Forensic analysis of System Restore points in Microsoft Windows XP

Investigating computer intrusions is becoming infinitely more complicated with the advancement of post-exploitation techniques currently being used by attackers. We must continually update our traditional forensic techniques to include the more rare investigative steps. Analysis of System Restore points is one of these steps. This article will illustrate how a forensic examiner analyzed System Restore points to reveal traces of evidence which ultimately lead to the complete understanding of the computer and subsequent bank account compromises.