Determining VHD s in Windows 7 Dustin Hurlbut
|
|
- Grant Cook
- 8 years ago
- Views:
Transcription
1 Introduction Windows 7 has the ability to create and mount virtual machines based upon launching a single file. The Virtual Hard Disk (VHD) format permits creation of virtual drives that can be used for data storage, backup, and testing. A user can place large amounts of data in a virtual drive and then copy the representative unmounted file to any other computer. It appears most of the Windows 7 versions support the creation of VHDs. The file that stores the VHD is stored with a.vhd extension. Besides being able to create and attach virtual drives in the Manage utility, Windows 7 Ultimate, Enterprise and Server 2008 R2 can also boot to a virtual drive. Microsoft also has a standalone version available. The obvious forensic issues would be the use of virtual drives by suspects to store incriminating data. Mounted drives can be used to store and backup data, and once detached will look like a large file with the contents being visible only by remounting or use of forensics tools to view them. It s nifty way to hide things from another user. Data is carveable and keywords visible in an unprotected.vhd. It would be easy for a user to create a virtual drive, mount it, place the data in it while it is mounted, and once unmounted, change the name of the file s extension from VHD to some other extension or just hide the VHD in some area not likely to be noted by a casual user. Once unmounted, the.vhd file can be copied and opened on any other system that supports the format. Other options include the ability to nest a.vhd inside of another. The user can mount a virtual drive and then mount another inside of it. Microsoft only permits two nested drives1. Another important feature is when a system is shutdown, non-bootable mounted VHDs will not remount automatically upon reboot. Thus if the system is powered down in a raid environment either with power or by pulling the plug, it won t be apparent that the virtual drives were mounted upon forensic acquisition and analysis. Of course, a user can mount and then encrypt a.vhd file using volume encryption like TrueCrypt or BitLocker or non-volume like EFS or other file encrypting algorithms. The user can either place an encrypted volume inside the mounted VHD using TrueCrypt or can choose to encrypt the VHD volume which can then be auto mounted. This method would mask the data inside and render it impossible to find data via text searching the raw unmounted.vhd file. BitLocker
2 can also be used to encrypt a virtual drive. All the same issues apply to decrypting the drive as a regularly encrypted BitLocker hard drive; namely, the need for a recovery key and the necessity of imaging logically. The testing for this document was conducted on Windows 2008 Server R2 and Windows 7 Ultimate systems. In actual investigations of other versions, they should be tested for consistency and to confirm these findings.
3 Creating a VHD Virtual machines can be created in the Manage Utility (right click on Computer and select Manage) by selecting the Action drop down menu and clicking on Create VHD. Supply a location and filename for the VHD and decide on fixed or dynamic sizes. Supply the file size if a fixed size is selected and click on OK. See Figure 1. In fixed size creation, the file size will be the same as the selected size of the drive. Figure 1 Creating a VHD
4 Next, right click on the Disk# tab in the Manage utility to the left of the drive s bar graph and select Initialize Disk. Select the type of partition formatting desired; MBR or GPT and click OK. To finalize the drive and format it, right click on the drive s bar indicator (to the right of the drive# tab) and select New Simple Volume. This will start a wizard to allow assigning a drive letter, selecting a file system, and formatting the drive. Once completed, the drive will appear to be a physical drive in all respects from the point of view of the operating system (See Figure 1, last frame). It will behave as a physical drive to Windows Explorer and the MountedDevices registry entry in the System file will use the standard drive identifier located at offset in the Master Boot Record (MBR) of the virtual drive. Forensic Determination of the Presence of VHDs Trying to find virtual drives forensically isn t normally too difficult. If a user is archiving data in a VHD, they are easily discovered by sorting on the.vhd file extension in the user s image. The usual operating system file artifacts in a user s NTUSER.DAT registry file may also be present in the form of RecentDocs and in the ComDlg32 Most Recently Used (MRU) entries. Use of the internal virtual drive utility in Windows 7 creates entries for each of these MRU lists (see Figure 2). Figure 2 - RecentDocs List of.vhd files in the NTUSER.DAT
5 The only issue in locating.vhd files is if the suspect takes steps to hide them, such as changing or removing the file extension to mask them. VHDs can be mounted after their file extension is removed. In the example in Figure 4, FTK is used to process an image containing several.vhd files. Prior to processing, a Custom File Identification can be created to identify all VHDs in the image by header. FTK will then place them in a user named container. This speeds up the analysis by placing all the.vhd files in one location, so they can be quickly analyzed for potential evidence by exporting and mounting. The process to create a custom header identification is documented in Figure 3. During the case creation process, click the Detailed Options button. This will bring up the Evidence Processing dialog box. After the processes to perform are selected, click on the Custom File Identification button (upper left corner below Evidence Processing). Click on the Manage Custom Identifiers and then Create New.
