Difference between pages "Libpff" and "Windows Vista"

From ForensicsWiki
(Difference between pages)
(libpff)
 
 
Line 1: Line 1:
{{Infobox_Software |
+
== New Features ==
  name = libpff |
+
* [[BitLocker Disk Encryption | BitLocker]]
  maintainer = [[Joachim Metz]], [[David Loveall]] |
+
* [[Windows Desktop Search | Search]] integrated in operating system
  os = [[Linux]], [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], [[Windows]] |
+
* [[ReadyBoost]]
  genre = {{Analysis}} |
+
* [[SuperFetch]]
  license = {{LGPL}} |
+
* [[NTFS|Transactional NTFS (TxF)]]
  website = [http://libpff.sourceforge.net libpff.sourceforge.net] |
+
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
}}
+
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
 +
* $Recycle.Bin
 +
* [[Windows XML Event Log (EVTX)]]
 +
* [[User Account Control (UAC)]]
  
The '''libpff''' package contains [[Linux]] based library and applications to read PST, OST and PAB files.
+
== File System ==
It has been ported to other platforms like [[FreeBSD]] [[NetBSD]] [[OpenBSD]] [[Mac OS X]] and [[Windows]] as well.
+
The file system used by Windows Vista is primarily [[NTFS]].
  
== History ==
+
In Windows Vista, NTFS no longer tracks the Last Access time of a file by default. This feature can be enabled by setting the NtfsDisableLastAccessUpdate value to '0' in the Registry key:
 +
<pre>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem</pre>
  
Libpff was created by [[Joachim Metz]] in 2008, while working for [http://en.hoffmannbv.nl/ Hoffmann Investigations].
+
Note that this feature has been around since as early as Windows 2000 [http://technet.microsoft.com/en-us/library/cc959914.aspx].
  
Libpff is a rewrite of earlier work on the PST file format by the [http://www.five-ten-sg.com/libpst/ libpst project]. Libpff was updated to be a shared library and support the OST and PAB files.
+
== Prefetch ==
 +
Note that the prefetch hash function is different then that of [[Windows XP]] and [[Windows 2003]].
  
Currently libpff partially supports the data in PAB files.
+
== Registry ==
 +
The [[Windows_Registry|Windows Registry]] remains a central component of the Windows Vista operating system.
  
== Tools ==  
+
== See Also ==
The '''libpff''' package contains the following tools:
+
* [[Windows]]
* '''pffexport''', which exports the items stored in PAB, PST and OST (PFF) files
+
* [[Windows 7]]
* '''pffinfo''', which shows information about PFF files.
+
* [[Windows 8]]
* '''pffrecover''', which exports recovered items stored in PAB, PST and OST (PFF) files
+
  
 
== External Links ==
 
== External Links ==
 +
* [https://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf Windows Vista Network Attack Surface Analysis], James Hoagland, Matt Conover, Tim Newsham, Ollie Whitehouse
  
* [http://libpff.sourceforge.net libpfff project site]
+
[[Category:Operating systems]]
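Review bot: the added Prefetch line reads "different then that of", which should be "different than that of", and the sentence gives no source or detail for how the hash function differs, so it would benefit from a citation or a link to the prefetch page. In the added File System section the TechNet URL is a bare bracketed link with no label; a short title would make the reference readable in the rendered page.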

Revision as of 13:14, 20 October 2013

New Features

File System

The file system used by Windows Vista is primarily NTFS.

In Windows Vista, NTFS no longer tracks the Last Access time of a file by default. This feature can be enabled by setting the NtfsDisableLastAccessUpdate value to '0' in the Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

Note that this feature has been around since as early as Windows 2000 [1].
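One way to check this setting before relying on Last Access timestamps, as an added example that is not part of the original wiki page. The function name `Get-LastAccessTracking` and its output fields are hypothetical, and only the values 0 and 1 are interpreted, following the text above.

```powershell
# Added example: report whether NTFS Last Access updates are enabled.
# Function name and output field names are illustrative, not from the wiki.
function Get-LastAccessTracking {
    param(
        # Key path as given on the page (live system). For a hive loaded from
        # an image, pass the path it was mounted under (an assumption of this
        # example); such a hive has numbered ControlSet00N keys instead of
        # CurrentControlSet.
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    )

    $name = 'NtfsDisableLastAccessUpdate'
    $item = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Key or value missing: do not guess, report it as absent.
        $raw   = $null
        $hex   = $null
        $state = 'ValueAbsent'
        $note  = 'Value not present; the operating system default applies.'
    } else {
        $raw = $item.$name
        $hex = '0x{0:X8}' -f $raw
        switch ($raw) {
            0 { $state = 'Enabled'
                $note  = 'Last Access times are updated.' }
            1 { $state = 'Disabled'
                $note  = 'Last Access times are not updated; do not treat them as evidence of access.' }
            default {
                $state = 'Unrecognized'
                $note  = 'Value is neither 0 nor 1; interpret it manually.' }
        }
    }

    [pscustomobject]@{
        KeyPath  = $KeyPath
        Value    = $name
        Raw      = $raw
        Hex      = $hex
        State    = $state
        Note     = $note
    }
}

Get-LastAccessTracking | Format-List
```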

Prefetch

Note that the prefetch hash function is different than that of Windows XP and Windows 2003.

Registry

The Windows Registry remains a central component of the Windows Vista operating system.

See Also

External Links