Comments on Windows Incident Response: Restore Point Analysis

Anonymous, 2007-06-16 20:55 (-05:00)

> However, the problem occurs due to the fact that the ACLs on the System Volume Information directory require System level access for that system . . .

Good point, Harlan. I've mentioned this before on other lists, but, without the correct permissions, you won't even be able to virus scan a mounted volume correctly. I suspect that a number of examiners simply run a scanner against a mounted volume, without realizing that their scanners are not evaluating the main user's Docs & Settings tree. The reason is because the examiner does not have permission to access the folders. The workaround for this is to take ownership of the entire tree, and this will work in MIP. However, you can't make yourself System or grant access to yourself over objects on the mounted volume.

Speaking of Restore Points, I just learned that Vista will present a whole new ballgame. Gone are the periodic backups of entire registry hives. As I recall, they're replaced by copies of updated blocks, similar, I think, to the shadow copies we will see. Also, the folder structure is changed.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2007-06-17 07:35 (-05:00)

Jimmy,

> ...Vista will present a whole new ballgame

Yes, this is something we're all looking forward to! ;-)

> Gone are the periodic backups of entire registry hives.

I'm not sure I follow...XP doesn't back up entire Registry hives. If you access the Restore Points, you'll see that the file sizes for the Registry files are different (i.e., smaller) than what you find in the config directory.

Anonymous, 2007-06-17 09:53 (-05:00)

> I'm not sure I follow...XP doesn't back up entire Registry hives.

Quite true. I believe that Vista, however, will back up blocks of changed data, so you will not find the typical registry hives, segregated historically.

Cory (https://www.blogger.com/profile/05367533723667525908), 2007-06-18 23:43 (-05:00)

> Another interesting thing I've run across is that using an alternative method of analysis, such as mounting the acquired image... However, the problem occurs due to the fact that the ACLs on the System Volume Information directory require System level access for that system...

Solution: Mount the file system from an operating system which does not interpret NTFS application level access controls. :-)