Accessing these files can provide not just historical data (e.g., previous contents) but also a basis for additional analysis, conducted by comparing the available versions over time. Okay, so what does this mean to the forensic analyst? From an analyst’s perspective, there is a great deal of historical information within backed-up files.

Windows 7 Previous Versions shell extension.
However, System Restore Points do not back up everything on a system. For example, user data files are not backed up (and are therefore not restored, either), and all of the data (specifically, the passwords) in the SAM hive of the Registry is not backed up, as you wouldn’t want users to restore their systems to a previous point in time and then be unable to access them because a previous password (which they may not remember) had been restored.

Figure 3.2.

Users could revert the core functionality of their systems to a previous state through the System Restore functionality, effectively recovering it to a previous state.
This proved to be a useful functionality, particularly when a user installed something (application, driver, etc.) that failed to work properly, or the system became infected with malware of some kind.

Windows XP System Restore Point functionality.

As illustrated in Figure 3.1, users can not only create Restore Points, but they can also restore the computer to an earlier time.