Restore Point Analysis
Recently I wanted a small script that reads the restore point directory (C:\System Volume Information\_restore{GUID}), parses every rp.log file inside it and prints a list of all the restore points, when each one was taken and what the reason for it was.
So I wrote this script to do that for me. I borrowed some methods from some of Harlan Carvey's older scripts. A few weeks after writing the script I saw a post from Carvey about timeline analysis of system restore points, so I decided to add support for timeline analysis. The script I have written is pretty similar to Carvey's, but it still differs enough for me to publish it here.
The script is simple to use, but you still need to mount the suspect image first. It was written and tested on a Linux box, so the NTFS permissions that normally keep you out of the System Volume Information directory on a Windows host are not a problem on the mounted image. One way of mounting the image read-only is:
mount.ntfs-3g -o ro,loop,nodev,noexec,show_sys_files /pathtoimage/image.dd /mnt/analyze
If the image is mounted at the mount point /mnt/analyze, the script can be run from inside the _restore{GUID} directory like this:
cd /mnt/analyze/System\ Volume\ Information/_restore....
rp_list .
The output is then something like this:
================================================================
RP      Name                Date
----------------------------------------------------------------
RP190   System Checkpoint   Thu Oct  9 00:27:28 2008
RP191   System Checkpoint   Sun Oct 12 16:41:07 2008
RP192   System Checkpoint   Mon Oct 13 21:57:47 2008
RP193   System Checkpoint   Sat Oct 18 01:40:42 2008
RP194   System Checkpoint   Sun Oct 19 10:54:00 2008
RP195   System Checkpoint   Tue Oct 21 21:40:45 2008
....
This is the default behaviour of the script. With the -t option the output is written in the body file format that TSK (The Sleuth Kit) reads, one record per restore point, according to the information found here.
rp_list -t .
0|Restore Point (RP190) - System Checkpoint|36534|16895|0|0|4096|1224712189|1223829667|1223829667|1223512048
0|Restore Point (RP191) - System Checkpoint|36475|16895|0|0|4096|1224009368|1223935059|1223935059|1223829667
0|Restore Point (RP192) - System Checkpoint|34410|16895|0|0|8192|1225402222|1224294042|1224294042|1223935067
0|Restore Point (RP193) - System Checkpoint|9856|16895|0|0|4096|1224414756|1224413640|1224413640|1224294042
0|Restore Point (RP194) - System Checkpoint|6961|16895|0|0|4096|1225735837|1224625236|1224625236|1224413640
0|Restore Point (RP195) - System Checkpoint|9502|16895|0|0|4096|1224799423|1224717084|1224717084|1224625245
.....
The fields are MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime. The inode, mode (16895 is 040777, a directory), size and the access, modification and change times describe the RPnnn directory itself, while the last field, crtime, is the creation time recorded in rp.log, which is the time shown in the default listing (1223512048 is Thu Oct 9 00:27:28 2008 UTC for RP190). This format can then be read with the mactime tool from TSK. Note that mactime leaves the date column empty when a line carries the same timestamp as the line before it.
rp_list -t . > /tmp/rp.body
mactime -b /tmp/rp.body
Thu Oct 09 2008 00:27:28 4096 ...b 16895 0 0 36534 Restore Point (RP190) - System Checkpoint
Sun Oct 12 2008 16:41:07 4096 ...b 16895 0 0 36475 Restore Point (RP191) - System Checkpoint
                         4096 m.c. 16895 0 0 36534 Restore Point (RP190) - System Checkpoint
Mon Oct 13 2008 21:57:39 4096 m.c. 16895 0 0 36475 Restore Point (RP191) - System Checkpoint
Mon Oct 13 2008 21:57:47 8192 ...b 16895 0 0 34410 Restore Point (RP192) - System Checkpoint
Tue Oct 14 2008 18:36:08 4096 .a.. 16895 0 0 36475 Restore Point (RP191) - System Checkpoint
Sat Oct 18 2008 01:40:42 8192 m.c. 16895 0 0 34410 Restore Point (RP192) - System Checkpoint
....
It is also possible to pass -h HOST to the script to include a host name in the timeline. The body file is formatted according to the TSK 3.0+ specification, but the -l (legacy) switch produces the older body file format read by earlier TSK versions.
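As an added example (this is not the rp_list script from this post, nor Carvey's code), the following Python script does the same job on a Linux analysis box: it walks a _restore{GUID} directory, parses each RPnnn/rp.log and prints either the plain listing or TSK 3.x body file records for mactime. The rp.log layout it relies on (a NUL-terminated UTF-16LE description at offset 0x10 and the creation FILETIME in the last 8 bytes of the file) is an assumption taken from public descriptions of the format, the -H host switch is this script's own choice (argparse reserves -h), and build_rp_log exists only to construct test data in that assumed layout.

```python
#!/usr/bin/env python3
"""List Windows XP restore points, or emit a TSK 3.x body file for mactime.

Added example, not the rp_list script from the post. The rp.log layout
assumed here (UTF-16LE description at 0x10, FILETIME in the last 8 bytes)
comes from public format descriptions; check it against real files.
"""
import os
import struct
import sys
import time

FILETIME_EPOCH_DELTA = 11644473600   # seconds from 1601-01-01 to 1970-01-01
DESC_OFFSET = 0x10                   # assumed offset of the description
MAX_DESC_BYTES = 0x200               # assumed upper bound on its length


def filetime_to_unix(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601) to Unix seconds, UTC."""
    return filetime // 10_000_000 - FILETIME_EPOCH_DELTA


def parse_rp_log(data):
    """Return (description, creation time as Unix seconds) from rp.log bytes."""
    if len(data) < DESC_OFFSET + 8:
        raise ValueError("rp.log too short to hold a description and a FILETIME")
    raw = data[DESC_OFFSET:DESC_OFFSET + MAX_DESC_BYTES]
    # The description is NUL-terminated UTF-16LE: stop at the first 0x0000 code unit.
    end = len(raw) - len(raw) % 2
    for i in range(0, end, 2):
        if raw[i] == 0 and raw[i + 1] == 0:
            end = i
            break
    description = raw[:end].decode("utf-16-le", errors="replace")
    (filetime,) = struct.unpack("<Q", data[-8:])   # assumed: FILETIME ends the file
    return description, filetime_to_unix(filetime)


def rp_sort_key(name):
    """Order RPnnn directories numerically (RP9 before RP190); anything else last."""
    digits = name[2:]
    if name.upper().startswith("RP") and digits.isdigit():
        return (0, int(digits))
    return (1, 0)


def collect_restore_points(restore_dir):
    """Return [(rp_name, description, crtime, stat)] for every RPnnn/rp.log found."""
    found = []
    for name in sorted(os.listdir(restore_dir), key=rp_sort_key):
        rp_dir = os.path.join(restore_dir, name)
        log = os.path.join(rp_dir, "rp.log")
        if not (name.upper().startswith("RP") and os.path.isfile(log)):
            continue
        with open(log, "rb") as fh:
            description, crtime = parse_rp_log(fh.read())
        # Inode, mode, size and a/m/c times describe the RPnnn directory, as in the post.
        found.append((name, description, crtime, os.lstat(rp_dir)))
    return found


def body_line(name, description, crtime, st, host=None):
    """One TSK 3.x body record: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime."""
    label = "Restore Point (%s) - %s" % (name, description)
    if host:
        label = "%s:%s" % (host, label)   # host prefix; this script's own convention
    fields = (0, label, st.st_ino, st.st_mode, st.st_uid, st.st_gid, st.st_size,
              int(st.st_atime), int(st.st_mtime), int(st.st_ctime), crtime)
    return "|".join(str(f) for f in fields)


def listing_lines(restore_points):
    """Plain listing in the style of the default output; times are UTC."""
    lines = ["=" * 64, "%-7s %-24s %s" % ("RP", "Name", "Date"), "-" * 64]
    for name, description, crtime, _ in restore_points:
        stamp = time.asctime(time.gmtime(crtime))
        lines.append("%-7s %-24s %s" % (name, description, stamp))
    return lines


def build_rp_log(description, unix_time):
    """Construct a minimal rp.log in the assumed layout (test data, not a real file)."""
    filetime = (unix_time + FILETIME_EPOCH_DELTA) * 10_000_000
    return (b"\x00" * DESC_OFFSET
            + description.encode("utf-16-le") + b"\x00\x00"
            + struct.pack("<Q", filetime))


def main(argv):
    import argparse
    ap = argparse.ArgumentParser(description="List XP restore points or write a TSK body file")
    ap.add_argument("directory", help="the _restore{GUID} directory on the mounted image")
    ap.add_argument("-t", "--timeline", action="store_true", help="body file output for mactime")
    ap.add_argument("-H", "--host", help="host name to prefix the names with (timeline mode)")
    args = ap.parse_args(argv)
    rps = collect_restore_points(args.directory)
    if args.timeline:
        for rp in rps:
            print(body_line(*rp, host=args.host))
    else:
        print("\n".join(listing_lines(rps)))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Point it at the _restore directory on the mounted image with -t, redirect the output to a body file and run mactime -b on it exactly as above. The FILETIME in rp.log is UTC, so pass -z to mactime if you want the timeline shown in the suspect host's time zone rather than that of the analysis box.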