My Road to Digital Forensics Excellence

SteadyState Test Setup

Posted by Paul Bobby on November 7, 2008

I’ve established the following Baseline for my SteadyState tests.

  1. Dell Laptop with 40Gbyte drive
  2. The entire drive was wiped using BCWipePD with the single byte 0x00
  3. The drive was partitioned to have a 16Gbyte “C” partition for the OS, and a 2Gbyte “D” partition. The remainder is left unused
  4. An external hard drive was prepared with two 32Gbyte FAT32 partitions for image storage
  5. Vista Professional 32bit was installed on the laptop and patched (SP1 not installed, OS not activated)
  6. SteadyState was installed with Hard Drive protection enabled

When conducting my tests, I use the following repeatable process:

  1. Ethernet cable is disconnected
  2. Laptop booted with Helix
  3. External hard drive connected and one of the partitions mounted (mount -o rw /dev/sdb1 /media/sdb1)
  4. Images are created using LinEn, medium compression (generates 4Gbytes of files)

This process was followed to create a SteadyState-Baseline evidence set along with a Hash Set of the filesystem contents to be used for later comparison.
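The baseline hash set is only useful once there is a second set to compare it against, so here is an added example (my own code, not the post's, and not a substitute for the EnCase/LinEn workflow above) of the comparison step: hash every regular file under a mounted tree, store the result in a `sha256sum`-style list that can sit next to the image files, and diff a later set against the baseline to list added, removed and changed paths. The directory layout and file contents are constructed inline to stand in for the baseline and post-test filesystems; the function names are my own. A plain directory walk only sees ordinary files, so the NTFS metafiles the post goes on to mention would still need to be hashed from the image with a forensic tool.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large evidence files are never read whole into memory


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Digest of one file's contents (hex), streamed in CHUNK-sized blocks."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_hash_set(root: Path, algo: str = "sha256") -> dict[str, str]:
    """Map every regular file below root (path relative to root, POSIX separators) to its digest.
    Symlinks are skipped so the set describes the tree itself, not whatever a link points at."""
    hashes: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order makes two runs over the same tree produce identical files
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            hashes[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return hashes


def write_hash_set(hashes: dict[str, str], out: Path) -> None:
    """Persist as 'digest  path' lines, the same layout sha256sum -c understands."""
    with out.open("w", encoding="utf-8") as f:
        for rel in sorted(hashes):
            f.write(f"{hashes[rel]}  {rel}\n")


def read_hash_set(src: Path) -> dict[str, str]:
    """Inverse of write_hash_set."""
    hashes: dict[str, str] = {}
    with src.open("r", encoding="utf-8") as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            hashes[rel] = digest
    return hashes


def compare_hash_sets(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, removed or changed between two hash sets."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "changed": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: two small trees standing in for the baseline and post-test filesystems."""
    with tempfile.TemporaryDirectory() as tmp:
        base, post = Path(tmp) / "baseline", Path(tmp) / "after"
        for root in (base, post):
            (root / "Windows/System32").mkdir(parents=True)
            (root / "Users/paul").mkdir(parents=True)
            (root / "Windows/System32/kernel32.dll").write_bytes(b"stand-in for an unchanged system file")
            (root / "Users/paul/notes.txt").write_text("baseline notes")
        # Differences introduced "during the test"
        (post / "Users/paul/notes.txt").write_text("edited during test")   # changed
        (post / "Users/paul/new.docx").write_bytes(b"created during test")  # added
        (base / "Users/paul/temp.tmp").write_bytes(b"removed during test")  # removed

        listing = Path(tmp) / "baseline.sha256"
        write_hash_set(build_hash_set(base), listing)          # stored beside the image files
        return compare_hash_sets(read_hash_set(listing), build_hash_set(post))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run it as a script to see the three lists; in practice `build_hash_set` is pointed at the read-only mount of each image and the `.sha256` file is kept with the evidence so the baseline can be re-verified later.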

One thing of note is that EnCase does not hash NTFS metafiles, and so I use the following EnScript to hash any file I select. (Thank you Gary Brown)

