Windows XP Restore Points

I know XP is going the way of the Dodo, which is why I wanted to write this post. As blogs and posts update and keep up with the latest versions of Windows I find it harder and harder to get information on legacy systems. Also as XP goes away I will most likely forget this, and as this blog is for my reference too…. why not 🙂

When are Restore Points created?

Restore Points are created each day (providing the system is on obviously, it doesn’t work in o-f-f mode), or when a significant system change occurs, for example a Service Pack or patch update.

Restore Points can also be created if an application that is Restore Point aware is installed.

Finally a Restore Point can be created manually by the user.

Where are they stored?

c:\System Volume Information

(I am sure it could be another drive instead of c:, but I am keeping this simple, if there isn’t a C drive but there is a Q drive…. look there)

The System Volume Information folder is limited to SYSTEM level access, this is why even the administrator can expect to see ‘access denied’ when attempting to open the folder. Luckily for us mounting the image in a forensic program sorts these minor issues out!

Under the System Volume Information folder there is an _restore{GUID} folder and underneath that are the Restore Point folders named RP## (where ## = a sequential number)

Finally there is a ‘Snapshot’ sub folder in each RP## folder.

What is in these and how are they useful?

Files stored in the RP## folders are backed up files, complete with a log to  tell you why they were backed up (change.log). An file starting with an ‘A’ followed by a sting of numbers and ending in a normal looking file extension are the files which were backed up

  • A0024567.doc
  • A0024568.exe
  • A0024569.dll
  • change.log

In the ‘snapshot’ subfolder you will find a copy of all of the Registry hives plus NTUser.dat and Usrclass.dat for every user profile which existed at the time of the Restore Point creation.

Finally you can also expect to find an rp.log file

Why is this useful? Well, the Restore Point can be allocated up to 12% of the disk, which can be quite a significant amount of space! Within these Restore Points is a snapshot in time. If you suspect evidence has been destroyed try looking here and maybe you will get lucky.

Volume Shadow Copy replaces Restore Points in Vista onwards, but that is another blog post 🙂

Wait, what about the change.log file?

Ah yes, let us not forget about this little badger. Mandiant used to provide a ‘Restore Point Analyzer’ however it is no longer listed on their community tools site. I suspect it is because the tool shouldn’t be required any more. If you have a copy of the tool, keep it safe, if not, it is possible to view the change.log file in a hex editor.

The change.log file will tell you exactly what the A0024567doc or A0024568.exe used to be called and where they were stored when the Restore Point was created.

When was the Restore Point created?

The rp.log file in each RP## folder contains a timestamp for the creation of that Restore Point. If you open the rp.log file in a Hex editor and look at the last 8 bytes; that is a 64-bit hex time stamp (little endian) use a tool like Dcode Time to decode the time stamp

What about servers?

Servers do not use Restore Points. Server 2003 has Volume Shadow Copy, but it is disabled by default. Volume Shadow Copy and servers will be covered in a later topic

Only a short post this time, but still a very valuable resource to keep tucked away! I will cover Volume Shadow Copies soon, also I am planning to look at some disk carving tools. Stay Tuned 🙂

(Using ‘an’ before a non-vowel; like “an RP.log file”. Recently I saw someone arguing against the case of using “an” before non-vowels. So just in case that person is reading this…. read this)

This entry was posted in Introduction, Windows Forensics, Windows Registry Forensics, Windows XP and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s