
Microsoft Windows Vista Forensics

Sergeant Daniel M. Purcell
Economic and Computer Crimes Unit
Seminole County Sheriff’s Office

Time: Tuesday, Nov. 13, 6 – 7:30 pm
Location: Rm. 102, National Center for Forensic Science in the Research Park (see directions at http://www.ncfs.org/directions.html)
Contact: Dr. Lang, 207 Harris Engineering Center, (407)823-2474

Abstract:

Microsoft’s newest operating system, Windows Vista, presents a new era of challenges for computer forensic examiners. Vista was released to the public in early 2007. With the introduction of new technologies and changes to existing operating system components, forensic examiners must understand the fundamental concepts of the operating system and how to identify and decode its on-disk and logical structures. Government and private training courses are beginning to evolve, but there is still much to learn about Windows Vista.

Currently, many computer forensic examiners are encountering digital media with Windows Vista installed and attempting to examine and analyze the data for criminal investigations. Without a full understanding of how the operating system or file system handles the data or specific functions, examiners may draw incorrect conclusions or offer incorrect explanations of a given artifact. In addition, examiners must be able to test and validate their forensic software tools to ensure the data is being interpreted correctly. Understanding the operating system is paramount for a forensic examiner. Although it is impossible to know every aspect of the operating system, a good understanding of the core components and “forensic artifacts” is extremely important.

This talk will address several components of the NTFS file system that are part of Windows Vista and various operating system components that have changed since the previous versions of Microsoft’s operating system line, Windows XP and Windows Server 2003. Specifically, I will discuss the overall functionality and on-disk structure of the NTFS file system, physical and logical structures, file slack, new features of NTFS, directory structure changes (default locations), the Recycle Bin, Windows Mail (the replacement for Outlook Express), thumbnail caching for folders, “ReadyBoost”, the paging file (virtual memory), link files, and print spooling. While there are numerous other features and artifacts in Windows Vista, the scope of this talk will be limited to the topics mentioned.

University Of Central Florida | Orlando, Florida 32816-2362 Phone: 407-823-2341