We discussed the Registry files maintained in Windows XP System Restore Points in a separate topic. In this topic, we will address the other log files maintained within those restore points.

Rp.log is the restore point log file located within the restore point (RPxx) directory. This restore point log contains a value indicating the type of the restore point, a descriptive name for the restore point creation event (i.e., application or device driver installation, application uninstall, or the like), and the 64-bit FILETIME object indicating when the restore point was created. The restore point type is a 4-byte (DWORD) value starting at the fourth byte of the file. The description of the restore point is a null-terminated Unicode string that starts at offset 16 (0x10) within the file, and the creation date/time is the 8-byte (QWORD) FILETIME value located at offset 528 (0x210) within the file.

System restore points will be created when applications and unsigned drivers are installed, when a Windows AutoUpdate installation is performed, and when a restore operation is performed. Many times, you'll see the description System Checkpoint, which is the restore point that is created by Windows XP every 24 hours (default setting). Restore points can also be created manually. When a restore point is created, a description of the event that caused the restore point creation is written to the rp.log file. The description for the restore point can be useful to the investigator, particularly if he's looking for information regarding the installation or removal of an application: together with the creation time, it might tell the investigator the date that a particular application was installed or removed. I've also seen descriptions such as Installed QuickTime, Removed ProDiscover 4.8a, and Installed Windows Media Player 11 on systems. The description Software Distribution Service refers to Windows Updates being installed.

The Perl script (located on the accompanying DVD) is a ProScript that you can use with ProDiscover to retrieve information from the rp.log files located in the restore point directories of an image of a Windows XP system (that is open in ProDiscover). The script opens the rp.log file within each restore point directory and retrieves the description of the restore point and the date that the restore point was created. You can run the separate Perl script sr.pl on a live system to collect the same information about restore points; rather than parsing rp.log, it implements the SystemRestore Windows Management Instrumentation (WMI) class to access the RestorePointType, Description, and CreationTime values for each restore point and display them to the user.

Yet another aspect of the Windows operating system that changed with the advent of Vista is the underlying architecture of how the Recycle Bin is implemented. As with previous versions of Windows, files deleted by a user are still associated with the user's SID, but they are now found in the C:\$Recycle.Bin directory. Where Vista continues to handle deleted files differently is that a deleted file is renamed to "$R", followed by a series of six random characters, and then the original file extension. Then, a second file of the same name, with "$I" instead of "$R", is created that contains information similar to what is found in the INFO2 file. However, this "index" file within the Vista Recycle Bin contains only the original filename, the file's original size, and the date and time the file was deleted. Although this is transparent to the user, the change provides a very useful resource to the forensic analyst, as Mitchell Machor addressed in his paper, "The Forensic Analysis of the Microsoft Windows Vista Recycle Bin" (
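The following Python parser is an added example and is not code from the book, its DVD scripts or ProDiscover; it handles both records discussed in this topic, the XP rp.log restore point log and the Vista $I Recycle Bin index, sharing one FILETIME conversion routine. The rp.log offsets for the description (0x10) and the creation FILETIME (0x210) come from the text; placing the type DWORD at offset 0x04 reads the text's "fourth byte" as a zero-based offset, which is an assumption, as is the RestorePointType name table taken from the SystemRestore WMI class documentation. The $I layout (QWORD version, QWORD original size, QWORD deletion FILETIME, then a fixed 520-byte UTF-16LE path field) is not stated on the page and is assumed from the published Vista/7 format. Every sample record below is constructed inside the file, not taken from a real system.

```python
"""Parse Windows XP rp.log and Vista $I Recycle Bin index records (added example)."""
import re
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """64-bit FILETIME -> timezone-aware datetime in UTC (rounded to microseconds)."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the constructed samples."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def read_utf16le_cstring(data, offset, max_bytes):
    """Null-terminated UTF-16LE string at offset; never reads past offset + max_bytes."""
    limit = min(len(data), offset + max_bytes)
    end = offset
    while end + 2 <= limit and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[offset:end].decode("utf-16-le", errors="replace")


# --- rp.log (XP restore point log) ---------------------------------------
RP_TYPE_OFFSET = 0x04   # assumption: the text's "fourth byte" read as zero-based offset 4
RP_DESC_OFFSET = 0x10   # from the text: null-terminated Unicode description
RP_TIME_OFFSET = 0x210  # from the text: 8-byte creation FILETIME
RP_LOG_MIN_LEN = RP_TIME_OFFSET + 8

# RestorePointType values as documented for the SystemRestore WMI class
# (not listed on the page; included only to label the parsed value).
RP_TYPES = {0: "APPLICATION_INSTALL", 1: "APPLICATION_UNINSTALL",
            10: "DEVICE_DRIVER_INSTALL", 12: "MODIFY_SETTINGS", 13: "CANCELLED_OPERATION"}


def parse_rp_log(data):
    """Return type, description and creation time from the bytes of one rp.log."""
    if len(data) < RP_LOG_MIN_LEN:
        raise ValueError("rp.log truncated: %d bytes, need %d" % (len(data), RP_LOG_MIN_LEN))
    rp_type = struct.unpack_from("<I", data, RP_TYPE_OFFSET)[0]
    desc = read_utf16le_cstring(data, RP_DESC_OFFSET, RP_TIME_OFFSET - RP_DESC_OFFSET)
    ft = struct.unpack_from("<Q", data, RP_TIME_OFFSET)[0]
    return {"type": rp_type, "type_name": RP_TYPES.get(rp_type, "UNKNOWN(%d)" % rp_type),
            "description": desc, "created": filetime_to_datetime(ft)}


# --- $I (Vista Recycle Bin index) ----------------------------------------
DOLLAR_I_PATH_OFFSET = 0x18   # assumption: after three QWORDs (version, size, FILETIME)
DOLLAR_I_PATH_BYTES = 520     # assumption: fixed-width UTF-16LE path field in Vista/7
DOLLAR_I_MIN_LEN = DOLLAR_I_PATH_OFFSET + 2


def parse_dollar_i(data):
    """Return original path, original size and deletion time from one $I file."""
    if len(data) < DOLLAR_I_MIN_LEN:
        raise ValueError("$I truncated: %d bytes" % len(data))
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    path = read_utf16le_cstring(data, DOLLAR_I_PATH_OFFSET, DOLLAR_I_PATH_BYTES)
    return {"version": version, "original_size": size,
            "deleted": filetime_to_datetime(ft), "original_path": path}


_R_NAME = re.compile(r"^\$R[A-Za-z0-9]{6}(\.[^\\/]*)?$")


def index_name_for(r_name):
    """Map a renamed data file ($R + six characters + extension) to its $I index name."""
    if not _R_NAME.match(r_name):
        raise ValueError("not a Vista Recycle Bin $R name: %r" % r_name)
    return "$I" + r_name[2:]


# --- constructed sample records (not real evidence) -----------------------
def build_rp_log(rp_type, description, created):
    buf = bytearray(RP_LOG_MIN_LEN)
    struct.pack_into("<I", buf, RP_TYPE_OFFSET, rp_type)
    enc = description.encode("utf-16-le") + b"\x00\x00"
    buf[RP_DESC_OFFSET:RP_DESC_OFFSET + len(enc)] = enc
    struct.pack_into("<Q", buf, RP_TIME_OFFSET, datetime_to_filetime(created))
    return bytes(buf)


def build_dollar_i(size, deleted, path):
    buf = bytearray(DOLLAR_I_PATH_OFFSET + DOLLAR_I_PATH_BYTES)
    struct.pack_into("<QQQ", buf, 0, 1, size, datetime_to_filetime(deleted))
    enc = path.encode("utf-16-le") + b"\x00\x00"
    buf[DOLLAR_I_PATH_OFFSET:DOLLAR_I_PATH_OFFSET + len(enc)] = enc
    return bytes(buf)


SAMPLE_RP_LOG = build_rp_log(0, "Installed QuickTime",
                             datetime(2007, 3, 14, 9, 30, tzinfo=timezone.utc))
SAMPLE_DOLLAR_I = build_dollar_i(18432, datetime(2007, 6, 2, 17, 5, 41, tzinfo=timezone.utc),
                                 r"C:\Users\analyst\Documents\notes.txt")

if __name__ == "__main__":
    rp = parse_rp_log(SAMPLE_RP_LOG)
    print("rp.log: %-22s %s  %s" % (rp["type_name"], rp["created"].isoformat(), rp["description"]))
    rec = parse_dollar_i(SAMPLE_DOLLAR_I)
    print("$I:     %s  %d bytes  %s" % (rec["deleted"].isoformat(), rec["original_size"], rec["original_path"]))
    print("index for $RABC123.txt ->", index_name_for("$RABC123.txt"))
```

On a real image, feed `parse_rp_log` the bytes of each `RPxx\rp.log` and `parse_dollar_i` the bytes of each `$I` file under the user's SID directory in `C:\$Recycle.Bin`; both parsers bound the string reads so a truncated or carved file raises `ValueError` instead of decoding garbage past the record. The times come out in UTC, which is how FILETIME is stored; convert to local time only when reporting alongside other local-time artifacts.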