SANS Digital Forensics and Incident Response Blog: Tag - backup

The Failed Hard Drive, the Toaster Oven, and a Little Faith

OK, everyone knows that heat kills electronic components, right? Never subject any electronic component to heat. Unless that makes the component work, that is…

Confession is good for the soul, they say, but bad for the reputation. So I'll tell the story this way. You see, there was this "friend of mine" whose hard drive failed. I mean, it was working fine the night before when I, er, he shut down his computer. But the next morning he turned it on and all he got was "shicka, shicka, shicka, shicka, shicka," then a pause, then five more attempts, then five more, and so on until the drive finally said "sorry…" and shut itself off. Now this guy hasn't been taking his own advice about backups for a while and - you guessed it - he hadn't backed up his Quicken off drive

...


System State Backup

The Windows system state backup is, in effect, a backup of the complete system. Everything present on the system is copied, so that no data or information is lost when the system crashes, driver files become corrupted, or certain system files stop the system from functioning properly. For a forensic analysis of evidence on a Windows system, backing up the registry alone is insufficient. An extensive backup of data is essential so that the system can be secured against any malfunctions.

This is most commonly an issue when conducting a live analysis.

A full system state backup saves the: