Cyber Crime and Cyber Terrorism


Cyber crime and cyber terrorism investigators handbook by Babak

Table 7.3  HKEY Functions

HKEY   HKEY Function
HKLM   Contains the system's installed hardware, software and boot information
HKU    Contains the settings for all currently active user profiles on the system
HKCU   A symbolic link to HKU for your user ID, i.e., the account you are logged in with
HKCR   A symbolic link to an HKLM key containing file type and extension information
HKCC   A link to HKLM for the hardware profile in use
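The link relationships in Table 7.3 can be confirmed on a live system. The following PowerShell is an added example, not code from the handbook; it assumes an ordinary (non-elevated) PowerShell 5.1 or later session on Windows and only reads the registry. It resolves HKCU to the matching HKU\<SID> subkey, lists the profiles loaded under HKU, and reads the same file-type information through HKCR and the HKLM Classes key it is built from.

```powershell
# Added example (not from the handbook): show how the HKEY roots in Table 7.3
# relate to each other on a live Windows system. Read-only; nothing is written.

# HKCU is HKU\<SID of the logged-on account>
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
"HKCU resolves to HKU\$sid"

# Prove the link: the same value read through both roots.
# 'Volatile Environment' is created by Windows for every interactive logon.
$viaHKCU = (Get-ItemProperty -Path 'HKCU:\Volatile Environment').USERNAME
$viaHKU  = (Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\Volatile Environment").USERNAME
"USERNAME via HKCU: $viaHKCU  via HKU: $viaHKU  identical: $($viaHKCU -eq $viaHKU)"

# HKU holds one subkey per loaded user profile (plus .DEFAULT and the *_Classes keys)
"Profiles currently loaded under HKU:"
Get-ChildItem -Path 'Registry::HKEY_USERS' | Select-Object -ExpandProperty PSChildName

# HKCC is a link into the 'Current' hardware profile stored under HKLM
"Hardware profile (HKCC target) subkeys under HKLM:"
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Hardware Profiles\Current' |
    Select-Object -ExpandProperty PSChildName

# HKCR is a merged view of the machine-wide Classes key in HKLM and the
# per-user Classes key in HKCU; the default value of an extension key is its ProgID.
$viaHKCR = (Get-Item -Path 'Registry::HKEY_CLASSES_ROOT\.txt').GetValue('')
$viaHKLM = (Get-Item -Path 'HKLM:\SOFTWARE\Classes\.txt').GetValue('')
".txt ProgID via HKCR: $viaHKCR  via HKLM\SOFTWARE\Classes: $viaHKLM"
```

For an examiner working on a dead disk rather than a live system, the point of the exercise is the reverse: HKCU and HKCC do not exist on disk as separate hives, so the corresponding data has to be located through HKU (the user's NTUSER.DAT) and HKLM respectively.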


system needs more RAM than is available, some of it can be written to a page file before being released, freeing physical memory. When the information in the page file is required by a running process, it is retrieved back into memory from the file. Since the file contains data which has been held in RAM, it can be an invaluable source of evidence for the examiner, e.g., contraband images, passwords, digital signatures, and so forth. All of the previously mentioned forensic tools, e.g., EnCase, FTK and Autopsy, are capable of carving the pagefile.sys file to allow viewing and extracting of evidence from it.
SYSTEM VOLUME INFORMATION FOLDERS
Operating systems from XP onwards have a feature called System Restore. System Restore holds a “snapshot” of the state of important operating system (e.g., Windows) files on a hard drive at a given time. If something goes wrong with the PC, a failed installation of some software for instance, which causes the PC to become inoperable or unstable, it can be “rolled back,” that is to say restored to this snapshot. The previous versions of the files would be recovered and the PC should become functional again. The native default behavior on Windows 7 is that these snapshots are created once a week and at the start of a software installation process. Alternatively they can be created manually. System Restore has a fixed amount of space which is used for storing the restore points and will save as many as it can into that space on a round-robin basis, with the oldest restore points being overwritten by the latest ones. The amount of space is configurable, but is 15% by default in Windows Vista and 7.

From a forensic perspective these snapshots may contain copies of files which have subsequently been deleted or modified. Of particular significance is that copies of files which have since become encrypted may still exist in system volume information folders in an unencrypted state. Thus, while it is often infeasible to decrypt certain files, it may be possible to find an unencrypted copy of them in the system volume information folders. The snapshots include backups of the registry, Windows system files (in the \Windows folder) and the local user's profile. The user's profile contains artifacts including any files stored in the “My Documents” area, application settings, internet favorites, the user's desktop (including any files saved to it), internet cookies, links to shared folders, and the recycle bin. The latter can be particularly lucrative, as the suspect may have emptied the live system's recycle bin yet be unaware that the files are still captured in the recycle bin within the system volume information folders. System volume information folders sit on the root of the hard drive within a folder named “System Volume Information.” Within this folder a separate volume copy set exists for each of the restore points created. Many forensic tools are capable of parsing the information in system volume information folders natively. Alternatively, the folders can be mounted as drives manually. The process for doing this is well recognized, with a step-by-step procedure documented in Microsoft's knowledge base article
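On Vista and 7 the restore points held under System Volume Information are Volume Shadow Copies, and the manual mounting the text refers to amounts to exposing one of them as a directory. The following PowerShell is an added example, not the handbook's or Microsoft's procedure; it assumes an elevated session on the live system, and the mount-point path C:\vss_snapshot is a constructed name. It enumerates the snapshots, links the oldest one into the file system, and lists the artifact locations the text names (registry backups, \Windows files, user profiles and the recycle bin) as they sit inside the snapshot.

```powershell
# Added example (not from the handbook): enumerate the restore-point snapshots
# that Vista/7 keep under \System Volume Information as Volume Shadow Copies and
# expose one as a browsable directory. Requires an elevated session.
# The directory symbolic link is created with mklink; the shadow copy itself is
# not modified.

# 1. List snapshots: creation time, the volume covered, and the device path used to reach them
$snapshots = Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object -Property InstallDate |
    Select-Object -Property ID, InstallDate, VolumeName, DeviceObject
$snapshots | Format-Table -AutoSize

# 2. Take the oldest snapshot: the one most likely to predate a deletion or encryption event
$oldest = $snapshots | Select-Object -First 1
if (-not $oldest) { throw 'No shadow copies exist on this system' }

# 3. Mount it as a directory. The trailing backslash on the device path is required.
$mountPoint = 'C:\vss_snapshot'   # constructed example path
cmd.exe /c mklink /d $mountPoint "$($oldest.DeviceObject)\" | Out-Null

# 4. The artifact locations the text describes, as they exist inside the snapshot
"Registry hive copies:"
Get-ChildItem -Path "$mountPoint\Windows\System32\config" -Filter 'S*' |
    Where-Object { $_.Name -in @('SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM') }
"User profiles:"
Get-ChildItem -Path "$mountPoint\Users" -Directory |
    Select-Object -ExpandProperty Name
"Recycle bin contents in the snapshot (per-user SID folders):"
Get-ChildItem -Path "$mountPoint\`$Recycle.Bin" -Force -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name

# 5. Remove the link when finished (the snapshot remains untouched):
#    cmd.exe /c rmdir $mountPoint
```

Working on a forensic image rather than the live machine, the same device paths are not available; there the shadow-copy parsing built into the forensic tools mentioned earlier, or a volume-shadow parsing library, takes the place of step 3.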


