Time
4 hours 15 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:01
Hello. Welcome back to the course. In this module we will analyze System Restore points in Windows, a forensic essential.
00:08
Attackers are continually hiding their malicious code, erasing their malicious files and finding new techniques to minimize the trace evidence they leave behind. Forensic examiners can use System Restore points to establish an event timeline and discover clues that can assist in understanding how a computer system has been compromised.
00:27
But before that, here is a pre-assessment question for you.
00:30
What is the purpose of System Restore points? Is it (A) to provide an opportunity to restore user files during a crash or crisis; (B) to provide an opportunity to restore critical operating system and application files during a crash or crisis;
00:45
or (C) to provide an opportunity to hide data files and applications during a crash; or (D) none of the above?
00:53
The answer here is B. Let's see why.
00:58
System Restore first appeared in Windows Me and was further refined in Microsoft Windows XP Home and Professional. The process is meant to provide the user an opportunity to restore critical operating system and application files during a crash or crisis.
01:12
System Restore monitors changes to the system and to application files and provides a simple and reliable recovery to various points in time through the creation of restore points.
01:23
Its value extends to the forensic area as well.
01:27
Restore points may contain the key pieces of evidence to support an investigation.
01:33
But they are frequently overlooked.
01:34
Content within restore points can be a piece of history left behind by an attacker, exposing code, configurations and log files. Many times these files can be found even after attempts at counter-forensics, such as log wiping, timestamp stomping or secure deletion.
01:55
The restore point creation process is enabled by default and happens automatically, so it is very likely that restore points can be found on a compromised Windows XP Professional system.
02:05
System restore point creation is triggered by one of the following events: the initial boot of Windows XP; every 24 hours of uptime; before program installations; before automatic updates; before a System Restore restoration;
02:21
before an unsigned driver is installed; before restoring backup data using the Backup utility;
02:27
or on manual creation.
02:29
The user interface for the creation and management of system restore points can be found under Start > Programs > Accessories > System Tools > System Restore.
02:39
This interface provides administrative control over many of the monitoring activities.
02:46
Registry hives and specific files are copied into restore points upon creation. Not all files are copied after a change, however. File selection is ruled by include and exclude statements in filelist.xml, which is a file located in the
03:05
C:\Windows\System32\Restore
03:07
directory. This XML file guides the restore point creation process and dictates which file extensions will be monitored.
03:15
Also contained in this file are the directory inclusions and exclusions. So it is important, when reviewing system restore points, that you first check filelist.xml for a comparison with the default values to rule out tampering.
03:31
Contents most appropriate for an ongoing investigation are registry snapshots, file snapshots and file metadata.
03:42
Analysis of registry snapshots over the course of time can be a very fruitful piece of evidence and is useful across several different types of investigations. Snapshots of the registry can show system changes such as installation of hardware and software,
03:58
browser configuration changes, password changes and user history.
04:02
Internet history, system information and more; the list is endless.
04:08
File snapshots are just as important. Examples of files you will find in restore points include executables, DLLs,
04:15
INI files and an endless list of other extensions you may not be familiar with. These files can be copied into restore points without the attacker knowing it. Some counter-forensic techniques can be defeated by the creation of a restore point, which captures the attacker's tools
04:33
before their secure deletion, which only starts after the attack.
04:38
Files that you will not find in restore points are user-specific files, such as documents, PDFs and MP3s.
04:46
Very large files, including Windows event logs, are also not included in restore points by default.
04:53
File metadata, or file attributes such as the last modified, last accessed and created times, are not altered during the creation of system restore points.
05:02
The MAC data on the file is transferred intact to the RP folder.
05:08
Metadata saved with the file can aid in the creation of an event timeline and allow a better view into the actions that have taken place on the computer.
05:17
MAC analysis can quickly identify files related to an incident by comparing MAC times of known malicious files to unknown files. It can show when files were introduced to the system or when they were changed, and help identify a time frame of the attack.
05:36
So now we know what system restore points are, their content and how they are created. In the next video we are going to analyze the file structure of system restore points, which can help in performing a forensic analysis of a machine.
05:51
Please don't forget to check the references and supplementary material for more information.
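The following is an added example, not code from the course or its instructor, showing how the MAC-time analysis described in the lesson can be applied to the files preserved in Windows XP restore point (RP) folders. It assumes the evidence volume is mounted read-only under the drive letter in $EvidenceDrive, that restore points follow the XP layout under "System Volume Information\_restore{GUID}\RPnnn", and that the examiner supplies a known-good filelist.xml from a clean install of the same service pack (the $knownGood path is a placeholder). The extension watch list and output path are likewise assumptions to be adjusted per case.

```powershell
# Added example (not from the course): build a MAC-time timeline of files kept in
# Windows XP restore point folders on a mounted, read-only evidence volume, and
# check the evidence copy of filelist.xml against a known-good reference so that
# tampering with the include/exclude rules can be ruled out first.
# Assumptions: $EvidenceDrive is the mounted evidence volume; RP folders live under
# "<drive>\System Volume Information\_restore{GUID}\RPnnn" (XP layout).
param(
    [string]$EvidenceDrive = 'E:',
    [string]$OutCsv = '.\rp_timeline.csv',
    # Placeholder: examiner-provided filelist.xml from a clean XP install.
    [string]$KnownGoodFileList = '.\filelist.xml.clean',
    # Extensions an intruder's tooling commonly uses; adjust per case.
    [string[]]$WatchExtensions = @('.exe', '.dll', '.sys', '.bat', '.vbs', '.ini')
)

# Step 1: compare filelist.xml against the known-good copy before trusting RP contents.
$evidenceList = Join-Path $EvidenceDrive 'Windows\system32\restore\filelist.xml'
if ((Test-Path -LiteralPath $evidenceList) -and (Test-Path -LiteralPath $KnownGoodFileList)) {
    $same = (Get-FileHash -LiteralPath $evidenceList).Hash -eq (Get-FileHash -LiteralPath $KnownGoodFileList).Hash
    "filelist.xml matches known-good reference : $same"
} else {
    "filelist.xml comparison skipped (evidence or reference copy not found)"
}

# Step 2: locate every RP folder inside the _restore{GUID} directory.
$svi = Join-Path $EvidenceDrive 'System Volume Information'
$rpDirs = Get-ChildItem -LiteralPath $svi -Directory -Force -ErrorAction Stop |
    Where-Object { $_.Name -like '_restore{*}' } |
    Get-ChildItem -Directory -Force |
    Where-Object { $_.Name -match '^RP\d+$' }

# Step 3: record MAC times for each preserved file. Copies in an RP folder are
# typically renamed (A00nnnnn.<ext>), but their timestamps are carried over
# intact, which is what makes them usable for a timeline.
$rows = foreach ($rp in $rpDirs) {
    Get-ChildItem -LiteralPath $rp.FullName -File -Recurse -Force |
        ForEach-Object {
            $ext = $_.Extension.ToLowerInvariant()
            [pscustomobject]@{
                RestorePoint = $rp.Name
                RPCreated    = $rp.CreationTimeUtc
                Path         = $_.FullName
                Extension    = $ext
                Created      = $_.CreationTimeUtc
                Modified     = $_.LastWriteTimeUtc
                Accessed     = $_.LastAccessTimeUtc
                Flagged      = ($WatchExtensions -contains $ext)
            }
        }
}

# Step 4: newest modification first, so recently introduced binaries surface at the top.
$rows | Sort-Object Modified -Descending | Export-Csv -LiteralPath $OutCsv -NoTypeInformation

"Restore points examined : $($rpDirs.Count)"
"Files catalogued        : $($rows.Count)"
"Flagged by extension    : $(@($rows | Where-Object Flagged).Count)"
"Timeline written to     : $OutCsv"
```

Run it against the mounted image rather than a live system, so that the access times it reports are the ones the RP folder preserved and not ones the examination itself produced. Flagged rows whose Created time falls inside the suspected intrusion window are the first candidates for hashing and comparison against the known malicious files already in the case.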

Up Next

Windows Forensics and Tools

The Windows Forensics and Tools course focuses on building digital forensics knowledge of Microsoft Windows operating systems, as well as some compatible software or tools that can be used to obtain or process information in such systems.

Instructed By

Adalberto Jose Garcia
Information Security Analyst at Bigazi
Instructor