
The description of the restore point is a null-terminated Unicode string that starts at offset 16 (0x10) within the file, and the creation date/time is the 8-byte (QWORD) value located at offset 528 (0x210) within the file. You can run the Perl script sr.pl on a live system to collect information about restore points.

The script uses the SystemRestore Windows Management Instrumentation (WMI) class to access the RestorePointType, Description, and CreationTime values for each restore point and display them to the user. The Perl script (located on the accompanying DVD) is a ProScript that you can use with ProDiscover to retrieve information from the rp.log files located in the restore point directories of an image of a Windows XP system (that is open in ProDiscover). The script opens the rp.log file within each directory and retrieves the description of the restore point and the date that the restore point was created.

The description for the restore point can be useful to the investigator, particularly if he’s looking for information regarding the installation or removal of an application. System restore points will be created when applications and unsigned drivers are installed, when a Windows AutoUpdate installation is performed, and when a restore operation is performed. Restore points can also be created manually. When a restore point is created, a description of the event that caused the restore point creation is written to the rp.log file.

Many times, you’ll see the description System Checkpoint, which is the restore point that is created by Windows XP every 24 hours (default setting). The description Software Distribution Service refers to Windows Updates being installed. I’ve also seen descriptions such as Installed QuickTime, Removed ProDiscover 4.8a, and Installed Windows Media Player 11 on systems. The description might tell the investigator the date that a particular application was installed or removed.
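The two rp.log fields described above can also be read with a short parser. The following is an added example, not the sr.pl script or the ProScript from the DVD; it assumes the QWORD at offset 0x210 is a little-endian Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC), which the text does not state, and the function names and sample buffer are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

DESC_OFFSET = 0x10    # description: null-terminated UTF-16LE string
CTIME_OFFSET = 0x210  # creation time: 8-byte QWORD (assumed FILETIME)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_rp_log(data: bytes) -> dict:
    """Return the description and creation time (UTC) from rp.log bytes."""
    if len(data) < CTIME_OFFSET + 8:
        raise ValueError("rp.log too short: %d bytes" % len(data))
    # Walk 2-byte code units up to the UTF-16 null terminator, and never
    # read into the timestamp field if the terminator is missing.
    end = DESC_OFFSET
    while end + 2 <= CTIME_OFFSET and data[end:end + 2] != b"\x00\x00":
        end += 2
    description = data[DESC_OFFSET:end].decode("utf-16-le", errors="replace")
    (filetime,) = struct.unpack_from("<Q", data, CTIME_OFFSET)
    try:
        created = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    except OverflowError:
        created = None  # value is not a plausible date (damaged file)
    return {"description": description, "created_utc": created,
            "raw_filetime": filetime}


def build_sample(description: str, created: datetime) -> bytes:
    """Build a synthetic rp.log-shaped buffer (constructed, not real evidence)."""
    buf = bytearray(CTIME_OFFSET + 8)
    raw = description.encode("utf-16-le")
    buf[DESC_OFFSET:DESC_OFFSET + len(raw)] = raw
    ticks = int((created - FILETIME_EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<Q", buf, CTIME_OFFSET, ticks)
    return bytes(buf)


if __name__ == "__main__":
    when = datetime(2007, 3, 14, 15, 9, 26, tzinfo=timezone.utc)
    info = parse_rp_log(build_sample("Installed QuickTime", when))
    print(info["created_utc"].isoformat(), info["description"])
```

Run against files exported from an image, the parsed descriptions and timestamps can be sorted to build a timeline of application installs and removals.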