6 Figure 3 Creating a Custom File Identification in FTK
7 Name the Custom Identifier and provide a description if desired. Double click the Value column at the bottom to enter the desired header (See Figure 3). In the case of.vhd files, I have been using: 0x 33c08ed0bc007c8e Note: If the beginning offset for a header is not zero, it can be set in the preceding Offset column. Once completed, click on Close and save the custom identifier to a file. Once the custom identifier is stored as a file, it can be called up on a case by case basis to classify files by header. Figure 4 - Using FTK to identify.vhd files during processing
8 Forensic Determination of the Use of VHDs There are a number of ways to demonstrate use of VHDs by a suspect. The above mentioned examination of MRUs in the registry of the host system will show VHD activity. The best method is to examine the Windows 7 event logs regarding the mounting and unmounting of virtual drives. The event file is located in the Event Viewer left pane menu list at the following path: Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\VHDMP\Operational An Information Event ID of 1 indicates a surfacing of a.vhd file. Microsoft refers to mounting a VHD as surfacing and unmounting as unsurfacing 1. The log viewer will supply the path and filename mounted, date/time of access, and the physical drive number assigned to the drive. See Figure 5. An Event ID of 2 indicates a VHD has been unsurfaced and will also have the path, filename, and date/time of unsurfacing. It interesting to note, that if a virtual drive is functioning when the system is shutdown without a manual dismount, there will be no event identification (2) indicating it was unsurfaced. Figure 5 Windows 7 Event Log Viewer / VHD Event Logs
9 An examination of the link files of a user s system may help ascertain if the.vhd files have been in use on the system. Link files can contain a volume name and volume serial number to compare to those contained in the mounted virtual drive. See Figure 6. Figure 6 - Link File pointing to a virtual drive This would require mounting the.vhd file to determine its volume name and serial number. Mounting can be accomplished with current forensic tools as most mount a.vhd as an image file (see Figure 7).
10 Figure 7 Mounted.vhd file in FTK Imager showing the Volume Serial Number at offset 72 The image can also be mounted in Windows as a Read-Only drive by selecting the Read-Only check box when attaching the device. See Figure 8. Prior to mounting the first and third device
11 After mounting the first and third device Figure 8 Selecting Read-Only when mounting a.vhd file in Windows 7 The top panel of Figure 8 is a list of hashes for three.vhd files prior to mounting. In the middle panel, is a list of those hashes after mounting the first and third.vhd. One of the files was mounted and changed by adding a folder to it. The second was only mounted, but otherwise not changed. Both the hashes changed upon mounting the device. Both VHDs were NTFS file system formatted. The bottom panel of Figure 8 shows the hashes after mounting the diffvhd.vhd file. In this case, prior to mounting the Read-Only check box was selected. With limited testing, I have found the.vhd file s hash does not change when using read-only surfacing.
12 The drive letter assigned may be determined by an examination of the MountedDevices subkey in the System registry file. In the example in Figure 9, the.vhd occupied the T drive. The first four bytes in the \DosDevices\T: value are 0x 2F E. This is the drive identifier for this physical device located at offset 440 in the MBR of the.vhd file. Mounting the.vhd and viewing the drive identifier in its MBR will allow determination of which.vhd file was used for this drive letter. The four values at offset match to a file called BACKTRACK VHD.vhd. The drive letter at \DosDevices\<driveletter>: is volatile data. If this VHD was unsurfaced and another VHD, HDD, or USB were mounted and used this drive letter, the drive identifier value will be overwritten in favor of the new device s identification. However, the drive will still be identifiable as having been mounted as there is a persistent number assigned in MountedDevices as well as the volatile one. This persistent entry is preceded with a \??\ <guid> value name with the drive identifier assigned in the same first four bytes of its value. This data is not removed when the drive letter is used by another device.
13 Figure 9 MBR drive ID to MountedDevices to the GUID in MountPoints
14 It can also be determined which user launched BACKTRACK VHD.vhd and at what time it was mounted. First, find the persistent Globally Unique Identifier (GUID) for the drive. This can be determined by finding the drive identifier (in this case 0x 2F E) in MountedDevices that has a value name of \??\Volume{<guid>}. In this example, it is just above the \DosDevices\T: Value: 0x 2F E with the same value header. The GUID is: 68f3aeb8-a1ab-11df-b5da-a8aa87d6c78d Open the NTUSER.DAT for the suspected user (in this case the NTUSER.DAT for user Dustin) and navigate to the following path where <guid> is the GUID for this device: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\<guid> Highlight the GUID assigned to this device by MountedDevices and note the Key Properties last written time, shown in Figure 9 (bottom panel). This date/time is the last written date/time for the subkey highlighted. This updates each time the user mounts the device. This method also works to determine the time/date of mounting a USB device. When testing this value, be sure to account for lazy writes as this value doesn t always update immediately upon mounting of the device. Logging off or restarting may be required to consistently update this value for testing purposes. The storage artifacts that record the volumes mounted for.vhd files are kept in a number of places in the registry similar to USB information. The drives are identified in the SCSI subkey at the following location: HKLM\System\ControlSet###\Enum\SCSI\Disk&Ven_Msft&Prod_Virtual_Disk Each drive is identified with a number similar to the old Parent ID Prefix (pip) seen in Windows XP for USB devices. There are also references to them in the following path: HKLM\System\ControlSet###\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#SCSI#Disk&Ven_Msft&Prod_Virtual_Disk#<pip from scsi subkey><classidguid>
15 This location is one of the class identifiers that specify device attachments that are used to identify the last time a specific USB was connected. Note the Msft reference in each path. MSFT is the Microsoft stock identifier and this reference is used in the virtual entries in the registry. MSFT is commonly used in company blogs in place of the company name Microsoft. Virtual drives are also referenced by their volume name in the ReadyBoost drive storage archive in the Software registry file at: HKLM\Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt Mounting a VHD for Analysis When the virtual drive is mounted by the operating system, it is in all appearances a physical hard disk drive. The first panel in Figure 10 shows the drive mounted while it is live. The second panel shows mounting the.vhd file as an image file. The two views appear to be the same. VHD images can be viewed and evaluated by mounting with your forensic tool of choice. As mentioned earlier, the issue is finding them. Many of the current forensic tools will mount.vhd files as an image file, so the structure can be examined for relevant files to the investigation.
