With SteadyState enabled, is forensic recovery of the hard drive possible?

  • Question

  • I am with the IT dept. of a large library in NCentral Florida, and all of our patron PCs have SteadyState enabled. We occasionally have to call the authorities, or have the authorities call us, due to patrons viewing objectionable materials (i.e. child pornography) and also due to threats made via the internet (i.e. bomb threats, etc.).
    The questions are:
    a) If SteadyState is enabled and the PC is rebooted, is forensic recovery of the hard drive still possible?
    b) If so, and a patron is caught doing something illegal, what is the proper way to shut down the computer so as to not lose evidence?
    c) Should the PC be shut down in the regular fashion and just not turned back on? Should it be turned off with a 5-10 second press of the PC power button? Or just unplugged from the wall socket?

    We are trying to write a Standard Operating Procedure for staff on how to treat the PC when this occurs, so as to enable law enforcement to retrieve whatever data is needed to investigate the case.
    Tuesday, April 7, 2009 3:01 PM

Answers

  • a) If SteadyState is enabled and the PC is rebooted, is forensic recovery of the hard drive still possible?
    Yes.  The cache file is not encrypted nor zeroed at boot.  However, actually reconstructing the data will require a substantial amount of technical expertise and familiarity with the structures within the cache file.

    However, I propose a simpler method next:

    b) If so, and a patron is caught doing something illegal, what is the proper way to shut down the computer so as to not lose evidence?
    The easiest thing to do is to *NOT* reboot or shut down.  Instead, log on as administrator, open SteadyState, click on Windows Disk Protection, and select to keep changes temporarily.  Select a date far enough in the future that you'll have time to examine the data.  Then it's safe to shut the machine down (gracefully!), and make sure no one else uses the machine.

    If the machine is not shut down gracefully, Windows Disk Protection will revert to discard mode, so retrieving the data will require the aforementioned technical expertise.

    Note, though, that if the user account in use is *locked*, logging that user off will erase his temporary profile and potentially all traces of his activities.  In this case, it's best to just shut down gracefully and not restart the computer.  Data recovery in this scenario will require the drive to be attached to another machine.  The file system on the drive being recovered must not be altered in order to ensure full recovery of the data.  If the system boots up again, the drive's state is altered and full recovery may not be possible, as portions of the cache file will be overwritten as the system starts up.


    Thanks,
    Rob Elmer
    Development Lead
    Windows SteadyState
    Saturday, April 11, 2009 3:54 AM

All replies

  • Hi soulsketcher, thanks for the post. First of all, please let me know what "forensic recovery" refers to. Does it mean going back to factory settings by using an image on another partition?

    If you have enabled Windows Disk Protection, we recommend you shut down the computer properly. Otherwise, WDP can be reset by pressing the power button or unplugging from the socket.


    Sean Zhu - MSFT
    Thursday, April 9, 2009 5:57 AM
    Moderator
  • Hey Rob,

    Can you please elaborate more on the cache file structure?

    Thanks
    Tuesday, June 16, 2009 10:44 AM