Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Forensic Analysis of Windows Restore Points

hiddenillusion
February 01, 2011
Technology
1
93

Forensic Analysis of Windows Restore Points

Presentation I gave in February of 2011 about Windows Restore Points

hiddenillusion

February 01, 2011
Tweet

More Decks by hiddenillusion

See All by hiddenillusion
Mo' Memory No' Problem
hiddenillusion
2
19k
What's going on out there?
hiddenillusion
2
400
Analyzing Malware with REMnux
hiddenillusion
2
1.2k

Other Decks in Technology

See All in Technology
CyberAgent 生成AI Deep Dive with Amazon Web Services / genai-aws
cyberagentdevelopers
PRO
1
480
事業者間調整の行間を読む 調整の具体事例
sugiim
0
1.6k
プロダクト成長に対応するプラットフォーム戦略:Authleteによる共通認証基盤の移行事例 / Building an authentication platform using Authlete and AWS
kakehashi
1
160
急成長中のWINTICKETにおける品質と開発スピードと向き合ったQA戦略と今後の展望 / winticket-autify
cyberagentdevelopers
PRO
1
160
AWSコンテナ本出版から3年経った今、もし改めて執筆し直すなら / If I revise our container book
iselegant
15
4k
国土交通省 データコンペ参加者向け勉強会
takehikohashimoto
0
150
独自ツール開発でスタジオ撮影をDX!「VLS(Virtual LED Studio)」 / dx-studio-vls
cyberagentdevelopers
PRO
1
180
Forget efficiency – Become more productive without the stress
ufried
0
150
顧客が本当に必要だったもの - パフォーマンス改善編 / Make what is needed
soudai
24
6.8k
「最高のチューニング」をしないために / hack@delta 24.10
fujiwara3
21
3.5k
わたしとトラックポイント / TrackPoint tips
masahirokawahara
1
240
Vueで Webコンポーネントを作って Reactで使う / 20241030-cloudsign-vuefes_after_night
bengo4com
4
2.5k

Featured

See All Featured
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
32
1.8k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
7
150
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Typedesign – Prime Four
hannesfritz
39
2.4k
Become a Pro
speakerdeck
PRO
24
5k
Music & Morning Musume
bryan
46
6.1k
BBQ
matthewcrist
85
9.3k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
14
1.9k
Navigating Team Friction
lara
183
14k
Fontdeck: Realign not Redesign
paulrobertlloyd
81
5.2k
Testing 201, or: Great Expectations
jmmastey
38
7k

Transcript

  1. By: Glenn P. Edwards Jr. @hiddenillusion

  2.  “It provides a way to restore a system to

    a previously known good point that would otherwise require you to reinstall an application or even the entire operating system.” http://csit.udc.edu/~byu/UDC3529315/WindowsInternals-4e.pdf

  3.  Windows ME  Windows XP  Windows Vista 

    Windows 7 * Windows Server 2003 isn’t supported but can also have it installed.

  4.  Windows 2000  Windows Server 2008  FAT/FAT32 systems

     System Restore requires shadow copies.

  5.  Critical system files  Registry hives  Local profiles

    (not roaming)  WMI database  COM+ database  Windows File Protection DLL cache  ISS metabase file (If ISS is installed)  Files listed as include in the Monitored File Extensions list
  6. None

  7.  DRM settings  SAM hive*  WPA settings 

    User-created data stored in the user profile  Contents of redirected folders  HKLM\Software\WOW6432Node  Any file with an extension not listed in the Monitored File Extensions list

  8.  Every 24 hours  Certain software installations  Windows

    Update  When the user requests it  Unsigned driver installations http://www.mydigitallife.info/wp-content/uploads/2007/12/unsigned-driver-install.jpg

  9. %SystemRoot%\System Volume Information\_restore{XX-XXX-XXX } http://xpdrivers.com/wp-content/uploads/012111_0904_WindowsXPCr9.png

  10. None

  11. rp.log http://www.stevebunting.org/udpd4n6/forensics/registryhivefiles.jpg Registry hive files

  12. http://www.stevebunting.org/udpd4n6/forensics/filesrenamed.jpg change.log.x

  13. SYSTEM\Controlset00X\Control\BackupRestore HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore AsrKeysNotToRestor e FilesNotToBackup KeysNotToRestore DisableSR %SystemRoot%\System Volume

    Information\_restore{GUID}\fifo.log RPLifeInterval

  14. http://www.stevebunting.org/udpd4n6/forensics/images/eventlog.jpg

  15. • http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm • http://en.wikipedia.org/wiki/System_Restore • Windows Forensic Analysis by Harlan

    Carvey • Forensic Analysis of System Restore Points in Microsoft Windows XP by Kris Harms • http://www.mandiant.com/products/research/mandiant_restore_point_analyzer/download • Microsoft Windows Internals 4th Ed. By Mark Russinovich and David Soloman