Difference between revisions of "Windows Restore Points"

From ForensicsWiki
 
Line 25: Line 25:
 
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]], June 16, 2007
 
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]], June 16, 2007
 
* [http://www.swiftforensics.com/2012/03/enscript-tutorial-1-parse-xp-system.html Enscript Tutorial 1 - Parse XP System Restore Logs], by Yogesh Khatri, March 2, 2012
 
* [http://www.swiftforensics.com/2012/03/enscript-tutorial-1-parse-xp-system.html Enscript Tutorial 1 - Parse XP System Restore Logs], by Yogesh Khatri, March 2, 2012
* [https://github.com/libyal/assorted/blob/master/documentation/Restore%20point%20formats.asciidoc The Windows Restore Point formats], by [[Joachim Metz]], April 2015
+
* [https://github.com/libyal/dtformats/blob/master/documentation/Restore%20point%20formats.asciidoc The Windows Restore Point formats], by [[Joachim Metz]], April 2015
  
 
== Tools ==
 
== Tools ==
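
Review bot: the replacement link on the added line still points at a `/blob/master/` path, so it can break again the next time the document is moved or renamed, which is the breakage this edit repairs (the path changed from `libyal/assorted` to `libyal/dtformats`). Consider linking to a commit permalink for the asciidoc file instead of a branch path.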

Latest revision as of 05:31, 14 August 2017


On Windows XP the Restore Points can be found in:

C:\System Volume Information\_restore{%GUID%}\

Where %GUID% is the machine GUID for which the Restore Point was created.

This directory contains:

  • fifo.log; Restore Point deletion information
  • Restore Point data subdirectories, named 'RP[1-9][0-9]*', e.g. 'RP1'

A Restore Point data subdirectory contains:

  • change.log or change.log.[1-9];
  • rp.log; restore point information log file
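
The layout above can be inventoried on an exported copy of System Volume Information. This is an added example, not code from the wiki or the tools it links to; the function names, the all-zero GUID and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Naming patterns taken from the directory layout described above.
RESTORE_DIR = re.compile(r"^_restore\{[^}]+\}$")      # _restore{%GUID%}
RP_DIR = re.compile(r"^RP([1-9][0-9]*)$")             # RP1, RP2, ...
CHANGE_LOG = re.compile(r"^change\.log(\.[1-9])?$")   # change.log or change.log.[1-9]


def inventory_restore_points(svi_root):
    """List each _restore{GUID} store, its RP directories and which logs exist."""
    report = []
    for store in sorted(Path(svi_root).iterdir()):
        if not (store.is_dir() and RESTORE_DIR.match(store.name)):
            continue
        rps = [(int(m.group(1)), d) for d in store.iterdir()
               if d.is_dir() and (m := RP_DIR.match(d.name))]
        points = []
        for _, rp in sorted(rps, key=lambda t: t[0]):  # numeric: RP10 after RP9
            names = [f.name for f in rp.iterdir() if f.is_file()]
            points.append({"name": rp.name,
                           "rp_log": "rp.log" in names,
                           "change_logs": sorted(n for n in names if CHANGE_LOG.match(n))})
        report.append({"store": store.name,
                       "fifo_log": (store / "fifo.log").is_file(),
                       "restore_points": points})
    return report


def build_sample_tree(root):
    """Create a constructed sample layout (not real evidence) under root."""
    store = Path(root) / "_restore{00000000-0000-0000-0000-000000000000}"
    layout = {"RP1": ["rp.log", "change.log"],
              "RP2": ["rp.log", "change.log.1", "change.log.2"],
              "RP10": ["change.log"]}  # rp.log deliberately absent
    for rp, files in layout.items():
        (store / rp).mkdir(parents=True)
        for name in files:
            (store / rp / name).touch()
    (store / "fifo.log").touch()
    (store / "notes").mkdir()  # does not match RP[1-9][0-9]*, so it is skipped
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for store in inventory_restore_points(build_sample_tree(tmp)):
            print(store)
```

Point `inventory_restore_points` at a read-only export of the directory rather than a live volume; a restore point reported with `rp_log` false or an empty `change_logs` list is one to examine by hand.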

External Links

Tools