The paper presents a method for solving the problem of recovery the sequence of file operations in the Windows operating system using graph theory. The process of changing timestamps is represented as a directed graph, in which the vertices are the states of the timestamps of the file, and the edges are the file operations that were performed on the file. To restore the sequence of file operations, you need to determine all possible routes between the vertices. The paper considers and describes algorithms for searching routes in depth and width. The conclusion is made about the preference of the search in depth. The results of its application are demonstrated in several examples.