Greetings,
I am searching for detailed information on the purpose and structure of the OBJECTS.DATA file, located in restore point (RPx) folders. After spending the better part of several days searching, the most informative source I have discovered exists in one line at the following TechNet URL: WMI Infrastructure Article. And, unfortunately, it's a bit light on detail.
My interest in this particular file has its origins in an examination I performed. In the exam, I searched for particular artifacts (executable files) and discovered detailed information such as name, path, hash, last run time, author, user, and product language embedded within the OBJECTS.DATA. While some of the actual artifacts did not exist on the system, the trail in this file provided excellent "fingerprinting" which I could use to flesh out a timeline analysis and reach other relevant conclusions. I have noticed in this and other examinations that the existence of these fingerprints seems to coincide with the presence of Client Configuration Manager (CCM).
My goal is to gather the details (purpose, structure, OS interaction) of this file and provide a correlation as to when it might be a useful source of forensic artifacts. If anyone can offer assistance or guidance, I'd be grateful.
Thank you, in advance.