16 Figure 10 Mounted Virtual Drive and Mounted.vhd File
17 Once mounted, the examination will be a standard analysis of the file system for relevant data using keyword searches, viewing user created and deleted files, and data carving. Figure 11 FTK Imager view of deleted files Figure 11 shows a standard look at artifacts such as those deleted from the operating system and recycle bin.
18 VHD Footer Offsets2 In addition to the analysis of the relevant data, the.vhd also contains a footer that may yield important forensic information about its creation. This footer is located in the last sector of the physical.vhd file. The header begins at the sector boundary of the last sector in the file. It is contained in offsets 0-7 and contains the header word conectix to identify a Microsoft Virtual Server file. Data sets stored in this footer appear to be in big endian format. See Figure 13 for Offset Table. Figure 12 Footer information in a.vhd file Offsets contain a date/time stamp of when the VHD was created. This date and time, according to Microsoft, is based upon the number of seconds since January 1, 2000, 12:00:00 AM UTC time. This appears to be a new date/time stamp to convert (possibly an XFat date/time stamp). I couldn t find a converter for it, so for testing purposes, I added the hex value 0x 38 6D to the stored value (the number of seconds between 1970 and 2000) and used the Unix 32-bit, big endian converter to get in the ballpark. This would not be forensically sound, so at some point, someone hopefully will build us a converter for this date and time stamp. Offsets store the creator application. In Windows 7.vhd files, the value win is placed here.
19 Offsets is the creator host for the OS. In Windows 7 test VHDs, the value Wi2k is stored here. Offsets stores the size of the.vhd file in its original state. This value is in bytes and does not include the last 512 bytes where this footer information is stored. If the disk is expanded, the current size will be displayed in offsets At offsets is stored a unique identifier for the hard disk. Its format is in the 128-bit Universally Unique Identifier (UUID). Figure 13 -.vhd Footer Offsets
20 References 1. Virtual Hard Disks in Windows Frequently Asked Questions, Microsoft, June 15, 2009, 2. Virtual Hard Disk Image Format Specification, Microsoft, October 11,
Forensically Determining the Presence and Use of Virtual Machines in Windows 7
Forensically Determining the Presence and Use of Virtual Machines in Windows 7 Introduction Dustin Hurlbut Windows 7 has the ability to create and mount virtual machines based upon launching a single file.
More informationVirtual Hard Disk Forensics Using EnCase
Virtual Hard Disk Forensics Using EnCase Randy Nading, EnCE Security+ Computer Forensic Analyst, Jacobs Technology www.encase.com/ceic Agenda I. Virtual Hard Disks (VHDs) as Evidence Containers Hands On
More information1. Introduction... 2. 2. About the BackupAssist Hyper-V solution... 2. Advantages... 2. Features... 2. Granular technology... 2
Contents 1. Introduction... 2 2. About the BackupAssist Hyper-V solution... 2 Advantages... 2 Features... 2 Granular technology... 2 The BackupAssist VM Granular Restore Console... 2 Limitations and requirements...
More informationBackupAssist v6 quickstart guide
Using the new features in BackupAssist v6... 2 VSS application backup (Exchange, SQL, SharePoint)... 2 Backing up VSS applications... 2 Restoring VSS applications... 3 System State backup and restore...
More informationBackupAssist v6 quickstart guide
New features in BackupAssist v6... 2 VSS application backup (Exchange, SQL, SharePoint)... 3 System State backup... 3 Restore files, applications, System State and mailboxes... 4 Fully cloud ready Internet
More informationMAC/OSX - How to Encrypt Data using TrueCrypt. v.05201011
MAC/OSX - How to Encrypt Data using TrueCrypt v.05201011 This chapter contains step-by-step instructions on how to create, mount, and use a TrueCrypt volume. We strongly recommend that you read the entire
More informationRECOVERING FROM SHAMOON
Executive Summary Fidelis Threat Advisory #1007 RECOVERING FROM SHAMOON November 1, 2012 Document Status: FINAL Last Revised: 2012-11-01 The Shamoon malware has received considerable coverage in the past
More informationSystem Protection for Hyper-V User Guide
User Guide BackupAssist User Guides explain how to create and modify backup jobs, create backups and perform restores. These steps are explained in more detail in a guide s respective whitepaper. Whitepapers
More informationUltraBac Documentation. UBDR Gold. Administrator Guide UBDR Gold v8.0
UltraBac Documentation UBDR Gold Bare Metal Disaster Recovery Administrator Guide UBDR Gold v8.0 UBDR Administrator Guide UBDR Gold v8.0 The software described in this guide is furnished under a license
More informationParagon Backup Retention Wizard
Paragon Backup Retention Wizard User Guide Getting Started with the Paragon Backup Retention Wizard In this guide you will find all the information necessary to get the product ready to use. System Requirements
More informationAns.: You can find your activation key for a Recover My Files by logging on to your account.
