My Road to Digital Forensics Excellence

SteadyState – Test1

Posted by Paul Bobby on November 7, 2008

With Windows Disk Protection enabled, nothing should be written to the hard drive outside of the SteadyState Cache file. Is this actually the case?

I created two text files under C:\Users\pbobby\Documents. One file was called “res-text.txt”, a small text file with just enough data to keep it resident. The second was called “non-res.txt”, another text file, but this time with enough data to ensure it was non-resident.

At this point I shutdown the laptop, gracefully, and selected the Windows SteadyState option “Continue and Remove all Changes”. Following this shutdown I executed the imaging process mentioned previously.

Once completed, the laptop was allowed to boot, log in, and settle down to ensure SteadyState had finished, Superfetch had finished etc etc. No changes were made to the laptop beyond the OS simply being allowed to perform its bootup routine. The laptop was shutdown a second time, picking the same “Continue and Remove” option and reimaged once again.

For this test I have four datasets:

  • SteadyState-Baseline
  • Test-set1 (First shutdown – the cache not yet erased)
  • Test-set2 (Second shutdown – the cache erased and prepared for a new bootup)
  • Hash set, “Steadystate-Baseline” classified as “Known”

After applying the hash set to Test-set1 and Test-set2 the following differences were noted:

  1. Test-set1: C:\Boot\bootstat.dat
  2. Test-set1: C:\Cache.WDP
  3. Test-set2: C:\Boot\bootstat.dat
  4. Test-set2: C:\Cache.WDP

Furthermore, the files were different from each other on both Test-sets. This is encouraging – I expected the Windows SteadyState cache file to change, but didn’t know about bootstat.dat. I’ll have to read up on that file, as it’s something new with Vista.

These weren’t the only file system changes – Encase does not hash NTFS metafiles (although it does hash the UsnJrnl file). So let’s do that now.

  1. The $MFT is the only NTFS metafile that changes – expected considering the metadata changes to the Cache.WDP file and the bootstat.dat file.
  2. The $Logfile and the $UsnJrnl files were not changed.

What changed in the $MFT? Just the entries for cache.wdp and bootstat.dat? Time to break out UltraEdit and compare.

Oh! It turns out that only the MFT record for C:\Boot\Bootstat.dat has changed! The MFT record for Cache.WDP has not changed. And looking at the timestamp information for this file across all three data sets verifies that. Sweet. The only change in $MFT comes from bootstat.dat – maybe in Windows XP even that goes away.

This comes in handy – I can now just copy the Cache.WDP file every time I do a test instead of imaging the entire drive.

Let’s shift focus to the C:\Cache.WDP file.

To be continued….


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: