"System Protection" is disabled in Win10 default settings

We can often find important clues in a Restore Point, because "System Protection" for volume C is enabled in the Windows default settings. Lots of user data lives in "My Documents", "Desktop" and "Favorites", and many other Windows artifacts exist on volume C, so forensic examiners understand the importance of Restore Points. But Win10 differs from Win7/8 in this feature: "System Protection" is disabled in the Win10 default settings. That means there is no Restore Point at all unless you enable the feature manually.

Everybody knows that ordinary users couldn't care less whether "System Protection" is enabled or not. But to forensic examiners, having this feature enabled by default is very important. Now I will turn it on and show you how to take advantage of it.

With this feature on, the system creates Restore Points automatically. Of course we can also create a Restore Point manually. Let me show you how to discover how many Restore Points exist on volume C.

As you can see, there is one Restore Point on volume C. We can use vss.exe to mount this Restore Point.

The drive letter I use is "S". But where is "S:"? I cannot see volume S in My Computer. All you have to do is use a forensic tool like FTK Imager to look for volume S.

So volume S is the shadow copy of volume C. That means we have a chance to find the original content of data that was modified or removed recently. Now that "System Protection" is disabled by default, I wonder why Microsoft changed this feature. Is there anything we can do about it? My suggestion is that IT administrators should use Group Policy to enable this feature so as to preserve and protect digital evidence.
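As an added example (not code from the original post), the following PowerShell performs the steps described above on a single machine: it checks for a Group Policy override, enables System Protection on C:, creates a Restore Point, counts the shadow copies of the volume, and exposes the newest one as a directory through a symbolic link rather than the vss.exe tool used in the post. The mount path C:\vss_evidence and the variable names are this example's own assumptions, and it must run in an elevated session.

```powershell
# Added example (not from the original post): inventory and expose Volume Shadow Copies
# on a Windows 10 host for evidence preservation. Run from an elevated PowerShell session.
param(
    [string]$Drive      = 'C:\',
    [string]$MountPoint = 'C:\vss_evidence'   # constructed path for this example; must not exist yet
)

# 1. Is System Restore blocked by policy? HKLM\...\SystemRestore\DisableSR = 1 overrides the
#    per-volume setting, so enabling it locally would silently fail to produce restore points.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' `
                           -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableSR -eq 1) {
    Write-Warning 'System Restore is disabled by Group Policy (DisableSR=1); fix the policy first.'
}

# 2. Turn on "System Protection" for the volume (off by default on Win10).
Enable-ComputerRestore -Drive $Drive

# 3. Create a Restore Point manually. Windows also creates them on its own, but by default it
#    refuses a second manual checkpoint within 24 hours of the previous one.
Checkpoint-Computer -Description 'Evidence baseline' -RestorePointType 'MODIFY_SETTINGS'

# 4. How many shadow copies does the volume have? Win32_ShadowCopy.VolumeName holds the
#    \\?\Volume{GUID}\ form, which matches Win32_Volume.DeviceID.
$vol    = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $Drive.TrimEnd('\') }
$copies = @(Get-CimInstance Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $vol.DeviceID })
"Shadow copies of ${Drive}: $($copies.Count)"
$copies | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# 5. Expose the newest shadow copy as a directory, the same thing the post achieves with a
#    drive letter. The GLOBALROOT device path needs a trailing backslash for mklink.
$latest = $copies | Sort-Object InstallDate | Select-Object -Last 1
if ($latest) {
    cmd /c mklink /d "$MountPoint" "$($latest.DeviceObject)\"
    # Earlier versions of modified or deleted user files are now readable under the link.
    Get-ChildItem "$MountPoint\Users" -ErrorAction SilentlyContinue | Select-Object Name
}
```

When the examination is finished, remove the link with `cmd /c rmdir "$MountPoint"`; that deletes only the symbolic link, not the shadow copy.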


Original URL: https://www.cnblogs.com/pieces0310/p/5914525.html