Windows restore points
On Windows XP the Restore Points can be found in:
C:\System Volume Information\_restore{%GUID%}\
Where %GUID% is the machine GUID for which the Restore Point was created.
This directory contains:
- fifo.log; Restore Point deletion information
- Restore Point data sub directories, named 'RP[1-9][0-9]*', e.g. 'RP1'
A Restore Point data sub directory contains:
- change.log or change.log.[1-9];
- rp.log; restore point information log file
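As an added example (not part of the original page or any tool it lists), the following Python script applies the naming conventions above to inventory a restore point tree: it recognises `_restore{GUID}` directories, `RP[1-9][0-9]*` data sub directories in numeric order, `fifo.log`, `rp.log` and `change.log` / `change.log.[1-9]`. The directory tree it runs on is constructed in a temporary directory, not taken from a real system.

```python
import os
import re
import tempfile

# Naming conventions from the page: the restore point root is "_restore{GUID}",
# data sub directories are "RP" plus a number without leading zero.
RESTORE_DIR_RE = re.compile(r"^_restore\{[0-9A-Fa-f-]{36}\}$")
RP_DIR_RE = re.compile(r"^RP[1-9][0-9]*$")
CHANGE_LOG_RE = re.compile(r"^change\.log(\.[1-9])?$")


def inventory_restore_points(svi_path):
    """Map each _restore{GUID} directory under svi_path to its fifo.log presence
    and a list of (RP number, has rp.log, change logs) sorted by RP number."""
    result = {}
    for name in sorted(os.listdir(svi_path)):
        root = os.path.join(svi_path, name)
        if not (RESTORE_DIR_RE.match(name) and os.path.isdir(root)):
            continue
        points = []
        for sub in os.listdir(root):
            rp_path = os.path.join(root, sub)
            # Names like "RP03" do not follow the convention and are skipped
            if not (RP_DIR_RE.match(sub) and os.path.isdir(rp_path)):
                continue
            files = os.listdir(rp_path)
            change_logs = sorted(f for f in files if CHANGE_LOG_RE.match(f))
            points.append((int(sub[2:]), "rp.log" in files, change_logs))
        points.sort()  # numeric order, so RP12 comes after RP2
        result[name] = {
            "fifo_log": os.path.isfile(os.path.join(root, "fifo.log")),
            "points": points,
        }
    return result


def build_sample_tree():
    """Constructed sample layout (not taken from a real system) for a dry run."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "_restore{00000000-0000-0000-0000-000000000000}")
    layout = {"RP1": ["rp.log", "change.log"], "RP2": ["rp.log"],
              "RP12": ["rp.log", "change.log", "change.log.1"], "RP03": ["rp.log"]}
    for rp, logs in layout.items():
        os.makedirs(os.path.join(root, rp))
        for f in logs:
            open(os.path.join(root, rp, f), "w").close()
    open(os.path.join(root, "fifo.log"), "w").close()
    return base
```

Run `inventory_restore_points` against a copy of `System Volume Information` taken from an image; on a live system the directory is normally not readable without SYSTEM privileges.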
External Links
- Wikipedia: System Restore
- MSDN: Legacy System Restore Reference
- Restore Point Forensics, by Steve Bunting
- Restore Point Forensics, by Harlan Carvey, October 20, 2006
- Restore Point Analysis, by Harlan Carvey, June 16, 2007
- Enscript Tutorial 1 - Parse XP System Restore Logs, by Yogesh Khatri, March 2, 2012
- The Windows Restore Point formats, by Joachim Metz, April 2015
Tools
- Plaso as of version 1.3.0 has support for rp.log
- rp_change_log.py, tool to analyze the change.log files