has been compromised, or when you find unacceptable use of a system, the person responsible attempts to cover their tracks by deleting the incriminating evidence, either content within a file or the file itself. It is possible to recover this deleted content using a tool that was introduced with Windows Server 2003 and XP. The tool has two parts: Volume Shadow Copy (the backup portion) and Previous Versions (the recovery portion).

Volume Shadow Copy (VSC) is available only on Server 2008 and Server 2003. Server 2008 servers, Server 2003 servers, and all Microsoft clients (including NT 4, 9x, ME, Windows 2000, XP, and Windows Vista) can recover previous versions of the files from servers. ...