Faqs > Recover Q1. I lost my activation key Ans.: You can find your activation key for a Recover My Files by logging on to your account. Q2. I purchased on-line, when will my activation key be sent to
More informationWSDOT ProjectWise V8i Training 101
WSDOT PROJECTWISE V8I TRAINING 101 ABOUT THIS TRAINING This training is intended to give a user the ability to open ProjectWise and access working files. Once you become comfortable working within the
More informationBare Metal Recovery Quick Start Guide
Bare Metal Recovery Quick Start Guide Revisions Document Control Version 5.4.3 Status Changes Date Final Created. August 2014 Copyright 2003-2014 Intronis, Inc. All rights reserved. 1 Table of Contents
More informationUser Guide. Laplink Software, Inc. Laplink DiskImage 7 Professional. User Guide. UG-DiskImagePro-EN-7 (REV. 5/2013)
1 Laplink DiskImage 7 Professional Laplink Software, Inc. Customer Service/Technical Support: Web: http://www.laplink.com/contact E-mail: CustomerService@laplink.com Laplink Software, Inc. 600 108th Ave.
More informationWindows XP Home Edition / Windows XP Professional
Windows XP Home Edition / Windows XP Professional COOLPIX5000/995/885/775 This manual is for those users of the COOLPIX5000/995/885/ 775 who are running Nikon View 4 (Version4.3.1) under Windows XP Home
More information16.4.3 Lab: Data Backup and Recovery in Windows XP
16.4.3 Lab: Data Backup and Recovery in Windows XP Introduction Print and complete this lab. In this lab, you will back up data. You will also perform a recovery of the data. Recommended Equipment The
More informationVirtualXP Users Guide
VirtualXP Users Guide Contents Chapter 1: Introduction... 2 Chapter 2: Install and Uninstall VirtualXP... 3 2.1 System Requirement... 3 2.2 Installing VirtualXP... 3 2.3 Uninstalling VirtualXP... 3 Chapter
More informationComodo Disk Encryption
Comodo Disk Encryption Version 2.0 User Guide Version 2.0.122010 Versi Comodo Security Solutions 525 Washington Blvd. Jersey City, NJ 07310 Table of Contents 1.Comodo Disk Encryption Introduction... 3
More informationEaseUS Data Recovery Wizard User Guide
EaseUS Data Recovery Wizard User Guide EaseUS Data Recovery Wizard is an easy-to-use hard drive data recovery software that allows you to easily recover lost data from PC, laptop, hard drive or storage
More informationWorking with Administrative Tools
This final chapter considers a variety of administrative 12 tools and how to use them. Working with Administrative Tools Using Administrative Tools Once you go though Control Panel (assuming you haven
More informationAccessData. Triage. Quick Start Guide. Published: December 2011
AccessData Triage Quick Start Guide Published: December 2011 1 Legal Information 2011 AccessData Group, LLC All rights reserved. No part of this publication may be reproduced, photocopied, stored on a
More informationCleaning your Windows 7, Windows XP and Macintosh OSX Computers
Cleaning your Windows 7, Windows XP and Macintosh OSX Computers A cleaning of your computer can help your computer run faster and make you more efficient. We have listed some tools and how to use these
More informationFor Windows XP 64 bit
Installation Guide Beta drivers for Windows XP[64], Win 7[32/64bit,], Win 8.1[64bit] This version of Orange-5 software introduces support for 64 bit operational systems (Win XP 64 bit, Win7 64, etc..).
