
System Restore  

Christ143uk
(@christ143uk)
Junior Member

Hi,

I am working on a job where it is believed a user has conducted a system restore at some point prior to January 2016.

The OS is Windows 10 and I cannot VM the device.

My question is where might I find evidence that a system restore has been conducted?

Is there a particular Event ID to look for in logs? (if they go back this far)

If I were to boot up the computer, should it tell me in System Restore that I can "undo"/roll back the system restore if one has been done?

I will also be looking into system refresh/reset as there is some evidence this may have been used.

Thanks

Posted : 19/10/2016 4:15 pm