Time
4 hours 15 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:01
Hi, welcome to the course. In this module, we are looking at restore points in Windows, which is a Windows forensic essential. We have analyzed the creation process, some of the contents, and how the system's restore points work. Now, let's see the file structure of System Restore.
00:19
The System Volume Information directory can be found at the root of all drives on XP systems, regardless of the state of System Restore.
00:28
On a live system, this directory and its contents are restricted to system-level access by default,
00:36
but it should be noted that consultation of the data is possible by simply changing the rights of the folder to include administrator or user-level access.
00:45
The _restore folder, followed by a system identifier, resides inside the System Volume Information directory.
00:55
This directory exists only when System Restore monitoring is enabled and contains the list of currently existing restore points. The restore point folders are appropriately named RP, followed by sequentially assigned numbers.
01:10
This directory also contains _filelst.cfg, which is a binary file that contains the list of monitored extensions and excluded directories found in filelist.xml, which was mentioned in the previous video.
01:29
The RP directory is the storage location for all monitored files that changed between the creation time of the restore point and the creation time of the previous restore point.
01:40
The System Restore process copies new and changed files matching the inclusion extensions into this directory. An example of the naming convention used is presented in this slide.
01:53
The numbers increment by one as files are added to the restore point. The file extensions are kept the same.
02:01
A log of these files, with their original names and the location from which they were copied, is kept in a change.log file in this directory as well.
02:13
The snapshot directory is a subfolder in the RP directory. Here, you will find saved copies of the registry at the time of the restore point creation.
02:24
The change.log is the tracking repository for all files saved through the restore process.
02:30
The information contained in the file includes the file's original location in the system, the original name of the file, and the name to which the file has been changed.
02:40
The difficulty lies in retrieving this information in a usable format. The files are stored in a binary format and can be spread across several change.log files for one restore point.
02:54
So finding the one which has the information you're looking for can be a tedious task.
03:00
The data is most easily readable in a hex viewer.
03:07
There are several configuration options available to change the storage of restore points.
03:12
These are stored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore.
03:22
This key contains some keys, such as DisableSR, that will allow the user to turn off System Restore.
03:30
Turning off System Restore monitoring will remove the system's restore points from the logical file system.
03:37
CreateFirstRunRp determines whether an RP is created when System Restore is turned on for the first time.
03:45
DiskPercent is the percentage of disk space allocated to System Restore.
03:51
DSMax is the maximum allowed disk space. System Restore uses the larger of the two.
03:58
DSMin is the minimum amount of disk space in megabytes required for System Restore to run. RestoreStatus indicates the case where the last restore process failed.
04:11
By default, restore point size is limited to 12% of the drive space on drives larger than 4 gigabytes, and to 400 megabytes on drives smaller than 4 gigabytes.
04:25
This is further limited by the amount of free space on the drive, giving priority to the system and not to restore points. When restore points fill 90% of the allotted 12% of drive space, System Restore will delete restore points on a first in, first out basis
04:45
until only 75% of the 12%
04:48
allocated drive space is used.
04:51
These configurations can be changed in the GUI application mentioned or in the registry.
04:59
Okay, here's a quick question for you.
05:01
Which key of the SystemRestore key will allow the user to turn off System Restore?
05:08
Is it A, DisableSR; B, CreateFirstRunRp; C, DiskPercent; or D, RestoreStatus?
05:18
If you said A, you're correct.
05:20
Turning off System Restore monitoring will remove the restore points from the logical file system.
05:29
In this module, we have analyzed another of the Windows forensic essentials: restore points, which are meant to provide the user the opportunity to restore critical operating system and application files after a crash or crisis.
05:44
For further information, please check the references or supplementary material, and in the next module we will be analyzing the Recycle Bin as a forensic essential: the definition, why it is important, and how to find it.

Up Next

Windows Forensics and Tools

The Windows Forensics and Tools course focuses on building digital forensics knowledge of Microsoft Windows operating systems, as well as some compatible software or tools that can be used to obtain or process information in such systems.

Instructed By

Adalberto Jose Garcia
Information Security Analyst at Bigazi
Instructor