System Restore is a feature that has been part of the Windows operating systems since Windows ME. It creates so-called Restore Points so that users can go back to a previous state of the system.
This is important when changes to the system or an attack make the system unresponsive in one way or another. In recent versions of Windows, restore points are created automatically on certain operations such as Windows Updates.
There is, however, the danger that malicious files are saved during that process as well, which means that they would be restored when the user reverts the system to a previous state.
System Restore Points are created when certain events occur. These are, for example, the initial booting of the system, before program installations and every 24 hours of uptime. System Restore is enabled by default.
Restore Point Analyzer is a forensic tool that can determine the original paths and file names of files stored inside restore points. It was created by the company Mandiant and was used by one of their forensic experts to determine if a client's notebook had been compromised.
A simple XML file in C:\WINDOWS\system32\Restore called filelist.xml is responsible for file inclusions and exclusions, and it is imperative to check if this file has been altered in any way. The best way to do this is to make a copy of the file when System Restore is activated for the first time. You can then use a simple file comparison tool like WinMerge to compare both files.
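The comparison against the saved copy can also be scripted. The following is an added example, not part of the original article or of Mandiant's tool: it compares two copies of filelist.xml by their include/exclude entries rather than line by line. The sample XML (layout, tag names and values) is constructed for illustration, and the function names `entries` and `diff_filelist` are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample (assumed layout and tag names, not copied from a real system).
BASELINE = b"""<PCHealthProtect>
  <DIRECTORIES><Exclude><REC>%windir%\\Temp</REC></Exclude></DIRECTORIES>
  <EXTENSIONS><Include><REC>EXE</REC><REC>DLL</REC></Include></EXTENSIONS>
</PCHealthProtect>"""

# Constructed altered copy: DLL no longer included, one extra directory excluded.
CURRENT = b"""<PCHealthProtect>
  <DIRECTORIES><Exclude><REC>%windir%\\Temp</REC><REC>C:\\Example</REC></Exclude></DIRECTORIES>
  <EXTENSIONS><Include><REC>EXE</REC></Include></EXTENSIONS>
</PCHealthProtect>"""


def entries(xml_bytes):
    """Return {(section path, value)} for every leaf element with text."""
    # The file may have been tampered with, so treat it as untrusted input.
    if b"<!DOCTYPE" in xml_bytes.upper():
        raise ValueError("unexpected DOCTYPE, refusing to parse")
    found = set()

    def walk(node, path):
        children = list(node)
        text = (node.text or "").strip()
        if not children and text:
            # Windows paths and extensions are case-insensitive.
            found.add((path, text.lower()))
        for child in children:
            walk(child, f"{path}/{child.tag}")

    for section in ET.fromstring(xml_bytes):
        walk(section, section.tag)
    return found


def diff_filelist(baseline, current):
    """Compare two copies of filelist.xml by content, ignoring whitespace and order."""
    old, new = entries(baseline), entries(current)
    return {
        "baseline_sha256": hashlib.sha256(baseline).hexdigest(),
        "current_sha256": hashlib.sha256(current).hexdigest(),
        "removed": sorted(old - new),
        "added": sorted(new - old),
    }


if __name__ == "__main__":
    report = diff_filelist(BASELINE, CURRENT)
    for kind in ("removed", "added"):
        for path, value in report[kind]:
            print(f"{kind:8} {path}: {value}")
```

On a real system, read the saved copy and the live file in binary mode and pass both byte strings to `diff_filelist`; the two SHA-256 values can go into the case notes.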
Restore Point Analyzer helps in determining when a file was added to System Restore, as well as its name and location on the system. This gives the analyst excellent information if the intruder was clever enough to delete the files that he used to gain access to a computer.
The software can list all of the files in a System Restore directory. Unfortunately, those files are not listed with their original names but with seemingly random names. The file change.log keeps a record of those changes and can be consulted to find out the new file name of the file that you are looking for.
I suggest you also read the excellent white paper that is available on the Mandiant website for further information on the process.
Update: Mandiant has been acquired by FireEye. It appears that Restore Point Analyzer has been abandoned by the company. We have uploaded the most recent version of the program to our own server. Click on the following link to download it: RestorePointAnalyzerSetup.zip
Note that we don't support it in any way.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.