Thursday, June 4, 2009

Restore Point and Forensics

Hello All,

Just a short update on Windows XP Restore Points and their use in a forensic investigation:

Windows XP periodically creates "Restore Points". Each restore point is kept in a numbered folder at the following location on every volume that System Restore monitors:

\System Volume Information\_restore{GUID}\RP### (### is a sequential number, incremented each time a restore point is created; the GUID is per volume)

Restore Points are created when one of the following conditions is met, either automatically or as a result of an action taken by the user or the system:

1>By default a restore point is created every 24 hours (when the system is idle), named "System Checkpoint".

2>One is created prior to (and in some cases after) the installation of a Windows Update, patch or hotfix.

3>One is often created when a user installs software, since Windows Installer and many setup programs request a restore point before making changes.

4>Finally, one is created whenever new hardware is added and a device driver is installed on the system.

There may be other triggers which I am not fully aware of or have not come across.

Now, how can the above help in an ongoing forensic investigation?

Well,

1>Check the System event log on the image in question for Event ID 110 from the source srservice (System Restore), which records that a restore to a named restore point completed successfully. This matters because a restore run shortly before the machine was seized changes the files and registry state you are looking at, so you want to know whether one happened and when.

2>Check the following files relevant to System Restore: a>rp.log, b>change.log (change.log.N), c>fifo.log

rp.log sits inside each RP### folder and records the restore point's description (for example "System Checkpoint") and its creation time.

The change.log files in each RP### folder are important because they map the original names of the files that System Restore backed up to the renamed copies (A#######.ext) stored in that restore point folder, which is what lets you recover a file's earlier version from the restore point.

fifo.log, at the root of the _restore{GUID} folder, records the deletion time and the number "RP###" of each restore point that was purged when the oldest points were removed to make room.

Restore Points are kept for 90 days by default (the RPLifeInterval value, 7776000 seconds); the oldest are also purged earlier if the disk space allotted to System Restore (DiskPercent, 12% of the volume by default) runs out, so the actual retention depends on how System Restore is configured.

System Restore can be disabled by an Administrator, either for a single drive or altogether. Note that turning it off deletes all existing restore points on the affected drive, which is a good reason to image the disk before touching the configuration.

An Administrator can also create a restore point manually through the System Restore wizard.

\System Volume Information\_restore{GUID}\RP### is not accessible with the default NTFS permissions to an Administrator or to a normal user; only the SYSTEM account has access. On a live system an Administrator has to take ownership or add an ACE first; on an image the folder can be read directly.

The registry settings for System Restore are at:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore

Values of interest there include DisableSR (1 = disabled), RPGlobalInterval (seconds between automatic checkpoints, default 86400 = 24 hours), RPLifeInterval (seconds a restore point is kept, default 7776000 = 90 days) and DiskPercent (share of the volume System Restore may use, default 12).
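To tie the folder layout, rp.log, the 90-day lifetime and the RPLifeInterval setting together, here is an added Python example (mine, not code from the original post) that walks a _restore{GUID} tree from an image, lists the RP### folders in sequence, reads the description and creation time from each rp.log, flags gaps in the RP numbering (candidates for purged restore points, to be compared against fifo.log) and flags points older than RPLifeInterval. The rp.log layout it assumes (a 16-byte header, the description as a NUL-terminated UTF-16LE string in a 512-byte buffer at offset 0x10, the creation time as a 64-bit FILETIME in the last 8 bytes) is an assumption of the example, not something the post states; the sample tree, its GUID and its dates are constructed so the code runs offline.

```python
import os
import re
import struct
import tempfile
from datetime import datetime, timedelta

# ASSUMED rp.log layout (not stated in the post): 16-byte header, then a
# NUL-terminated UTF-16LE description in a 512-byte buffer at offset 0x10,
# and the creation time as a 64-bit FILETIME in the last 8 bytes.
RPLOG_DESC_OFFSET = 0x10
RPLOG_DESC_BYTES = 512
FILETIME_EPOCH = datetime(1601, 1, 1)
# Default RPLifeInterval from the SystemRestore registry key: 90 days.
DEFAULT_RP_LIFE_INTERVAL = 90 * 24 * 3600   # 7776000 seconds
RP_DIR = re.compile(r"^RP(\d+)$")


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample files."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_rp_log(data):
    """Description and creation time from the raw bytes of one rp.log."""
    if len(data) < RPLOG_DESC_OFFSET + RPLOG_DESC_BYTES + 8:
        raise ValueError("rp.log shorter than the assumed layout")
    raw = data[RPLOG_DESC_OFFSET:RPLOG_DESC_OFFSET + RPLOG_DESC_BYTES]
    desc = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    (ft,) = struct.unpack("<Q", data[-8:])
    return {"description": desc, "created": filetime_to_datetime(ft)}


def enumerate_restore_points(restore_root):
    """RP### folders under _restore{GUID}, in sequence order, with rp.log data."""
    points = []
    for name in os.listdir(restore_root):
        m = RP_DIR.match(name)
        if not m:
            continue
        entry = {"number": int(m.group(1)), "folder": name,
                 "description": None, "created": None}
        rp_log = os.path.join(restore_root, name, "rp.log")
        if os.path.isfile(rp_log):
            with open(rp_log, "rb") as f:
                entry.update(parse_rp_log(f.read()))
        points.append(entry)
    points.sort(key=lambda e: e["number"])
    return points


def find_gaps(points):
    """Sequence numbers missing between the lowest and highest RP###: the
    candidates for restore points purged by FIFO (check fifo.log) or by hand."""
    present = {p["number"] for p in points}
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def expired_points(points, now, rp_life_interval=DEFAULT_RP_LIFE_INTERVAL):
    """Restore points older than RPLifeInterval seconds at time `now`."""
    return [p for p in points if p["created"] is not None
            and (now - p["created"]).total_seconds() > rp_life_interval]


def _make_rp_log(description, created):
    """Build an rp.log in the assumed layout (sample data only)."""
    desc = description.encode("utf-16-le")[:RPLOG_DESC_BYTES - 2]
    desc = desc.ljust(RPLOG_DESC_BYTES, b"\x00")
    return (b"\x00" * RPLOG_DESC_OFFSET + desc
            + struct.pack("<Q", datetime_to_filetime(created)))


def build_sample_tree(base):
    """Constructed sample tree (GUID and dates are made up). RP14 is left out
    on purpose to stand in for a restore point that was purged."""
    root = os.path.join(base, "System Volume Information",
                        "_restore{00000000-0000-0000-0000-000000000000}")
    sample = {12: ("System Checkpoint", datetime(2009, 3, 1, 3, 0, 0)),
              13: ("Installed Windows Update", datetime(2009, 4, 10, 9, 15, 0)),
              15: ("Installed Example App", datetime(2009, 6, 3, 18, 42, 0))}
    for number, (desc, created) in sample.items():
        folder = os.path.join(root, "RP%d" % number)
        os.makedirs(folder)
        with open(os.path.join(folder, "rp.log"), "wb") as f:
            f.write(_make_rp_log(desc, created))
    return root


def demo(now=datetime(2009, 6, 4, 0, 0, 0)):
    """Build the sample tree in a temp dir and summarise what an examiner sees."""
    points = enumerate_restore_points(build_sample_tree(tempfile.mkdtemp()))
    return {"numbers": [p["number"] for p in points],
            "descriptions": [p["description"] for p in points],
            "created": [p["created"].isoformat() for p in points],
            "gaps": find_gaps(points),
            "expired": [p["number"] for p in expired_points(points, now)]}


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-12s %s" % (key, value))
```

On a real image, point enumerate_restore_points at the extracted _restore{GUID} folder and pass the RPLifeInterval value read from the SOFTWARE hive instead of the default, then reconcile the gaps it reports against fifo.log.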

If you have any other inputs to add, or anything I have missed, please feel free to comment.

I need all your comments.

Thanks

Nitin Kushwaha

CHFI.CEH.SCSCA.CIW-SA.MCSE.MCSA.MCP.ITIL.CCLA.CCHA.CCSECA.CCW2K
