A comparative methodology for the reconstruction of digital events using windows restore points

This paper describes a methodology for the reconstruction of digital events by comparing states captured in time. Microsoft Windows Restore Point data is used to illustrate how to organize captured state information into a useful timeline of user and system events. It is shown that by comparing consecutive states, events can be uncovered that would otherwise be unknown by analysis of the current system state alone.