Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Forensic Analysis of Windows Restore Points

hiddenillusion
February 01, 2011
Technology
1
86

Forensic Analysis of Windows Restore Points

Presentation I gave in February of 2011 about Windows Restore Points

hiddenillusion

February 01, 2011
Tweet

More Decks by hiddenillusion

See All by hiddenillusion
Mo' Memory No' Problem
hiddenillusion
2
19k
What's going on out there?
hiddenillusion
2
370
Analyzing Malware with REMnux
hiddenillusion
2
1.1k

Other Decks in Technology

See All in Technology
Reducing Cross-Zone Egress at Spotify with Custom gRPC Load Balancing Recap
koh_naga
0
150
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
14
35k
SPI原点回帰論:事業課題とFour Keysの結節点を見出す実践的ソフトウェアプロセス改善 / DevOpsDays Tokyo 2024
visional_engineering_and_design
4
1.6k
Tableau事例紹介 / Tableau Case Study of Eureka
kazuya_araki_tokyo
1
170
マルチアカウント環境への発見的統制の導入
ch1aki
1
1.3k
オブザーバビリティの Primary Signals
onk
PRO
0
550
AWS を使う上で知っておきたいオンプレミス知識/aws-on-premise-essentials
emiki
1
4.2k
0→1開発における技術選定において一番大切なこと
bicstone
1
330
ここが嬉しいABAC ここが辛いよABAC #再解説+補足編
masahirokawahara
1
230
最近たまに見かけるTiDBってなんだ? - Findy
pingcap0315
2
630
小さな開発会社がWebサービスを作る理由
polidog
PRO
1
160
20240416_devopsdaystokyo
kzkmaeda
1
190

Featured

See All Featured
Bash Introduction
62gerente
604
210k
How to train your dragon (web standard)
notwaldorf
72
5.1k
Fontdeck: Realign not Redesign
paulrobertlloyd
76
4.9k
Building Effective Engineering Teams - LeadDev
addyosmani
27
1.8k
Build your cross-platform service in a week with App Engine
jlugia
225
17k
StorybookのUI Testing Handbookを読んだ
zakiyama
11
4.6k
GraphQLとの向き合い方2022年版
quramy
31
12k
Into the Great Unknown - MozCon
thekraken
10
980
Designing for humans not robots
tammielis
247
25k
Music & Morning Musume
bryan
41
5.6k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
15
1.4k
Code Reviewing Like a Champion
maltzj
513
39k

Transcript

  1. By: Glenn P. Edwards Jr. @hiddenillusion

  2.  “It provides a way to restore a system to

    a previously known good point that would otherwise require you to reinstall an application or even the entire operating system.” http://csit.udc.edu/~byu/UDC3529315/WindowsInternals-4e.pdf

  3.  Windows ME  Windows XP  Windows Vista 

    Windows 7 * Windows Server 2003 isn’t supported but can also have it installed.

  4.  Windows 2000  Windows Server 2008  FAT/FAT32 systems

     System Restore requires shadow copies.

  5.  Critical system files  Registry hives  Local profiles

    (not roaming)  WMI database  COM+ database  Windows File Protection DLL cache  ISS metabase file (If ISS is installed)  Files listed as include in the Monitored File Extensions list
  6. None

  7.  DRM settings  SAM hive*  WPA settings 

    User-created data stored in the user profile  Contents of redirected folders  HKLM\Software\WOW6432Node  Any file with an extension not listed in the Monitored File Extensions list

  8.  Every 24 hours  Certain software installations  Windows

    Update  When the user requests it  Unsigned driver installations http://www.mydigitallife.info/wp-content/uploads/2007/12/unsigned-driver-install.jpg

  9. %SystemRoot%\System Volume Information\_restore{XX-XXX-XXX } http://xpdrivers.com/wp-content/uploads/012111_0904_WindowsXPCr9.png

  10. None

  11. rp.log http://www.stevebunting.org/udpd4n6/forensics/registryhivefiles.jpg Registry hive files

  12. http://www.stevebunting.org/udpd4n6/forensics/filesrenamed.jpg change.log.x

  13. SYSTEM\Controlset00X\Control\BackupRestore HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore AsrKeysNotToRestor e FilesNotToBackup KeysNotToRestore DisableSR %SystemRoot%\System Volume

    Information\_restore{GUID}\fifo.log RPLifeInterval

  14. http://www.stevebunting.org/udpd4n6/forensics/images/eventlog.jpg

  15. • http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm • http://en.wikipedia.org/wiki/System_Restore • Windows Forensic Analysis by Harlan

    Carvey • Forensic Analysis of System Restore Points in Microsoft Windows XP by Kris Harms • http://www.mandiant.com/products/research/mandiant_restore_point_analyzer/download • Microsoft Windows Internals 4th Ed. By Mark Russinovich and David Soloman