ABXZone Computer  Forums
01-01-2008, 09:19 AM   #1
Snuffy (Elite Member; Join Date: Nov 2006; Location: S.W. Kansas; Posts: 2,841)

System Restore Active by Default

System Restore Analyzer
Yesterday, December 31, 2007,
System Restore is a function in Windows operating systems since Windows ME that creates so-called Restore Points so that the user can bring his system back to a previous state in time. This is important when changes to the system or an attack make the system unresponsive in any way. There is, however, the danger that malicious files are saved during that process as well, which means that they would be restored when the user wanted to revert the system to a previous state.

System Restore Points are created when several events trigger. Those are, for example, the initial booting of the system, before program installations, and every 24 hours of uptime. System Restore is enabled by default.

Restore Point Analyzer is a forensic tool that can determine the original paths and file names of files stored inside restore points. It has been created by the company Mandiant and was used by one of their forensic experts to determine if a client’s notebook had been compromised.

A simple XML file in C:\WINDOWS\system32\Restore called filelist.xml is responsible for file inclusions and exclusions, and it is important to check if this file has been altered in any way. The best way to do this is to make a copy of the file when System Restore is activated for the first time. You can then use a simple file comparison tool like WinMerge to compare both files.

Restore Point Analyzer helps in determining when a file was added to System Restore, its name and its location on the system. This gives the analyst excellent information if the intruder was clever enough to delete the files that he used to gain access to a computer.

The software can list all of the files in a System Restore directory. Unfortunately, though, those files are not listed with their original name but with a seemingly random name. The file change.log keeps a record of those changes and can be consulted to find out the new file name of the file that you are looking for.

I suggest you read the excellent White Paper that is available on the Mandiant website as well to receive further information on the process.
__________________
The only Stupid Question is the one you failed to Ask!
Beta Tester since Pre Win 95.
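As an added example (not from the post and not part of Mandiant's tool), here is a small Python script that does the filelist.xml baseline comparison the post recommends, but reports which include/exclude patterns changed instead of a raw text diff. The element names FILES/EXCLUDE/INCLUDE/REC and both sample files are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample copies of filelist.xml: the baseline saved when System Restore
# was first enabled, and the copy found on the machine now. The element names
# FILES/EXCLUDE/INCLUDE/REC are an assumption made for this illustration; confirm
# them against a real C:\WINDOWS\system32\Restore\filelist.xml before relying on them.
BASELINE_XML = """<FILES>
  <EXCLUDE><REC>%windir%\\Temp\\*</REC><REC>*.log</REC></EXCLUDE>
  <INCLUDE><REC>*.exe</REC><REC>*.dll</REC><REC>*.sys</REC></INCLUDE>
</FILES>"""
CURRENT_XML = """<FILES>
  <EXCLUDE><REC>%windir%\\Temp\\*</REC><REC>*.log</REC><REC>*.exe</REC></EXCLUDE>
  <INCLUDE><REC>*.dll</REC><REC>*.sys</REC></INCLUDE>
</FILES>"""


def parse_rules(xml_text):
    """Return {"INCLUDE": set of patterns, "EXCLUDE": set of patterns}."""
    root = ET.fromstring(xml_text)
    return {
        section: {
            rec.text.strip()
            for sec in root.iter(section)
            for rec in sec.iter("REC")
            if rec.text and rec.text.strip()
        }
        for section in ("INCLUDE", "EXCLUDE")
    }


def diff_rules(baseline_xml, current_xml):
    """List every pattern added to or removed from either section since the baseline.

    A pattern such as *.exe moving from INCLUDE to EXCLUDE is the finding to act on:
    files matching it would no longer be copied into restore points, so files an
    intruder dropped would not be preserved there for the analyst to recover."""
    base, cur = parse_rules(baseline_xml), parse_rules(current_xml)
    findings = []
    for section in ("INCLUDE", "EXCLUDE"):
        findings += [f"added to {section}: {p}" for p in sorted(cur[section] - base[section])]
        findings += [f"removed from {section}: {p}" for p in sorted(base[section] - cur[section])]
    return findings


if __name__ == "__main__":
    # Compare the two constructed copies; read real files into the strings to use it.
    for line in diff_rules(BASELINE_XML, CURRENT_XML) or ["filelist.xml rules unchanged"]:
        print(line)
```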

01-10-2009, 04:58 PM   #2
vg335258 (Guest)

Hey, you have a great view here! I'm definitely going to bookmark you!