SANS Digital Forensics and Incident Response Blog

System State Backup

The Windows system state backup is in effect a backup of the complete system. Everything that is present within the system will be copied as backup so that no data or information is lost whenever there is a system crash or corruption of the driver files, if certain system files stop the system from functioning properly. To perform a forensic analysis of evidence on a Windows system, backing up a system's registry is insufficient. An extensive backup of data is essential so that the system can be secured against any malfunctions.

This is most commonly an issue when conducting a live analysis.

A full system state backup saves the:

  • Active Directory (NTDS),
  • Windows Boot files,
  • COM+ class registration database,
  • Registry,
  • System volume (SYSVOL), and
  • The IIS metabase.

The process to create a System State Backup is simple:

  • Go to Start > Programs > Accessories > System Tools > Backup,
  • In the Backup tab, check the System State box,
  • Select the Schedule Job tab and Select Add Job button,
  • Select Yes and choose "media options"
  1. Media type,
  2. Location, and
  3. Backup name.
  • Select Next and check that the Normal option is selected, and then Select Next again.
  • When backing-up to disk there is no need to verify data. Select Next.
  • Choose if you want to append to or replace an existing backup. Select Next.
  • Schedule the backup. Select Next.
  • Set the account to one that has the required permission to run the backup.
  • Select Finish.

A good deal of information is available from and is stored within the Windows system state. Don't overlook it.

Craig Wright is a Director with Information Defense in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial law and ecommerce law as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Stuart University where he is helping to launch a Masters degree in digital forensics. He is engaged in his second doctorate, a PhD on the quantification of information system risk at CSU.


Posted July 13, 2009 at 5:09 PM | Permalink | Reply

John O

Are there any good links to resources that outline the impact to the system during a live anlaysis/system state backup? There may really be a great value to an investigation, but I it would be handy to know what happens on the back end so you can weigh the pros and cons.