SANS Digital Forensics and Incident Response Blog: Tag - System state

System State Backup

The Windows system state backup is in effect a backup of the complete system. Everything present on the system is copied to the backup, so that no data or information is lost when the system crashes, driver files become corrupted, or certain system files stop the system from functioning properly. For forensic analysis of evidence on a Windows system, backing up a system's registry is insufficient. An extensive backup of data is essential so that the system can be secured against any malfunctions.

This is most commonly an issue when conducting a live analysis.

A full system state backup saves the: