Windows Vista

Topics that relate to the Microsoft Windows Vista Operating System.

Previous Versions Part 2

In my first blog post on Shadow Copy, I said that Previous Versions is available in the Ultimate, Business and Enterprise versions of Vista. This means that the feature is not available in Home and Home Premium versions. It is true, although there is a twist. You don't have the ability to access the Previous Versions of files in Home and Home Premium, but the Previous Versions are still being made. One of the students in my Computer Forensics class pointed out this article. The article says that if you upgrade from Home or Home Premium to Ultimate, Business or...

Previous Versions

Vista is the first consumer-oriented Windows operating system to come with a versioning file system. This versioning is called Shadow Copy, although it is exposed to the user as Previous Versions. Shadow Copy is available in the Ultimate, Business and Enterprise versions of Vista, and is enabled by default on the primary volume. You need to enable it explicitly for external volumes. External volumes include other partitions as well as other hard drives. Shadow Copy will make a copy of an entire volume, called a Restore Point. You cannot create a Shadow Copy of an individual file. You can though...

NTFS Alternate Data Streams

Alternate Data Streams have been around since 1993, when they were introduced in NTFS on Windows NT 3.1. They were introduced as a mechanism to store resource information separate from the actual file data. This allows programs to associate metadata with the file without changing the actual file contents. It is also a simple and effective way of hiding information. Most people are unaware of this feature, most likely due to it being an NTFS-only feature under Windows. Malicious software can use this feature to hide its files. Alternate Data Streams are amazingly simple to create. This is an example using Notepad. First,...