±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 36783
New Yesterday: 2 Visitors: 114

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

System Restore

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts


System Restore

Post Posted: Oct 19, 16 15:15


I am working on a job where it is believed a user has conducted a system restore at some point prior to January 2016.

The OS is Windows 10 and I cannot VM the device.

My question is where might I find evidence that a system restore has been conducted?

Is there a particular Event ID to look for in logs? (if they go back this far)

If I were to boot up the computer should it tell me in system restore that I can "undo"/rollback the system restore if one has been done?

I will also be looking into system refresh/reset as there is some evidence this may have been used.


Page 1 of 1