Investigating computer intrusions can be a complicated matter. Attackers are continually hiding their malicious code, erasing or modifying log files, and finding new techniques to minimize the trace evidence they leave behind. After reviewing nearly 200 compromised systems in the last 12 months, I have often become frustrated with the lack of evidence found on victim systems after the intrusions took place. In fact, the exploitation and post-exploitation techniques used by current attackers almost always thwart traditional physical media analysis practiced by the majority of computer forensic examiners.

Therefore, we have to continually improve our techniques and add investigative steps that used to be rare but now must become commonplace in the forensic examinations we perform in support of computer intrusion cases. One such step we have added to our repertoire is in-depth examination of System Restore points.

This article is the result of a case study of an investigation conducted in the United States. The case demonstrates how computer forensic examiners can review System Restore points to establish an event timeline and unearth well-hidden clues that help explain how a computer system was compromised. Without review of the System Restore points, our investigation would have fallen far short of answering the questions posed by the case.
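The timeline step mentioned above starts with the `rp.log` file inside each `System Volume Information\_restore{GUID}\RP###` directory. The script below is an added example, not code from the article or its author: it parses `rp.log` as a `RESTOREPOINTINFO` structure (`DWORD dwEventType`, `DWORD dwRestorePtType`, `INT64 llSequenceNumber`, `WCHAR szDescription[256]`, as declared in `SrRestorePtApi.h`) followed by a trailing `FILETIME` creation timestamp, and orders the restore points by creation time. The type-code names are recalled from that header and should be checked against it; the three sample `rp.log` files are constructed here so the script runs offline, and `load_rp_logs_from_image` is an assumed helper for a mounted or exported `System Volume Information` tree.

```python
"""Build an event timeline from Windows XP System Restore rp.log files.

Added example, not code from the original article. Layout assumptions:
rp.log opens with a RESTOREPOINTINFO structure (SrRestorePtApi.h):
  DWORD dwEventType, DWORD dwRestorePtType, INT64 llSequenceNumber,
  WCHAR szDescription[256]
and the file ends with a FILETIME holding the restore point creation time.
"""
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Restore point and event type codes (assumption: recalled from SrRestorePtApi.h,
# verify against the header before relying on the names in a report).
RP_TYPES = {
    0: "APPLICATION_INSTALL", 1: "APPLICATION_UNINSTALL", 6: "RESTORE",
    7: "CHECKPOINT", 10: "DEVICE_DRIVER_INSTALL", 11: "FIRSTRUN",
    12: "MODIFY_SETTINGS", 13: "CANCELLED_OPERATION", 14: "BACKUP_RECOVERY",
}
EVENT_TYPES = {100: "BEGIN_SYSTEM_CHANGE", 101: "END_SYSTEM_CHANGE",
               102: "BEGIN_NESTED_SYSTEM_CHANGE", 103: "END_NESTED_SYSTEM_CHANGE"}


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; exact for microsecond-aligned times."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_rp_log(data: bytes) -> dict:
    """Return event type, restore point type, sequence number, description and creation time."""
    if len(data) < 16 + 2 + 8:  # header + at least one WCHAR + trailing FILETIME
        raise ValueError("rp.log too short: %d bytes" % len(data))
    event_type, rp_type, seq = struct.unpack_from("<IIq", data, 0)
    # Description is NUL-terminated UTF-16LE; everything between the header and
    # the trailing FILETIME is the fixed-size szDescription field.
    desc_raw = data[16:-8]
    desc_raw = desc_raw[: len(desc_raw) & ~1]  # drop a dangling odd byte, if any
    description = desc_raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    (ft,) = struct.unpack_from("<Q", data, len(data) - 8)
    return {
        "event_type": EVENT_TYPES.get(event_type, str(event_type)),
        "rp_type": RP_TYPES.get(rp_type, str(rp_type)),
        "sequence": seq,
        "description": description,
        "created": filetime_to_datetime(ft),
    }


def build_rp_timeline(rp_logs: dict) -> list:
    """Parse {RP directory name: rp.log bytes} and order entries oldest first."""
    rows = []
    for rp_dir, data in rp_logs.items():
        entry = parse_rp_log(data)
        entry["rp"] = rp_dir
        rows.append(entry)
    return sorted(rows, key=lambda e: e["created"])


def load_rp_logs_from_image(sr_root) -> dict:
    """Collect every _restore{GUID}/RP###/rp.log under a mounted System Volume Information.

    Assumed helper for real evidence; the sample data below does not use it.
    """
    return {p.parent.name: p.read_bytes()
            for p in Path(sr_root).glob("_restore*/RP*/rp.log")}


def make_rp_log(event_type, rp_type, seq, description, created) -> bytes:
    """Build a synthetic rp.log in the layout above (constructed test data only)."""
    desc = description.encode("utf-16-le").ljust(512, b"\x00")[:512]
    return (struct.pack("<IIq", event_type, rp_type, seq) + desc
            + struct.pack("<Q", datetime_to_filetime(created)))


# Constructed sample: three restore points from an imagined XP system, deliberately
# not in directory-number order to show that the timeline sorts by creation time.
SAMPLE_RP_LOGS = {
    "RP14": make_rp_log(100, 0, 14, "Installed Sample Application",
                        datetime(2006, 3, 15, 2, 17, 40, tzinfo=timezone.utc)),
    "RP12": make_rp_log(100, 7, 12, "System Checkpoint",
                        datetime(2006, 3, 14, 9, 0, tzinfo=timezone.utc)),
    "RP13": make_rp_log(100, 10, 13, "Installed network driver",
                        datetime(2006, 3, 14, 23, 48, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for e in build_rp_timeline(SAMPLE_RP_LOGS):
        print("%s  %s  seq=%d  %-22s  %s" % (e["created"].isoformat(), e["rp"],
                                              e["sequence"], e["rp_type"], e["description"]))
```

Reading the timestamp from the last eight bytes rather than a fixed offset keeps the parser working if a description field is shorter than 256 WCHARs; the length check rejects truncated files instead of producing a bogus 1601-era timestamp. On real evidence, pair each `rp.log` entry with the directory's `change.log` and renamed `A00#####.ext` copies to see which files were captured in that window.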

Download PDF: Forensic Analysis of System Restore Points in Microsoft Windows XP