Feedback and questions are welcomed. I will be updating this with my final research thesis and slides as new information and understanding come about.
Thank you.
Overview:
Windows 8 introduces two new options for system recovery: Refresh Points and System Recovery. Within Refresh Point there are two options: you can utilize the default refresh point or a custom refresh point.
Both Refresh options can be utilized by Windows 8 to remove malicious files and corrupted entries in the operating system. When using Refresh it is important to understand that the operating system creates a Recovery Image that makes a backup of the Windows System Files. For the default Refresh, these Windows System Files are from when Windows 8 was first installed. When the Custom Refresh option is used, the Windows System Files are from the date that the Custom Refresh was created; the Custom Refresh will also contain the desktop applications that you have installed. Refresh Images DO NOT contain your Metro-style apps, documents, personal settings or user profiles, because that information is preserved at the time you refresh your PC.
The System Recovery option in Windows 8 will return the operating system to the factory default. When using System Recovery, there are options covering the use of recovery with multiple drives and how personal files are removed.
Initial work can be found here: http://randomthoughtsofforensics.blogspot.com/2011/12/windows-8-forensic-overview.html
nice idea.. thanks for sharing.