More information10.3.1.6 Lab - Data Backup and Recovery in Windows XP
5.0 10.3.1.6 Lab - Data Backup and Recovery in Windows XP Introduction Print and complete this lab. In this lab, you will back up data. You will also perform a recovery of the data. Recommended Equipment
More informationIntroduction to BitLocker FVE
Introduction to BitLocker FVE (Understanding the Steps Required to enable BitLocker) Exploration of Windows 7 Advanced Forensic Topics Day 3 What is BitLocker? BitLocker Drive Encryption is a full disk
More informationHyper-V Protection. User guide
Hyper-V Protection User guide Contents 1. Hyper-V overview... 2 Documentation... 2 Licensing... 2 Hyper-V requirements... 2 2. Hyper-V protection features... 3 Windows 2012 R1/R2 Hyper-V support... 3 Custom
More informationMicrosoft Vista: Serious Challenges for Digital Investigations
Proceedings of Student-Faculty Research Day, CSIS, Pace University, May 2 nd, 2008 Microsoft Vista: Serious Challenges for Digital Investigations Darren R. Hayes and Shareq Qureshi Seidenberg School of
More informationCall Recorder Quick CD Access System
Call Recorder Quick CD Access System V4.0 VC2010 Contents 1 Call Recorder Quick CD Access System... 3 1.1 Install the software...4 1.2 Start...4 1.3 View recordings on CD...5 1.4 Create an archive on Hard
More informationHard Disk Manager 14 Hyper-V Preview
PARAGON Software GmbH Heinrich-von-Stephan-Str. 5c 79100 Freiburg, Germany Tel. +49 (0) 761 59018201 Fax +49 (0) 761 59018130 Internet www.paragon-software.com Email sales@paragon-software.com Hard Disk
More informationUniversity of Rochester Sophos SafeGuard Encryption for Windows Support Guide
Sophos SafeGuard Encryption for Windows Support Guide University Information Technology Security & Policy September 15, 2015 Version Date Modification 1.0 September 15, 2015 Initial guide 1.1 1.2 1.3 1.4
More informationHow to Install Applications (APK Files) on Your Android Phone
How to Install Applications (APK Files) on Your Android Phone Overview An Android application is stored in an APK file (i.e., a file named by {Application Name}.apk). You must install the APK on your Android
More informationSymantec File Share Encryption Quick Start Guide Version 10.3
Symantec File Share Encryption Quick Start Guide Version 10.3 What is Symantec File Share Encryption? Symantec File Share Encryption is a software tool that provides multiple ways to protect and share
More informationWindows 7: Current Events in the World of Windows Forensics
Windows 7: Current Events in the World of Windows Forensics Troy Larson Senior Forensic Program Manager Network Security, Microsoft Corp. Where Are We Now? Vista & Windows 2008 BitLocker. Format-Wipes
More informationNovaBACKUP. User Manual. NovaStor / May 2014
NovaBACKUP User Manual NovaStor / May 2014 2014 NovaStor, all rights reserved. All trademarks are the property of their respective owners. Features and specifications are subject to change without notice.
More informationJust EnCase. Presented By Larry Russell CalCPA State Technology Committee May 18, 2012
Just EnCase Presented By Larry Russell CalCPA State Technology Committee May 18, 2012 What is e-discovery Electronically Stored Information (ESI) Discover or Monitor for Fraudulent Activity Tools used
More informationContents. Getting Started...1. Managing Your Drives...14. Backing Up & Restoring Folders...28. Synchronizing Folders...48. Managing Security...
Contents Getting Started.....................................................1 Using the Formatting Tool........................................1 Preparing the Software Manually..................................4
More informationSTATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER
Notes: STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER 1. These instructions focus on installation on Windows Terminal Server (WTS), but are applicable
More informationOutlook E-Mail. Step 1: Open and Configure Outlook
Outlook E-Mail Step 1: Open and Configure Outlook 1. Click the Microsoft Button in the lower left task bar 2. Select All Programs 3. Select Microsoft Office 4. Select Microsoft Outlook 5. Follow the Start
More informationLenovo Online Data Backup User Guide Version 1.8.14
Lenovo Online Data Backup User Guide Version 1.8.14 Contents Chapter 1: Installing Lenovo Online Data Backup...5 Downloading the Lenovo Online Data Backup Client...5 Installing the Lenovo Online Data
More informationistorage Server: High-Availability iscsi SAN for Windows Server 2008 & Hyper-V Clustering
istorage Server: High-Availability iscsi SAN for Windows Server 2008 & Hyper-V Clustering Tuesday, Feb 21 st, 2012 KernSafe Technologies, Inc. www.kernsafe.com Copyright KernSafe Technologies 2006-2012.
More informationActive @ UNDELETE Users Guide
Active @ UNDELETE Users Guide Contents 2 Contents Legal Statement...5 Active@ UNDELETE Overview... 6 Getting Started with Active@ UNDELETE... 7 Active@ UNDELETE Views And Windows... 7 Recovery Explorer
More informationM100 System File Manager Help
Copyright (c) Vuzix Corporation 2013-2014. All Rights Reserved. M100 System File Manager Help Section I) Installation of the M100 Section II) General Information Section III) Troubleshooting Section IV)
More informationBackup Buddy. Welcome to Backup Buddy! The simplest, friendliest backup application for the Mac.
Backup Buddy Welcome to Backup Buddy! The simplest, friendliest backup application for the Mac. Just like Apple s Time Machine, Backup Buddy will create a chronological archive of your data. But unlike
More informationSATA RAID Function (Only for chipset Sil3132 used) User s Manual
SATA RAID Function (Only for chipset Sil3132 used) User s Manual 12ME-SI3132-001 Table of Contents 1 WELCOME...4 1.1 SATARAID5 FEATURES...4 2 AN INTRODUCTION TO RAID...5 2.1 DISK STRIPING (RAID 0)...5
More informationUpdates Click to check for a newer version of the CD Press next and confirm the disc burner selection before pressing finish.
