"System Protection" is disabled in Win10 default settings

We could find some important clue in Restore point because "System Protection" of volume C are enabled in Windows Defau Lt settings. Lots of data in "My Documents", "Desktop", and "favorotes". Further more lots of Windows artifacts exists in volume C, and forensic guys understand the importance of Restore point. But Win10 was different from WIN7/8 on this feature. "System Protection" becomes disabled in Win10 default settings. That means there are no any Restore point unless you enable that feature manually.

Everybody knows that the user couldn ' t care less whether "System Protection" was enabled or not. Forensic guys this feature the default enabled is very important. Now I turn the It on and show what you do advantage of this feature.

With the feature on system would create Restore point automatically. Of course we could create Restore point manually. Let me show what you do to discover "how many Restore" in volume C.

As you could see there are one Restore point in volume C. We could use Vss.exe to mount this Restore point.

The driver letter I is "S". But where is "S:"??? I could not see this volume S in My Computer??? All of the forensic tool like FTK Imager to the look for volume S.

So volume S is the shadow of volume C. That's means we got the chance to find the original content of data being modified or removed recently. Now this feature "System Protection" are disabled in default. I wonder why Microsoft change this feature. Is there any thing we could does to solve this issue? My suggestion is the IT administrators should use Group Policy to enable this feature so as to perserve and protect digit Al evidence.

---restore content ends---

"System Protection" is disabled in Win10 default settings