Does anyone know of a tool or EnScript that will interpret restore points on a Vista OS?
I recovered a notable image through an image header search and I need to establish the original path and file details.
I know there is an EnScript for XP and I have rolled back the EnCase image using VM-Ware but once it's rolled back it's a bit of a needle in a haystack.
Can anyone help please?
shadow explorer - http//
Is that ok?
Sorry I should have clarified that my forensic machine is running XP but the suspect machine being investigated is Vista and therefore Shadow Explorer doesn't work.
Restore Points or Volume Shadow Copies?
This doesn't do you any good at the moment, but Mark McKinnon and Lee Whitfield will be releasing
Full disclosure in that I'm friends with both the authors and I'm doing some beta testing on the product, but I'm confident this is going to be a great tool.
Now as far as your immediate need…it's a bit involved compared to having a nice tool that does a lot of this work for you, but we're forensicators so we have to improvise, adapt and overcome all the time. Rob Lee has written several
Just to be clear here, I think she is asking about Restore Points, not Volume Shadow Copies.
As Rob Lee has pointed out, your approach should be building a timeline when doing snapshot/restore point/shadow copy analysis. With the way most OSs are configured now and the increased use of VMs, this is going to be an important technique, as snapshots are inherent to most of these builds.
Do also check out Lee Whitfield's blog on the subject
And Lance Muller's EnScript
Can you create a bootable VM of the suspect disk image and use Shadow Explorer in that?
I'm going to give that a try in the morning and see what the outcome is. Put the exe onto a USB stick and go from there. Thanks for the suggestion.
Just to be clear here, I think she is asking about Restore Points, not Volume Shadow Copies.
Er… Volume Shadow Copies (difference files) ARE the restore points in Windows Vista.
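Since the Vista restore points are Volume Shadow Copies, they can be enumerated and browsed from inside the booted suspect VM with the built-in tools alone, without Shadow Explorer. The following batch script is an added example, not code from any of the posters above: it lists the shadow copies with vssadmin, exposes each one as a directory under an assumed mount root (C:\vsc), and then searches every snapshot for JPEGs whose byte size matches the carved file, which is the quickest first filter for recovering the original path. The mount root and the use of a size match are assumptions; run it from an elevated cmd.exe with the carved file's size in bytes as the single argument.

```batch
@echo off
rem Added example (not from the original thread): browse Vista restore points
rem (Volume Shadow Copies) from inside the booted suspect VM using only built-in
rem tools. Usage, from an elevated cmd.exe:  findvsc.cmd <carved-file-size-in-bytes>
setlocal enabledelayedexpansion

if "%~1"=="" (
    echo Usage: %~nx0 ^<carved-file-size-in-bytes^>
    exit /b 1
)
set SIZE=%~1

rem Assumed mount root; each snapshot becomes %MOUNTROOT%\vscN
set MOUNTROOT=C:\vsc
if not exist "%MOUNTROOT%" mkdir "%MOUNTROOT%"

rem vssadmin prints one line per snapshot of the form
rem     Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
rem so the device path is the fourth whitespace-separated token.
set N=0
for /f "tokens=4" %%D in ('vssadmin list shadows ^| findstr /c:"Shadow Copy Volume:"') do (
    set /a N+=1
    rem mklink requires the trailing backslash on the device path
    mklink /d "%MOUNTROOT%\vsc!N!" "%%D\" >nul
    echo Linked snapshot !N! -^> %%D
)
echo %N% shadow copies linked under %MOUNTROOT%

rem Walk every snapshot and report JPEGs whose size equals the carved file's size.
rem %%~zF expands to the file size in bytes.
echo Candidates matching %SIZE% bytes:
for /r "%MOUNTROOT%" %%F in (*.jpg *.jpeg) do (
    if %%~zF EQU %SIZE% echo   %%F
)
endlocal
```

A size match only narrows the field; confirm each candidate by hashing it against the carved image before recording the path. The directory links are only valid while the snapshot exists, so note the snapshot's creation time from the vssadmin output alongside the path, since that timestamp is what places the file in your timeline.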