Backup. If your computer refuses to boot or load Windows or if you are trying to restore an image to a partition the Reflect cannot lock (See here), and then you will have to start your PC using a rescue
More informationTime Stamp. Instruction Booklet
Time Stamp Instruction Booklet Time Stamp Introductions Time stamp is a useful solution for backing up and restoring system, it backs up the entire computer system to the Backup Zone. Time Stamp is used
More informationFiltering Email with Microsoft Outlook
Filtering Email with Microsoft Outlook Microsoft Outlook is an email client that can retrieve and send email from various types of mail servers. It includes some advanced functionality that allows you
More informationMICROSOFT OUTLOOK 2011 READ, SEARCH AND PRINT E-MAILS
MICROSOFT OUTLOOK 2011 READ, SEARCH AND PRINT E-MAILS Lasted Edited: 2012-07-10 1 Find the Inbox... 3 Check for New Mail... 4 Manually check for new messages... 4 Change new incoming e-mail schedule options...
More informationPGP Desktop Email Quick Start Guide Version 10.2
PGP Desktop Email Quick Start Guide Version 10.2 What is PGP Desktop Email? PGP Desktop Email is part of the PGP Desktop family of products. Use PGP Desktop Email to: Automatically and transparently encrypt,
More informationNovaBACKUP. User Manual. NovaStor / November 2011
NovaBACKUP User Manual NovaStor / November 2011 2011 NovaStor, all rights reserved. All trademarks are the property of their respective owners. Features and specifications are subject to change without
More informationSonicWALL CDP Local Archiving
This document describes how to configure, implement, and manage a local archive for your SonicWALL CDP appliance. It contains the following sections: Feature Overview section on page 1 Using Local Archiving
More informationJoining an XP workstation to a domain Version 1.00
Joining an XP workstation to a domain Version 1.00 All Windows XP Professional workstations need to be joined to a domain to function as part of the domain security environment. Need to Know TM 1. To join
More informationSystem Protection for Hyper-V Whitepaper
Whitepaper Contents 1. Introduction... 2 Documentation... 2 Licensing... 2 Hyper-V requirements... 2 Definitions... 3 Considerations... 3 2. About the BackupAssist Hyper-V solution... 4 Advantages... 4
More informationVess A2000 Series. NVR Storage Appliance. Windows Recovery Instructions. Version 1.0. 2014 PROMISE Technology, Inc. All Rights Reserved.
Vess A2000 Series NVR Storage Appliance Windows Recovery Instructions Version 1.0 2014 PROMISE Technology, Inc. All Rights Reserved. Contents Introduction 1 Different ways to backup the system disk 2 Before
More informationCensus. di Monitoring Installation User s Guide
Census di Monitoring Installation User s Guide 1 r1 Contents Introduction... 3 Content overview... 3 Installing Windows 2003 Server Components... 4 System requirements... 4 di Monitoring Web Set-up...
More informationIntroduction. This white paper provides technical information on how to approach these steps with Symantec Antivirus Corporate edition.
Introduction The process of updating virus definitions on workstations protected by Deep Freeze Enterprise involves three fundamental steps: 1. Rebooting the workstations into a Thawed state so the updates
More informationEnCase 7 - Basic + Intermediate Topics
EnCase 7 - Basic + Intermediate Topics Course Objectives This 4 day class is designed to familiarize the student with the many artifacts left behind on Windows based media and how to conduct a forensic
More informationSonicWALL CDP 5.0 Microsoft Exchange InfoStore Backup and Restore
SonicWALL CDP 5.0 Microsoft Exchange InfoStore Backup and Restore Document Scope This solutions document describes how to configure and use the Microsoft Exchange InfoStore Backup and Restore feature in
More informationIn order to enable BitLocker, your hard drive must be partitioned in a particular manner.
