Has anyone got any information on how Windows Vista keeps tabs on how and when to include a file in a restore point?
I'm specifically interested in how Vista documents what files are in which restore point. I have used Shadow Explorer inside a VMware image and have looked at the contents this way, but ideally I would like a way to do this out of a live image.
I basically have a few image files inside the restore point files, but I would like to be able to find out where in the filesystem they are/were. I'm guessing page or hiber files, but I cannot prove this without going through the pain of exporting these files and carving their contents.
Either way it would be a cool capability to have.
It sounds like you may be confusing System Restore with Previous Versions. System Restore only monitors system files, not user-created files, and restore points are created automatically by the OS. They can also be manually created. Previous Versions is the ability to restore a user-created file (like a Word doc) to an earlier state. It's only available in Vista Business, Enterprise, and Ultimate. Vista uses the Volume Shadow Copy service for this feature. I don't have it in front of me, but if memory serves correctly, I think the shadow file is a system file in the etc folder. I haven't looked at one forensically yet, but I'd be interested to know what you find out.
The Previous Versions data should be stored in the "System Volume Information" folder, as this is the folder used by the Shadow Copy service. Unfortunately, examination of the data retained by the Shadow Copy service can be difficult due to the nature in which the data can be stored.
A method employed by the Shadow Copy service is known as Copy-on-Write. This method creates differential copies of the files stored; i.e., a full copy of the file is not made but merely a record of the differences between the original file and the modified file. These changes can then be reversed if necessary by reading out the data recorded and re-applying it to the file. Obviously this may hinder file carving and keyword searching techniques, as the full file may not be stored.
Another shortcoming of the Previous Versions function is that a previous version is not stored every time a file is changed. The storing of a previous version only occurs once per day unless it is triggered by other applications or processes such as Windows Complete PC Backup and Restore or program installers.
It should also be noted that the Previous Versions functionality is only available to a user when they are running the Business, Enterprise or Ultimate editions of Microsoft Windows Vista. However, despite being unavailable to the user in the other editions of Vista, the Shadow Copy process is present in all versions of Vista. The service actually retains previous versions of files (and folders) even if the option of restoring them via the Previous Versions function isn't available to the user!
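The copy-on-write behaviour described in the answer above, as an added toy model that is not part of the original thread and is not Vista's real on-disk format: a block-level diff area saves each block's pre-snapshot contents once, the previous version is rebuilt by overlaying the diff area on the live volume, and carving or keyword-searching the diff area alone misses every block that was never modified.

```python
# Constructed toy model of a block-level copy-on-write snapshot.
# Block size and layout are assumptions for illustration only.
BLOCK = 8


def split_blocks(data: bytes) -> list:
    """Split a byte string into fixed-size blocks."""
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


class CowVolume:
    def __init__(self, data: bytes):
        self.blocks = split_blocks(data)  # live volume contents
        self.diff_area = {}               # block index -> pre-snapshot contents
        self.snapshot_taken = False

    def take_snapshot(self):
        # A snapshot is only a marker; no data is copied at this point.
        self.snapshot_taken = True
        self.diff_area = {}

    def write_block(self, idx: int, content: bytes):
        # Copy-on-write: preserve the old block once, before its first overwrite.
        if self.snapshot_taken and idx not in self.diff_area:
            self.diff_area[idx] = self.blocks[idx]
        self.blocks[idx] = content

    def previous_version(self) -> bytes:
        # Reverse the changes: saved blocks win over live blocks.
        restored = [self.diff_area.get(i, b) for i, b in enumerate(self.blocks)]
        return b"".join(restored)

    def diff_area_bytes(self) -> bytes:
        # What a carver that reads only the shadow copy storage would see.
        return b"".join(self.diff_area[i] for i in sorted(self.diff_area))


def demo() -> CowVolume:
    # Constructed sample "file": four 8-byte blocks.
    original = b"HEADER01" + b"secret-A" + b"secret-B" + b"TRAILER1"
    vol = CowVolume(original)
    vol.take_snapshot()
    vol.write_block(2, b"PUBLIC-B")  # first change after the snapshot
    vol.write_block(2, b"PUBLIC-C")  # second change; original block kept once
    return vol
```

Running `demo()` and comparing `previous_version()` with `diff_area_bytes()` shows that only the overwritten block ("secret-B") ever lands in the diff area, while the untouched "secret-A" block exists solely on the live volume.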