Restore Point Forensics

Notes for the Forensic Processing of Windows XP Restore Points

System Restore Information

Beginning with Windows ME and XP, Windows started creating "Restore Points". These restore points are contained in numbered folders under:

\System Volume Information\_restore{GUID}\RP##  (where ## is a sequential number assigned as each restore point is created)

Notes:

- The user can't access folders and files below "\System Volume Information" through the Explorer interface under the default ACL permissions.
- This is true even with administrator rights and with hidden / system files set to be visible.
- This makes it very difficult for the average user to access, manipulate, or delete these files!

 

The purpose of these restore points is to allow the user to recover to a specific point in time on which a restore point was created. 

The typical user interface is located at Start > Program Files > Accessories > System Tools > System Restore. 

From this interface (shown below), the user may create restore points or recover to specific dates and times.

System Restore settings are found in the following registry key:

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore

Restore points are created, by default, every 24 hours (XP), as set in the following value:

- Value Name: RPGlobalInterval, DWORD data = 86400 (seconds; 24 hours = 86,400 seconds)
- Note: ME creates one every 10 hours of computer use or 24 hours of calendar time!

Restore points are retained, by default, for 90 days, as set in the following value:

- Value Name: RPLifeInterval, DWORD data = 7776000 (seconds; 90 days = 7,776,000 seconds)
- Note: As System Restore is limited to 12% of the system hard drive, that space cap can be more limiting than the 90 day limit.

System Restore may be disabled, as set in the following value:

- Value Name: DisableSR, DWORD data = 0 (default; System Restore enabled) or 1 (the user has disabled System Restore)
- Note: If the system drive has less than 200 MB of free space, System Restore disables itself automatically.

Restore points are deleted on a "first in, first out" basis. This deletion process is tracked by a file named fifo.log in the root of the folder \System Volume Information\_restore{GUID}\. This is a plain text file listing:

- Dates / times of deletions
- Restore points deleted
Regarding restore point names:

- When restore points are created on schedule (default = 24 hours), they are named "System CheckPoint". This name appears in the user interface.
- The restore point "name" is stored in, and read from, the file "rp.log" found in the root of its "RP##" folder.
- The restore point name is stored starting at byte offset 16 of the "rp.log" file.
- If software is installed, a restore point is often created.
- The name of the software installed becomes the name of the restore point and can be seen in the user interface above.
- A user can manually create restore points; the user-provided name is stored in this same location.
- The last 8 bytes of the rp.log file are a Windows 64-bit timestamp indicating when the restore point was created.
- Note: Restore points are also created prior to the installation of any Windows Automatic Updates.
- Note: Restore points are also created prior to the installation of software or unsigned device drivers and will be named accordingly.
 
Restore point files are created as "snapshots" of the files necessary to restore a system to a given point. Regarding those files:

- Files other than registry files are stored in the root of the "RP##" folder and renamed. They appear as A#######.ext
- The "#######" is numeric and "ext" is the original extension, which remains unchanged.
- These renamed files are tracked in the "change.log" files. Search for the file name of interest; the original path precedes the file name.
 
 
Restore point snapshots capture the registry hive files. The following apply:

- They are stored in a subfolder under the "RP##" folder, named "Snapshot".
- The file MAC times indicate the time the RP was created / last written.
- Original hive file names have been modified using prefixes:
  - _REGISTRY_MACHINE_ for machine level registry hive files
  - _REGISTRY_USER_ for user level registry hive files, suffixed with the user's SID
- In EnCase, mount any of these hive files by right clicking on them and choosing "View File Structure".
- Use EnCase 5 conditions and queries to quickly locate registry hive files, both regular and restore point versions:
  - Import this condition into EnCase 5 conditions to find restore point registry files.
  - Import this query into EnCase 5 queries to find both regular and restore point hive files (depends on the prior condition to work!).
- Those of you using AccessData's Registry Viewer will be pleased to know that it opens restore point registries as they are named.

 

 

System Restore Information

The question is often asked, "If I create a restore point, install software, do a bad deed, and then restore the system to the original state, is the evidence of the software installation gone?"  The answer is yes and no!  The answer is "Yes" if you are looking at the currently mounted registry for the information.  The answer is "No" if you are looking at the registry within a specific restore point.

When a system is restored using "System Restore", before reverting to the chosen restore point, System Restore creates yet another restore point capturing a snapshot of the system as it was just before the restore.  This restore point is named "Restore Operation", which can be found at byte offset 2 in the "rp.log" file.  It is this restore point that contains the software binaries and the registry information as they were at the time of the "bad deed".

If you know when the bad deed occurred, you can go directly to the restore points created around that time.  If you have no idea when or whether such an event occurred, search all "rp.log" files for the string "Restore Operation".  Once found, simply mount the registry files and begin your examination.  Remember to look for the renamed program binaries as well.

Another forensic bonus is that system restorals are recorded in the Windows event logs.  Although Windows XP logging is dismal out of the box, certain events are recorded regardless, and system restorals are one of them.  The event record is found in the system event log and appears as event ID "110".  Thus you can filter the system event log for event ID "110" to determine when the system was restored.
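The rp.log layout described earlier (name at byte offset 16, creation FILETIME in the last 8 bytes) and the "Restore Operation" sweep described here, worked through as an added example that is not part of the original page. It assumes the name is stored as a NUL-terminated UTF-16LE string (the page does not state the encoding) and builds a constructed RP## tree in a temp directory so it runs offline.

```python
import os
import struct
import tempfile
from datetime import datetime, timedelta, timezone

NAME_OFFSET = 16   # page: restore point name begins at byte offset 16 of rp.log
FILETIME_LEN = 8   # page: last 8 bytes are a 64-bit Windows timestamp (FILETIME)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_rp_log(data):
    """Return (name, created_utc). Assumption: name is NUL-terminated UTF-16LE."""
    if len(data) < NAME_OFFSET + FILETIME_LEN:
        raise ValueError("rp.log too short to hold a name and a timestamp")
    raw_name = data[NAME_OFFSET:-FILETIME_LEN]
    name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    (ft,) = struct.unpack("<Q", data[-FILETIME_LEN:])
    return name, filetime_to_datetime(ft)

def build_rp_log(name, created_utc):
    """Constructed sample rp.log: 16 zero bytes, UTF-16LE name, NUL padding, FILETIME."""
    ft = ((created_utc - EPOCH_1601) // timedelta(microseconds=1)) * 10
    body = (name.encode("utf-16-le") + b"\x00\x00").ljust(96, b"\x00")
    return b"\x00" * NAME_OFFSET + body + struct.pack("<Q", ft)

def find_restore_operations(restore_root):
    """Scan every RP##\\rp.log under a _restore{GUID} folder for 'Restore Operation'."""
    hits = []
    for entry in sorted(os.listdir(restore_root)):
        rp_log = os.path.join(restore_root, entry, "rp.log")
        if not entry.upper().startswith("RP") or not os.path.isfile(rp_log):
            continue
        with open(rp_log, "rb") as fh:
            name, created = parse_rp_log(fh.read())
        if name == "Restore Operation":
            hits.append((entry, created))
    return hits

def demo():
    """Build a constructed restore-point tree in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    samples = {"RP10": ("System CheckPoint", datetime(2006, 3, 1, 9, 0, tzinfo=timezone.utc)),
               "RP11": ("Installed SomeTool", datetime(2006, 3, 2, 10, 30, tzinfo=timezone.utc)),
               "RP12": ("Restore Operation", datetime(2006, 3, 3, 8, 15, tzinfo=timezone.utc))}
    for rp, (name, when) in samples.items():
        os.makedirs(os.path.join(root, rp))
        with open(os.path.join(root, rp, "rp.log"), "wb") as fh:
            fh.write(build_rp_log(name, when))
    return find_restore_operations(root)
```

Pointing find_restore_operations at a mounted image's _restore{GUID} folder lists each "Restore Operation" point with its creation time, which is the point to mount first when hunting for the pre-restore state.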

 

 

This web site was created to provide assistance to computer forensics examiners engaging in cyber-crime investigations.  This field is rapidly evolving and changing as technology marches forward.  It is, therefore, intended to be a growing and evolving resource.  As you conduct your examinations and investigations, if you encounter information, links, or have suggestions that would help others, please let me know so I can add it to this site.  My email address is sbunting@udel.edu .  Thank you.

This site created and maintained by: 
Steve Bunting
Email: sbunting@udel.edu