Difference between revisions of "Windows Vista"

From ForensicsWiki
(See Also)
(Prefetch)
(9 intermediate revisions by the same user not shown)
Line 13: Line 13:
 
== File System ==  
 
== File System ==  
 
The file system used by Windows Vista is primarily [[NTFS]].
 
The file system used by Windows Vista is primarily [[NTFS]].
 +
 +
In Windows Vista, NTFS no longer tracks the Last Access time of a file by default. This feature can be enabled by setting the NtfsDisableLastAccessUpdate value to '0' in the Registry key:
 +
<pre>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem</pre>
 +
 +
Note that this feature has been around since as early as Windows 2000 [http://technet.microsoft.com/en-us/library/cc959914.aspx].
 +
 +
== [[Prefetch]] ==
 +
Note that the prefetch hash function is different then that of [[Windows XP]].
 +
 +
The [[Windows Prefetch File Format]] was changed to version 23.
 +
 +
== Registry ==
 +
The [[Windows_Registry|Windows Registry]] remains a central component of the Windows Vista operating system.
  
 
== See Also ==
 
== See Also ==
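Review bot: in the added Prefetch paragraph, "different then that of" should read "different than that of". The Last Access note is also ambiguous about what "this feature" refers to: the cited TechNet page documents the NtfsDisableLastAccessUpdate value, so it would be clearer to say that the registry value has existed since Windows 2000, while turning the Last Access update off by default is what is new in Vista (as the preceding sentence states).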
Line 20: Line 33:
  
 
== External Links ==
 
== External Links ==
==== ReadyBoost ====
+
* [https://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf Windows Vista Network Attack Surface Analysis], James Hoagland, Matt Conover, Tim Newsham, Ollie Whitehouse
* [http://en.wikipedia.org/wiki/ReadyBoost Wikipedia: ReadyBoost]
+
* [http://windowsir.blogspot.ch/2013/04/plugin-emdmgmt.html Plugin: EMDMgmt], by [[Harlan Carvey]], April 05, 2013
+
* [http://hackingexposedcomputerforensicsblog.blogspot.ch/2013/08/daily-blog-65-understanding-artifacts.html Understanding the artifacts EMDMgmt], by [[David Cowen]], August 27, 2013
+
  
 
[[Category:Operating systems]]
 
[[Category:Operating systems]]
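Review bot: the two added EMDMgmt links are placed under "==== ReadyBoost ====", a level-4 heading sitting directly beneath the level-2 "== External Links ==", so the level-3 step is skipped; renaming it to "=== ReadyBoost ===" keeps the outline consistent with the rest of the page.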

Revision as of 13:18, 20 October 2013

New Features

File System

The file system used by Windows Vista is primarily NTFS.

In Windows Vista, NTFS no longer updates the Last Access time of a file by default. Last Access updating can be re-enabled by setting the NtfsDisableLastAccessUpdate value to '0' in the Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

Note that the NtfsDisableLastAccessUpdate value has existed since as early as Windows 2000 [1]; what changed in Vista is the default.

Prefetch

Note that the prefetch hash function is different than that of Windows XP.

The Windows Prefetch File Format was changed to version 23.
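The following Python is an added example, not content from the wiki page or from any tool it references. It implements the XP/2003 and the Vista/7 prefetch filename hash as publicly documented in the libscca Windows Prefetch File format specification, so an examiner can recompute the hash in a .pf filename from the executable's device path and see why an XP-era computation will not match a Vista prefetch file. The device path and executable name used at the bottom are constructed sample values, not real artifacts.

```python
"""Prefetch (.pf) filename hashes for Windows XP/2003 and Windows Vista/7.

Added example, not code from the ForensicsWiki page. Both hashes walk the
upper-case NT device path of the executable one UTF-16 code unit at a time;
they differ in the seed and in the post-processing applied at the end.
"""

MASK32 = 0xFFFFFFFF


def normalize_path(path: str) -> str:
    """The hash is computed over the upper-case NT device path, e.g.
    \\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE."""
    return path.upper()


def prefetch_hash_xp(path: str) -> int:
    """Windows XP / Server 2003 hash: seed 0, multiply-add by 37, then a
    final multiply, sign fold and modulo step."""
    h = 0
    for ch in path:
        h = (h * 37 + ord(ch)) & MASK32
    h = (h * 314159269) & MASK32
    if h > 0x80000000:          # fold the value back into the positive range
        h = 0x100000000 - h
    return (h % 1000000007) & MASK32


def prefetch_hash_vista(path: str) -> int:
    """Windows Vista / 7 hash: same multiply-add loop, but seeded with 314159
    and without the XP post-processing (this is the difference the page notes)."""
    h = 314159
    for ch in path:
        h = (h * 37 + ord(ch)) & MASK32
    return h


def prefetch_filename(exe_name: str, h: int) -> str:
    """On-disk name is EXENAME-XXXXXXXX.pf, the hash as 8 upper-case hex digits."""
    return f"{exe_name.upper()}-{h:08X}.pf"


def expected_filenames(exe_name: str, device_path: str) -> dict:
    """Return the .pf name each Windows generation would produce for one path,
    so a recovered filename can be matched against the right algorithm."""
    p = normalize_path(device_path)
    return {
        "xp": prefetch_filename(exe_name, prefetch_hash_xp(p)),
        "vista": prefetch_filename(exe_name, prefetch_hash_vista(p)),
    }


if __name__ == "__main__":
    # Constructed sample values; the volume name is a placeholder, not a real case.
    sample_path = r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NOTEPAD.EXE"
    for generation, name in expected_filenames("notepad.exe", sample_path).items():
        print(f"{generation:>5}: {name}")
```

When triaging a Vista prefetch directory, compare the 8 hex digits in a .pf filename against `prefetch_hash_vista` of the path recorded inside the file; a mismatch using the Vista algorithm (but a match using the XP one) is a sign the file was carried over from an older system rather than created on the Vista install.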

Registry

The Windows Registry remains a central component of the Windows Vista operating system.

See Also

External Links