I am working on a job where it is believed a user has conducted a system restore at some point prior to January 2016.
The OS is Windows 10 and I cannot VM the device.
My question is where might I find evidence that a system restore has been conducted?
Is there a particular Event ID to look for in logs (if they go back this far)?
If I were to boot up the computer, should it tell me in System Restore that I can "undo"/roll back the system restore if one has been done?
I will also be looking into system refresh/reset as there is some evidence this may have been used.