Greetings,
I am searching for detailed information on the purpose and structure of the OBJECTS.DATA file, located in restore points (RPx) folders. After spending the better part of several days searching, the most informative source I have discovered exists in one line at the following Technet URL
My interest in this particular file has its origins in an examination I performed. In the exam, I searched for particular artifacts (executable files) and discovered detailed information such as name, path, hash, last run time, author, user, and product language embedded within the OBJECTS.DATA. While some of the actual artifacts did not exist on the system, the trail in this file provided excellent "fingerprinting" which I could use to flesh out a timeline analysis and reach other relevant conclusions. I have noticed in this and other examinations that the existence of these fingerprints seem to coincide with the presence of Client Configuratin Manager (CCM).
My goal is to gather the details (purpose, structure, OS interaction) of this file and provide a correlation as to when it might be a useful source of forensic artifacts. If anyone can offer assistance or guidance, I'd be grateful.
Thank you, in advance.
Anyone?
Bueller?….Bueller?
Welcome to the forensic community!
I haven't had an XP system to look at in quite some time, so I'd have to go back and find an image, see if it has the data you're referring to, and then take a look at the data. It might be helpful if you had something you could share.
Also, have you reached to anyone at Microsoft? If so, what did you find?
Okay, digging around a bit on Google, I found some things that may be of use to understanding, albeit not parsing, the objects.data file….
This file appears to be a CIM repository, associated with WMI
http//
Thanks for the link (and stepping up to the plate), Harlan. I will take a close look at the info.