87
System volume information folders
system needs more RAM than is available, some of it can be written to a page file
before being released and freeing physical memory. When the information in the
page file is required by a running process, it is retrieved back into memory from the
file. Since the file contains data which has been held in RAM, it can be an invalu-
able source
of evidence for the examiner, e.g., contraband images, passwords, digital
signatures, and so forth. All of the previously mentioned forensic tools, e.g., Encase,
FTK and Autopsy are capable of carving the
pagefil.sys
file to allow viewing and
extracting of evidence from it.
SYSTEM VOLUME INFORMATION FOLDERS
Operating systems from XP onwards have a feature call system restore. System re-
store holds a “snapshot” of the state of important operating system e.g., Windows,
files on a hard drive at any given time. If something goes wrong with the PC, a
failed installation of some software for instance, which causes the PC to become
inoperable or unstable, it can be “rolled back,” that is to say restored to this snap
shot. The previous versions of the files would be recovered and the PC should be-
come functional again. The native default behavior is that these snapshots are cre-
ated on Windows 7 once a week and at the start of a software installation process.
Alternatively they can be set manually. System restore
has a fixed amount of space
which is used for storing the restore points and will save as many as it can into
that space on a round robin basis, with the oldest restore points being overwritten
with the latest ones. The amount of space is configurable, but is 15% as a default
in Windows Vista and 7.
From a forensic perspective these snapshots may contain copies of files which
have subsequently been deleted or modified. Of significance when considering
this is that copies of files which have become encrypted
may still exist in sys-
tem volume information folders in an unencrypted state. Thus, while it is often
infeasible to decrypt certain files, it may be possible to find a copy of them unen-
crypted in the system volume information folders. The snapshots include backups
of the registry, Windows system files (in the
\Windows
folder) and the local us-
ers profile. The users profile contains artifacts including
any files stored in the
“My Documents” area, application settings, internet favorites, the user’s desktop
(including any files saved to it), internet cookies, links to shared folders, and the
recycle bin. The later can be particularly lucrative
as the suspect may have emp-
tied the live system’s recycle bin yet be unaware that the files are still captured in
recycle bin in the system volume information folders. System volume information
folders sit on the root of the hard drive within a folder named “System Volume
Information.” Within this folder a separate volume copy set exists for each of the
restore points created. Many forensic tools are capable of parsing the informa-
tion in system volume information folders natively. Alternatively,
the folders can
be mounted as drives manually. The process for doing this is well recognized,
with a step-by-step procedure documented in Microsoft’s knowledge base article