ENABLE BITLOCKER ON WINDOWS VISTA - WITHOUT A TPM Requirements: You must be running Vista Enterprise or Vista Ultimate to enable BitLocker. Any other version of Vista is not compatible. It is recommended
More informationActive @ UNDELETE Users Guide
Active @ UNDELETE Users Guide Contents 2 Contents Legal Statement...5 Active@ UNDELETE Overview... 6 Getting Started with Active@ UNDELETE... 7 Active@ UNDELETE Views And Windows... 7 Recovery Explorer
More informationRSCCD REMOTE PORTAL TABLE OF CONTENTS: Technology Requirements NOTE
RSCCD REMOTE PORTAL The RSCCD Remote Portal allows employees to access their RSCCD Email (via Outlook Web Access), Department (Public) Folders, Personal (H Drive) Folder, and the District Intranet from
More informationThe Meaning. Linkfiles In Forensic Examinations
The Meaning of Linkfiles In Forensic Examinations A look at the practical value to forensic examinations of dates and times, and object identifiers in Windows shortcut files. Harry Parsonage September
More informationHiva-network.com. Microsoft_70-680_v2011-06-22_Kat. Exam A
Exam A Microsoft_70-680_v2011-06-22_Kat QUESTION 1 You have a computer that runs Windows 7. The computer has a single volume. You install 15 applications and customize the environment. You complete the
More informationZENworks 11 Support Pack 4 Full Disk Encryption Agent Reference. May 2016
ZENworks 11 Support Pack 4 Full Disk Encryption Agent Reference May 2016 Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government
More informationData-Tracker PLUS and Data-Viewer PLUS Software User s Guide
Data-Tracker PLUS and Data-Viewer PLUS Software User s Guide Version 1.1 Data-Tracker PLUS and Data-Viewer PLUS User s Guide Overview Data-Tracker PLUS is a software program designed and developed to interface
More informationIBM Rapid Restore PC powered by Xpoint - v2.02 (build 6015a)
IBM Rapid Restore PC powered by Xpoint - v2.02 (build 6015a) User s Reference Guide Internal IBM Use Only This document only applies to the software version listed above and information provided may not
More informationWinClon 6 User Guide. With Screenshots. A Windows Embedded Partner
User Guide With Screenshots Table of Contents Product Introduction Product Overview Product Features Product Installation/Registration System Requirements Installation Use as Evaluation Activate on Internet
More informationDual-boot Windows 10 alongside Windows 8
Most of the people are very much interested to install the newly launched Operating System Windows 10 on their devices. But, it is not recommended to directly use Windows 10 as the primary OS because it
More informationMICROSOFT EXCEL 2011 MANAGE WORKBOOKS
MICROSOFT EXCEL 2011 MANAGE WORKBOOKS Last Edited: 2012-07-10 1 Open, create, and save Workbooks... 3 Open an existing Excel Workbook... 3 Create a new Workbook... 6 Save a Workbook... 6 Set workbook properties...
More informationSIRIS. Bare Metal Restore Guide
SIRIS Bare Metal Restore Guide Table of Contents Prerequisites 5 PXE Boot Configuration 6 Accessing Recovery Points 7 Setting BMR Preferences 9 gpxe USB Drive Configuration 10 Starting the BMR 11 Configuring
More informationHosting Users Guide 2011
Hosting Users Guide 2011 eofficemgr technology support for small business Celebrating a decade of providing innovative cloud computing services to small business. Table of Contents Overview... 3 Configure
More informationBackup and Disaster Recovery Restoration Guide
Backup and Disaster Recovery Restoration Guide Page 1 Table of Contents Table of Contents...2 Terms of Use...3 BDR...4 Creating Point-in-Time Restoration Volumes...4 Mounting a Restoration Volume...4 Dismounting
More informationUSB Bare Metal Restore: Getting Started
USB Bare Metal Restore: Getting Started Prerequisites Requirements for the target hardware: Must be able to boot from USB Must be on the same network as the Datto device Must be 64 bit hardware Any OSs
More informationSophos Disk Encryption License migration guide. Product version: 5.61 Document date: June 2012
Sophos Disk Encryption License migration guide Product version: 5.61 Document date: June 2012 Contents 1 About this guide...3 2 Add encryption to an existing Sophos security solution...5 3 SDE/SGE 4.x
More informationCautions When Using BitLocker Drive Encryption on PRIMERGY
Cautions When Using BitLocker Drive Encryption on PRIMERGY July 2008 Fujitsu Limited Table of Contents Preface...3 1 Recovery mode...4 2 Changes in hardware configurations...5 3 Prior to hardware maintenance
More informationOutlook Web Access End User Guide
Outlook Web Access End User Guide Page 0 Outlook Web Access is an online, limited version of an Outlook client which can be used to access an exchange account from a web browser, without having an Outlook
More informationSecureDoc for Mac v6.1. User Manual
SecureDoc for Mac v6.1 User Manual Copyright 1997-2012 by WinMagic Inc. All rights reserved. Printed in Canada Many products, software and technologies are subject to export control for both Canada and
More informationQuick Start Guide. Version R91. English
Using StorageCraft Recovery Environment Quick Start Guide Version R91 English May 20, 2015 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s
More informationDrobo How-To Guide. Cloud Storage Using Amazon Storage Gateway with Drobo iscsi SAN
The Amazon Web Services (AWS) Storage Gateway uses an on-premises virtual appliance to replicate a portion of your local Drobo iscsi SAN (Drobo B1200i, left below, and Drobo B800i, right below) to cloudbased
More informationNetBackup Backup, Archive, and Restore Getting Started Guide
NetBackup Backup, Archive, and Restore Getting Started Guide UNIX, Windows, and Linux Release 6.5 Veritas NetBackup Backup, Archive, and Restore Getting Started Guide Copyright 2007 Symantec Corporation.
