Difference between revisions of "Windows Restore Points"

From ForensicsWiki
(Tools)
Line 29: Line 29:
 
== Tools ==
 
== Tools ==
 
* [[plaso]] as of version 1.3.0 has support for rp.log
 
* [[plaso]] as of version 1.3.0 has support for rp.log
* [https://github.com/libyal/assorted/blob/master/scripts/rp_change_log.py rp_change_log.py], tool to analyze the change.log files
+
* [https://github.com/libyal/dtformats/blob/master/scripts/rp_change_log.py rp_change_log.py], tool to analyze the change.log files
  
 
[[Category:Windows Analysis]]
 
[[Category:Windows Analysis]]

Revision as of 05:31, 14 August 2017


On Windows XP the Restore Points can be found in:

C:\System Volume Information\_restore{%GUID%}\

where %GUID% is the GUID of the machine for which the Restore Point was created.

This directory contains:

  • fifo.log; Restore Point deletion information
  • Restore Point data sub directories, named 'RP[1-9][0-9]*', e.g. 'RP1'

A Restore Point data sub directory contains:

  • change.log or change.log.[1-9]
  • rp.log; restore point information log file
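The directory layout described above (the _restore{%GUID%} root, fifo.log, the RP[1-9][0-9]* data sub directories and their change.log / change.log.[1-9] and rp.log files) is the basis for a first triage pass over a mounted Windows XP volume. The script below is an added example, not part of the wiki page or of any of the tools it lists: it walks a System Volume Information directory, applies the naming rules from this page, and returns an inventory sorted by restore point number. The GUID, the directory names and the empty files in build_sample_tree() are constructed for the demonstration; the inventory functions themselves work on a real mounted image path (for example the System Volume Information directory of a mounted E01).

```python
import re
import tempfile
from pathlib import Path

# Naming rules taken from the page: restore point data directories are
# named RP[1-9][0-9]*, change logs are change.log or change.log.[1-9].
# Windows file names are case-insensitive, so match ignoring case.
RP_DIR_RE = re.compile(r"^RP[1-9][0-9]*$", re.IGNORECASE)
CHANGE_LOG_RE = re.compile(r"^change\.log(\.[1-9])?$", re.IGNORECASE)


def find_restore_roots(system_volume_information):
    """Return every _restore{GUID} directory under System Volume Information."""
    svi = Path(system_volume_information)
    return sorted(
        p for p in svi.iterdir()
        if p.is_dir()
        and p.name.lower().startswith("_restore{")
        and p.name.endswith("}")
    )


def _change_log_order(name):
    """Sort key: change.log first, then change.log.1 .. change.log.9."""
    parts = name.split(".")
    return int(parts[2]) if len(parts) == 3 else 0


def inventory_restore_point(rp_dir):
    """Describe one RPn directory: its number and which log files it holds."""
    rp_dir = Path(rp_dir)
    change_logs = sorted(
        (p.name for p in rp_dir.iterdir() if p.is_file() and CHANGE_LOG_RE.match(p.name)),
        key=_change_log_order,
    )
    return {
        "name": rp_dir.name,
        "number": int(rp_dir.name[2:]),          # numeric part after "RP"
        "rp_log": (rp_dir / "rp.log").is_file(),  # restore point information log
        "change_logs": change_logs,
    }


def inventory_restore_root(restore_root):
    """Describe one _restore{GUID} directory: fifo.log and all RPn sub directories."""
    restore_root = Path(restore_root)
    points = [
        inventory_restore_point(p)
        for p in restore_root.iterdir()
        if p.is_dir() and RP_DIR_RE.match(p.name)
    ]
    points.sort(key=lambda point: point["number"])  # numeric, so RP10 follows RP2
    return {
        "restore_root": restore_root.name,
        "fifo_log": (restore_root / "fifo.log").is_file(),  # deletion information
        "restore_points": points,
    }


def build_sample_tree(base):
    """Construct a sample layout for the demo (constructed data, not a real system)."""
    svi = Path(base) / "System Volume Information"
    # Constructed placeholder GUID; a real system has the machine GUID here.
    root = svi / "_restore{00000000-0000-0000-0000-000000000000}"
    layout = {
        "RP1": ["change.log"],
        "RP2": ["change.log", "change.log.1", "change.log.2"],  # rotated logs
        "RP10": ["change.log"],
    }
    for rp_name, logs in layout.items():
        rp_dir = root / rp_name
        rp_dir.mkdir(parents=True)
        (rp_dir / "rp.log").write_bytes(b"")
        for log_name in logs:
            (rp_dir / log_name).write_bytes(b"")
    (root / "fifo.log").write_bytes(b"")
    (root / "RP0").mkdir()               # does not match RP[1-9][0-9]*, must be skipped
    (root / "notes.txt").write_bytes(b"")  # unrelated file, must be ignored
    return svi


def run_demo():
    """Build the constructed tree in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        svi = build_sample_tree(tmp)
        return [inventory_restore_root(r) for r in find_restore_roots(svi)]


if __name__ == "__main__":
    for root in run_demo():
        print(root["restore_root"], "fifo.log:", root["fifo_log"])
        for point in root["restore_points"]:
            print("  ", point["name"], "rp.log:", point["rp_log"], point["change_logs"])
```

The inventory is deliberately limited to what the page states about the layout; parsing the contents of rp.log or change.log is left to the tools listed under Tools (plaso for rp.log, rp_change_log.py for change.log). Sorting by the numeric suffix matters because a plain string sort would place RP10 between RP1 and RP2 and make gaps in the sequence (deleted restore points) harder to spot.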

External Links

Tools