Slide 1

By: Glenn P. Edwards Jr. @hiddenillusion

Slide 2

“It provides a way to restore a system to a previously known good point that would otherwise require you to reinstall an application or even the entire operating system.”
http://csit.udc.edu/~byu/UDC3529315/WindowsInternals-4e.pdf

Slide 3

• Windows ME
• Windows XP
• Windows Vista
• Windows 7

* Windows Server 2003 isn’t supported but can also have it installed.

Slide 4

• Windows 2000
• Windows Server 2008
• FAT/FAT32 systems

System Restore requires shadow copies.

Slide 5

• Critical system files
• Registry hives
• Local profiles (not roaming)
• WMI database
• COM+ database
• Windows File Protection DLL cache
• IIS metabase file (if IIS is installed)
• Files whose extensions are listed as included in the Monitored File Extensions list

Slide 6

No content

Slide 7

• DRM settings
• SAM hive*
• WPA settings
• User-created data stored in the user profile
• Contents of redirected folders
• HKLM\Software\WOW6432Node
• Any file with an extension not listed in the Monitored File Extensions list

Slide 8

• Every 24 hours
• Certain software installations
• Windows Update
• When the user requests it
• Unsigned driver installations

http://www.mydigitallife.info/wp-content/uploads/2007/12/unsigned-driver-install.jpg

Slide 9

%SystemRoot%\System Volume Information\_restore{XX-XXX-XXX}

http://xpdrivers.com/wp-content/uploads/012111_0904_WindowsXPCr9.png

Slide 10

No content

Slide 11

rp.log

Registry hive files
http://www.stevebunting.org/udpd4n6/forensics/registryhivefiles.jpg

Slide 12

change.log.x
http://www.stevebunting.org/udpd4n6/forensics/filesrenamed.jpg

Slide 13

SYSTEM\ControlSet00X\Control\BackupRestore
• AsrKeysNotToRestore
• FilesNotToBackup
• KeysNotToRestore

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
• DisableSR
• RPLifeInterval

%SystemRoot%\System Volume Information\_restore{GUID}\fifo.log
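Added example (Python, not code from the slides or from any tool they cite) tying together the rp.log record in each restore point folder (slide 11) and the RPLifeInterval aging that drives fifo.log purging (slide 13). The rp.log layout used here is the commonly documented one and is an assumption: a DWORD restore point type at offset 4, a NUL-terminated UTF-16LE description starting at offset 16, and the creation time as a FILETIME in the last 8 bytes. Treating RPLifeInterval as a lifetime in seconds with 7776000 (90 days) as the XP default is likewise stated as an assumption in the code. The sample rp.log is constructed inline, not captured from a system.

```python
"""Parse an XP-era System Restore rp.log record and apply the RPLifeInterval
aging rule to it. The field layout and the RPLifeInterval semantics below are
assumptions (commonly documented, not taken from the slides); the sample
record is constructed in this file."""
import struct
from datetime import datetime, timedelta

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1)

# Restore point types from srrestoreptapi.h; any other value is reported raw.
RP_TYPES = {
    0: "APPLICATION_INSTALL",
    1: "APPLICATION_UNINSTALL",
    10: "DEVICE_DRIVER_INSTALL",
    12: "MODIFY_SETTINGS",
    13: "CANCELLED_OPERATION",
}

# Assumed rp.log layout (see module docstring).
TYPE_OFFSET = 4    # DWORD restore point type
DESC_OFFSET = 16   # UTF-16LE, NUL-terminated description
FILETIME_LEN = 8   # trailing creation timestamp

# RPLifeInterval is assumed to be a lifetime in seconds; 7776000 s = 90 days.
DEFAULT_RP_LIFE_INTERVAL = 7776000


def filetime_to_datetime(ft: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_rp_log(data: bytes) -> dict:
    """Return type, description and creation time from one rp.log blob."""
    if len(data) < DESC_OFFSET + FILETIME_LEN:
        raise ValueError("rp.log too short to hold a header and a FILETIME")
    rp_type = struct.unpack_from("<I", data, TYPE_OFFSET)[0]
    # Description runs from offset 16 up to the trailing FILETIME; cut at the
    # first NUL and ignore any odd padding byte the decoder cannot pair.
    desc_raw = data[DESC_OFFSET:len(data) - FILETIME_LEN]
    desc = desc_raw.decode("utf-16-le", errors="ignore").split("\x00", 1)[0]
    ft = struct.unpack_from("<Q", data, len(data) - FILETIME_LEN)[0]
    return {
        "type": RP_TYPES.get(rp_type, f"unknown({rp_type})"),
        "description": desc,
        "created": filetime_to_datetime(ft),
    }


def is_expired(created: datetime, now: datetime,
               rp_life_interval: int = DEFAULT_RP_LIFE_INTERVAL) -> bool:
    """True when the restore point is older than RPLifeInterval at `now`."""
    return created + timedelta(seconds=rp_life_interval) < now


def build_rp_log(rp_type: int, description: str, created: datetime) -> bytes:
    """Writer for constructed test records, using the same assumed layout."""
    header = struct.pack("<IIQ", 0, rp_type, 0)            # 16 bytes, type at +4
    desc = description.encode("utf-16-le") + b"\x00\x00"    # NUL-terminated
    return header + desc + struct.pack("<Q", datetime_to_filetime(created))


# Constructed sample: a driver-install restore point created 2011-01-21 09:04.
SAMPLE_CREATED = datetime(2011, 1, 21, 9, 4, 0)
SAMPLE_RP_LOG = build_rp_log(10, "Installed Example Driver", SAMPLE_CREATED)
SAMPLE_NOW = datetime(2011, 6, 1)

if __name__ == "__main__":
    rp = parse_rp_log(SAMPLE_RP_LOG)
    print(rp)
    print("aged out at default RPLifeInterval:", is_expired(rp["created"], SAMPLE_NOW))
```

To run it against a real record, pass `open(path, "rb").read()` of an rp.log from an RPxx folder to `parse_rp_log`; types outside the srrestoreptapi.h set are left as raw numbers rather than guessed at. The aging check is the point a responder cares about: a restore point whose creation time is older than the RPLifeInterval value on the examined system would normally have been purged, so its presence (or the absence of newer ones) is worth explaining. The layout applies to the XP-era _restore{GUID} folders only; on Vista and 7 restore points are shadow copies, as slide 4 notes.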

Slide 14

http://www.stevebunting.org/udpd4n6/forensics/images/eventlog.jpg

Slide 15

• http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm
• http://en.wikipedia.org/wiki/System_Restore
• Windows Forensic Analysis by Harlan Carvey
• Forensic Analysis of System Restore Points in Microsoft Windows XP by Kris Harms
• http://www.mandiant.com/products/research/mandiant_restore_point_analyzer/download
• Microsoft Windows Internals, 4th Ed., by Mark Russinovich and David Solomon