More informationUp-to-the-minute Data Protection
User s Manual Undelete for Windows Up-to-the-minute Data Protection July 2007 This document describes the installation and operation of the Undelete file recovery solutions. It applies to the Server, Desktop
More informationAdvanced Event Viewer Manual
Advanced Event Viewer Manual Document version: 2.2944.01 Download Advanced Event Viewer at: http://www.advancedeventviewer.com Page 1 Introduction Advanced Event Viewer is an award winning application
More informationVERITAS NetBackup 6.0
VERITAS NetBackup 6.0 Backup, Archive, and Restore Getting Started Guide for UNIX, Windows, and Linux N15278C September 2005 Disclaimer The information contained in this publication is subject to change
More informationHow to Encrypt your Windows 7 SDS Machine with Bitlocker
How to Encrypt your Windows 7 SDS Machine with Bitlocker ************************************ IMPORTANT ******************************************* Before encrypting your SDS Windows 7 Machine it is highly
More informationUSB 3.0 DUAL SATA HDD DOCKING STATION
USB 3.0 DUAL SATA HDD DOCKING STATION User Manual (DA-70547) Introduction DA-70547 is a USB3.0 enabled dual-sata hard drive enclosure. It supports simultaneously use of two 2.5 or 3.5 SATA hard disk for
More informationHow To Restore Your Data On A Backup By Mozy (Windows) On A Pc Or Macbook Or Macintosh (Windows 2) On Your Computer Or Mac) On An Pc Or Ipad (Windows 3) On Pc Or Pc Or Micro
Online Backup by Mozy Restore Common Questions Document Revision Date: June 29, 2012 Online Backup by Mozy Common Questions 1 How do I restore my data? There are five ways of restoring your data: 1) Performing
More informationHP StorageWorks Automated Storage Manager User Guide
HP StorageWorks Automated Storage Manager User Guide Part Number: 5697 0422 First edition: June 2010 Legal and notice information Copyright 2010, 2010 Hewlett-Packard Development Company, L.P. Confidential
More informationACTIVE@ UNDELETE 7.0 USER GUIDE
ACTIVE@ UNDELETE 7.0 USER GUIDE COPYRIGHT Copyright 27, LSOFT TECHNOLOGIES INC. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative
More informationBasic Edition A Windows Embedded Partner
User Guide Basic Edition Table of Contents Product Introduction Product Overview Product Features Product Installation/Registration System Requirements Installation Use as Evaluation Activate on Internet
More informationHow to protect, restore and recover SQL 2005 and SQL 2008 Databases
How to protect, restore and recover SQL 2005 and SQL 2008 Databases Introduction This document discusses steps to set up SQL Server Protection Plans and restore protected databases using our software.
More informationIT Essentials v4.1 LI 11.4.5 Upgrade and configure storage devices and hard drives. IT Essentials v4.1 LI 12.1.3 Windows OS directory structures
IT Essentials v4.1 LI 11.4.5 Upgrade and configure storage devices and hard drives 2.3 Disk management tools In Windows Vista and Windows 7, use the following path: Start > Start Search > type diskmgmt.msc
More informationvtcommander Installing and Starting vtcommander
vtcommander vtcommander provides a local graphical user interface (GUI) to manage Hyper-V R2 server. It supports Hyper-V technology on full and core installations of Windows Server 2008 R2 as well as on
More informationIntelligent disaster recovery. Dell DL backup to Disk Appliance powered by Symantec
Intelligent disaster recovery Dell DL backup to Disk Appliance powered by Symantec The PowerVault DL Backup to Disk Appliance Powered by Symantec Backup Exec offers the industry s only fully integrated
More informationDigital Forensics Tutorials Acquiring an Image with Kali dcfldd
Digital Forensics Tutorials Acquiring an Image with Kali dcfldd Explanation Section Disk Imaging Definition Disk images are used to transfer a hard drive s contents for various reasons. A disk image can
More informationTABLE OF CONTENTS. Administration Guide - Virtual Server idataagent (VMware) Page 1 of 176 OVERVIEW
Page 1 of 176 Administration Guide - Virtual Server idataagent (VMware) TABLE OF CONTENTS OVERVIEW Introduction Key Features Complete Virtual Machine Protection Granular Recovery of Virtual Machine Data
More information2.6.1 Creating an Acronis account... 11 2.6.2 Subscription to Acronis Cloud... 11. 3 Creating bootable rescue media... 12
USER'S GUIDE Table of contents 1 Introduction...3 1.1 What is Acronis True Image 2015?... 3 1.2 New in this version... 3 1.3 System requirements... 4 1.4 Install, update or remove Acronis True Image 2015...
More informationHow to create a portable encrypted USB Key using TrueCrypt
How to create a portable encrypted USB Key using TrueCrypt INTRODUCTION TrueCrypt Traveler Mode provides secure encryption for programs/files on portable devices such as USB Memory keys. It uses strong
More informationComodo BackUp Software Version 4.4
Comodo BackUp Software Version 4.4 User Guide Guide Version 4.4.101614 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1.Comodo BackUp - Introduction...4 1.1.System Requirements...6
More informationMigrating From Bobcat Mail To Google Apps (Using Microsoft Outlook and Google Apps Sync)
Migrating From Bobcat Mail To Google Apps (Using Microsoft Outlook and Google Apps Sync) This document is intended for those users moving from WVWC s Bobcat Mail system to the new Google Apps mail system
More informationHyper-V Protection. User guide
Hyper-V Protection User guide Contents 1. Hyper-V overview... 2 Documentation... 2 Licensing... 2 Hyper-V requirements... 2 Windows Server 2012 Hyper-V support... 3 2. Hyper-V protection features... 3
More information