Vista Restore Points

sheona_17dec
(@sheona_17dec)
Active Member
Joined: 17 years ago
Posts: 19
Topic starter  

Does anyone know of a tool or EnScript that will interpret restore points on a Vista OS?

I recovered a notable image through an image header search and I need to establish the original path and file details.

I know there is an EnScript for XP and I have rolled back the EnCase image using VM-Ware but once it's rolled back it's a bit of a needle in a haystack.

Can anyone help please?
(@mobileforensicswales)
Reputable Member
Joined: 17 years ago
Posts: 274
 

http://www.theregister.co.uk/2010/06/30/shadow_analyser_digital_forensics/

Shadow Explorer - http://www.shadowexplorer.com/

Is that ok?
sheona_17dec
(@sheona_17dec)
Active Member
Joined: 17 years ago
Posts: 19
Topic starter  

Sorry I should have clarified that my forensic machine is running XP but the suspect machine being investigated is Vista and therefore Shadow Explorer doesn't work.
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Restore Points or Volume Shadow Copies?
ehuber
(@ehuber)
Trusted Member
Joined: 17 years ago
Posts: 91
 

This doesn't do you any good at the moment, but Mark McKinnon and Lee Whitfield will be releasing Shadow Analyzer relatively soon, I think. There was an article in The Register on it not that long ago.

Full disclosure in that I'm friends with both the authors and I'm doing some beta testing on the product, but I'm confident this is going to be a great tool.

Now as far as your immediate need… it's a bit involved compared to having a nice tool that does a lot of this work for you, but we're forensicators so we have to improvise, adapt and overcome all the time. Rob Lee has written several articles over at the SANS Forensic Blog on how to get this done.
Chris_Ed
(@chris_ed)
Reputable Member
Joined: 16 years ago
Posts: 314
 

Restore Points or Volume Shadow Copies?

Does anyone know of a tool or EnScript that will interpret restore points on a Vista OS?

Just to be clear here, I think she is asking about Restore Points, not Volume Shadow Copies.
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

As Rob Lee has pointed out, your approach should be building a timeline when doing snapshot/restore point/shadow copy analysis. With the way most OSes are configured now and the increased use of VMs, this is going to be an important technique, as snapshots are inherent to most of these builds.

Do also check out Lee Whitfield's blog on the subject:
http://forensic4cast.com/2010/04/19/into-the-shadows/

And Lance Mueller's EnScript:
http://www.forensickb.com/2007/11/vista-system-restore-point-information.html
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Sorry I should have clarified that my forensic machine is running XP but the suspect machine being investigated is Vista and therefore Shadow Explorer doesn't work.

Can you create a bootable VM of the suspect disk image and use Shadow Explorer in that?
sheona_17dec
(@sheona_17dec)
Active Member
Joined: 17 years ago
Posts: 19
Topic starter  

I'm going to give that a try in the morning and see what the outcome is. Put the exe onto a USB stick and go from there. Thanks for the suggestion.
(@dficsi)
Reputable Member
Joined: 19 years ago
Posts: 283
 

Restore Points or Volume Shadow Copies?

Does anyone know of a tool or EnScript that will interpret restore points on a Vista OS?

Just to be clear here, I think she is asking about Restore Points, not Volume Shadow Copies.

Er… Volume Shadow Copies (difference files) ARE the restore points in Windows Vista.