Restore Point Forensics Notes for the Forensic Processing of Windows XP Restore Points

Source: Internet
Uploader: User

Beginning with Windows ME & XP, Windows started a process of creating "Restore Points".  These restore points are contained in numbered folders in the folder:

\System Volume Information\_restore{GUID}\RP##  (where ## are sequential numbers assigned as restore points are created)

Notes: 

The user can't access folders and files below "\System Volume Information" through the Explorer interface under the default ACL permissions.
This is true even with administrator rights and with hidden / system files set to be visible.
This makes it very difficult for the average user to access, manipulate, or delete these files!

 

The purpose of these restore points is to allow the user to recover to a specific point in time on which a restore point was created. 

The typical user interface is located at Start > Program Files > Accessories > System Tools > System Restore. 

From this interface (shown below), the user may create restore points or recover to specific dates and times.

System Restore Point settings are found in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore

Restore points are created, by default, every 24 hours (XP), as set in the following value:
Value Name: RPGlobalInterval  DWORD Data = 86400  (seconds; 24 hrs = 86,400 seconds)
Note: ME creates one every 10 hours of computer use or 24 hours of calendar time!

Restore points are retained, by default, for 90 days, as set in the following value:
Value Name: RPLifeInterval  DWORD Data = 7776000  (seconds; 90 days = 7,776,000 seconds)
Note: As System Restore is limited to 12% of the system hard drive, this can be more limiting than the 90-day limit.

System Restore may be disabled, as set in the following value:
Value Name: DisableSR  DWORD Data = 0  (default, meaning System Restore is enabled; 1 means the user has disabled System Restore)
Note: If the system drive has less than 200 MB of free space, System Restore automatically disables itself.

Restore points are deleted on a "first in, first out" basis.  This deletion process is tracked by a file named fifo.log in the root of the folder
\System Volume Information\_restore{GUID}\.  This file is a plain text file, listing:
Dates / times of deletions
Restore points deleted

Regarding restore point names:
When restore points are created on schedule (default = 24 hours), they are named "System CheckPoint".  This name appears in the user interface.
The restore point "name" is stored in and read from the file "rp.log" found in the root of its "RP##" folder.
The restore point name is stored starting at byte offset 16 of the "rp.log" file.
If software is installed, a restore point is often created.
The name of the installed software is the name of the restore point and can be seen in the user interface above.
A user can manually create restore points, and the user-provided name is stored in this same location.
The last 8 bytes of the rp.log file are a Windows 64-bit timestamp indicating when the restore point was created.
Note: Restore points are also created prior to the installation of any Windows Automatic Updates.
Note: Restore points are also created prior to the installation of software or unsigned device drivers and will be named accordingly.
 
Restore point files are created as "snapshots" of the files necessary to restore a system to a given point.  Regarding those files:
Files other than registry files are stored in the root of the "RP##" folder and renamed.  They appear as A#######.ext
The "#######" are numeric, and "ext" is the original extension, which remains unchanged.

These renamed files are tracked in the "change.log" files.  Search there for the file name of interest; the original path precedes the file name in each entry.

Restore point snapshots capture the registry hive files.  The following apply:
They are stored in a subfolder under the "RP##" folder, named "Snapshot".
The file MAC times indicate the time the RP was created / last written.
Original hive file names have been modified using prefixes:
_REGISTRY_MACHINE_  for machine-level registry hive files
_REGISTRY_USER_  for user-level registry hive files, suffixed with the user's SID
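As an added example (not part of the original notes), the following Python classifies the entries of one RP## folder using the naming rules above: renamed A#######.ext files in the root, and hive files under the Snapshot subfolder carrying the _REGISTRY_MACHINE_ / _REGISTRY_USER_ prefixes and the SID suffix. The directory listing and the hive base names in it (SOFTWARE, SYSTEM, NTUSER, .DEFAULT) are constructed sample input, and the S-1-5-... shape of the SID suffix is an assumption about how that suffix is formatted.

```python
import re
from collections import defaultdict

# Renamed non-registry files in the RP## root: "A" + seven digits + original extension.
RENAMED_FILE_RE = re.compile(r"^A\d{7}\.(?P<ext>[^./\\]+)$", re.IGNORECASE)
# Snapshot hive names, per the prefixes described in the notes.
MACHINE_HIVE_RE = re.compile(r"^_REGISTRY_MACHINE_(?P<hive>.+)$")
# Assumption: the user SID suffix has the usual S-1-5-... shape.
USER_HIVE_SID_RE = re.compile(r"^_REGISTRY_USER_(?P<hive>.+?)_(?P<sid>S-\d+(?:-\d+)+)$")
USER_HIVE_RE = re.compile(r"^_REGISTRY_USER_(?P<hive>.+)$")


def classify_entry(relpath: str) -> dict:
    """Classify one path relative to an RP## folder (forward or back slashes)."""
    parts = relpath.replace("\\", "/").strip("/").split("/")
    name = parts[-1]
    parent = parts[-2].lower() if len(parts) > 1 else ""
    lower = name.lower()

    if len(parts) == 1:
        if lower == "rp.log":
            return {"kind": "rp_log"}
        if lower.startswith("change.log"):
            return {"kind": "change_log"}
        m = RENAMED_FILE_RE.match(name)
        if m:
            return {"kind": "renamed_file", "ext": m["ext"].lower()}
    elif parent == "snapshot":
        m = MACHINE_HIVE_RE.match(name)
        if m:
            return {"kind": "machine_hive", "hive": m["hive"]}
        m = USER_HIVE_SID_RE.match(name)
        if m:
            return {"kind": "user_hive", "hive": m["hive"], "sid": m["sid"]}
        m = USER_HIVE_RE.match(name)
        if m:
            # User hive without a SID suffix (e.g. the .DEFAULT profile in the sample).
            return {"kind": "user_hive", "hive": m["hive"], "sid": None}
    return {"kind": "other"}


def summarize(listing) -> dict:
    """Count renamed files by extension and group snapshot hives by owner (MACHINE or SID)."""
    summary = {
        "renamed_files": 0,
        "extensions": defaultdict(int),
        "hives": defaultdict(list),
        "other": [],
    }
    for relpath in listing:
        entry = classify_entry(relpath)
        kind = entry["kind"]
        if kind == "renamed_file":
            summary["renamed_files"] += 1
            summary["extensions"][entry["ext"]] += 1
        elif kind == "machine_hive":
            summary["hives"]["MACHINE"].append(entry["hive"])
        elif kind == "user_hive":
            summary["hives"][entry["sid"] or "(no SID)"].append(entry["hive"])
        elif kind == "other":
            summary["other"].append(relpath)
    return summary


# Constructed sample listing of one RP## folder (not taken from a real system).
SAMPLE_LISTING = [
    "rp.log",
    "change.log",
    "A0001234.exe",
    "A0001235.dll",
    "A0001236.txt",
    "snapshot/_REGISTRY_MACHINE_SOFTWARE",
    "snapshot/_REGISTRY_MACHINE_SYSTEM",
    "snapshot/_REGISTRY_USER_NTUSER_S-1-5-21-1000-2000-3000-1001",
    "snapshot/_REGISTRY_USER_.DEFAULT",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LISTING)
    print("renamed files:", result["renamed_files"], dict(result["extensions"]))
    for owner, hives in result["hives"].items():
        print(owner, "->", ", ".join(hives))
```

Grouping hives by SID is what makes the output useful: each user-level hive in the snapshot is tied to the account it belonged to at the time the restore point was taken, so an examiner can pick the right NTUSER copy before mounting it in EnCase or Registry Viewer.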

    
In EnCase, mount any of these hive files by right clicking on them and choosing "View File Structure"
Use EnCase 5 conditions and queries to quickly locate registry hive files, both regular and restore point versions
Import this condition into EnCase 5  conditions to find restore point registry files
Import this query into EnCase 5  queries to find both regular and restore point hive files (depends on prior condition to work!)
 
Those of you using Access Data's Registry Viewer will be pleased to know that it opens restore point registries as they are named.

 

 

System Restore Information

The question is often asked, "If I create a restore point, install software, do a bad deed, and then restore the system to the original state, is the evidence of the software installation gone?"  The answer is yes and no!  The answer is "Yes" if you are looking at the current mounted registry for the information.  The answer is "No" if you are looking at the registry within a specific restore point.

When a system is restored using "System Restore", before reverting back to the chosen restore point, system restore creates yet another restore point capturing a snapshot of the system before the system restore.  This restore point will be named "Restore Operation", which can be found at byte offset 2 in the "rp.log" file.  It is this restore point that will contain the software binaries and the registry information as it was at the time of the "bad deed". 

If you know when the bad deed occurred, you could go directly to the restore points created around that time.  If you had no idea when or if such an event occurred, you could search all "rp.log" files for the string "Restore Operation".  Once found, simply mount the registry files and begin your examination.  Remember to look for the renamed program binaries as well.

Another forensic bonus lies in the fact that "system restorals" are recorded in the Windows event logs.  Windows XP logging may be dismal out of the box, but certain events are recorded regardless, and system restorals are one of them.  The event record will be found in the system event log file and will appear as event ID "110".  Thus you can filter your system event log files for event ID "110" and determine when the system was restored.
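Putting the rp.log layout described earlier (name at byte offset 16, 64-bit timestamp in the last 8 bytes) to use for the "Restore Operation" search above, here is an added Python example that is not part of the original notes. It parses a set of rp.log files, flags the restore points named "Restore Operation", and orders them by creation time. It follows the offset-16 statement from the earlier section; the UTF-16LE encoding of the name and the FILETIME interpretation of the timestamp are assumptions, and the sample rp.log files are constructed here, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

NAME_OFFSET = 16        # restore point name starts here (per the notes above)
TIMESTAMP_SIZE = 8      # last 8 bytes: Windows 64-bit creation timestamp
# Assumption: the timestamp is a FILETIME, 100 ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert FILETIME ticks to a timezone-aware datetime (microsecond precision)."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_rp_log(data: bytes) -> dict:
    """Return the restore point name and creation time from the bytes of one rp.log."""
    if len(data) < NAME_OFFSET + TIMESTAMP_SIZE:
        raise ValueError("rp.log is shorter than the fixed header plus timestamp")
    raw_name = data[NAME_OFFSET:-TIMESTAMP_SIZE]
    # Assumption: the name is NUL-terminated UTF-16LE (the notes give only the offset).
    name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    (ft,) = struct.unpack("<Q", data[-TIMESTAMP_SIZE:])
    return {"name": name, "created": filetime_to_datetime(ft)}


def find_restore_operations(rp_logs: dict) -> list:
    """rp_logs maps an RP## folder name to its rp.log bytes; returns hits oldest first."""
    hits = []
    for folder, data in rp_logs.items():
        info = parse_rp_log(data)
        if info["name"] == "Restore Operation":
            hits.append((folder, info["created"]))
    return sorted(hits, key=lambda hit: hit[1])


def load_rp_logs(restore_dir) -> dict:
    """Read every RP*/rp.log below an _restore{GUID} folder (e.g. from a mounted image)."""
    return {p.parent.name: p.read_bytes() for p in Path(restore_dir).glob("RP*/rp.log")}


def build_rp_log(name: str, created: datetime) -> bytes:
    """Constructed sample builder: 16-byte header, UTF-16LE name, trailing FILETIME."""
    ticks = ((created - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return (b"\x00" * NAME_OFFSET
            + name.encode("utf-16-le") + b"\x00\x00"
            + struct.pack("<Q", ticks))


# Constructed sample restore points (not from a real system).
SAMPLE_RP_LOGS = {
    "RP12": build_rp_log("System CheckPoint", datetime(2006, 3, 1, 8, 0, tzinfo=timezone.utc)),
    "RP13": build_rp_log("Installed Example Tool", datetime(2006, 3, 2, 9, 30, tzinfo=timezone.utc)),
    "RP14": build_rp_log("Restore Operation", datetime(2006, 3, 3, 10, 15, tzinfo=timezone.utc)),
    "RP15": build_rp_log("System CheckPoint", datetime(2006, 3, 4, 8, 0, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for folder, created in find_restore_operations(SAMPLE_RP_LOGS):
        print(f"{folder}: Restore Operation created {created.isoformat()}")
```

Because the live folder under "\System Volume Information" is not reachable through Explorer under the default ACLs, `load_rp_logs` is meant to be pointed at a mounted forensic image or an exported copy of the _restore{GUID} tree. Each hit it returns is an RP## folder whose renamed binaries and Snapshot hives describe the system as it stood just before a restore was performed.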
