Mastering Windows Network Forensics and Investigation, 2nd Edition by Scott Pearson, Ryan Johnson, Steve Bunting, Steven Anson

Chapter 9: Registry Evidence

Locate and mount Windows XP registry hive files stored in restore points and analyze restore point registry settings to determine before-and-after intrusion settings. Windows XP shipped with a system that creates restore points, which are folders containing snapshots of system settings and files that have been added to the system since the previous restore point. Restore points are created daily and at other special times. Their purpose is to enable you to recover the system to a very recent working state should things go wrong. For the forensic examiner, restore points are extremely valuable time capsules containing evidence of system settings. In intrusion investigations, they are valuable in determining before-and-after intrusion ...
