Startup Repair / Boot Configuration Data (BCD)
Location
\Boot\BCD on the active system partition of BIOS/MBR installs (usually the hidden "System Reserved" volume, so it is normally not visible as C:\Boot\BCD from a running system), \EFI\Microsoft\Boot\BCD on the EFI System Partition of UEFI installs, C:\Windows\System32\LogFiles\SRT\SRTTrail.txt, and C:\Windows\Panther\setupact.log
Description
Boot Configuration Data (BCD) is a registry-hive-format store holding the boot manager settings, one OS loader object per bootable Windows installation, and boot-time options such as driver loading, debugging, and code-integrity settings. SRTTrail.txt is written by Startup Repair (SRT) and records each repair session: the tests run, the root cause it identified, and the repair action taken. setupact.log in the Panther directory records Windows Setup and in-place upgrade actions, including servicing of boot-time components.
Forensic Value
The BCD store reveals boot-level persistence that executes before the operating system loads: added or altered OS loader objects whose path points at something other than the stock winload.exe/winload.efi (a bootkit), boot-time driver settings, and code-integrity settings (testsigning, nointegritychecks) relaxed so that unsigned kernel-mode code can load. Ransomware operations frequently disable the Windows Recovery Environment (bcdedit /set {default} recoveryenabled No, usually paired with bcdedit /set {default} bootstatuspolicy ignoreallfailures) so the victim cannot roll back; shadow copy deletion is a separate vssadmin or wmic step that leaves no trace in the BCD but is typically run alongside these changes. Because the BCD is a registry hive, these modifications persist across reboots and survive in a disk image. SRTTrail.txt captures the Startup Repair diagnostics, including the root cause it identified, which can point at system files corrupted by destructive malware or a bootkit installation. Comparing the BCD against a known-good baseline from the same Windows build (object identifiers, loader paths, device/osdevice values, and integrity settings) identifies unauthorized loader entries or relaxed integrity checks that indicate a rootkit or bootkit.
Tools Required
Collection Commands
bcdedit (run from an elevated prompt; add /v to print raw GUIDs instead of well-known names such as {current}, or /store <path> to enumerate a copied BCD hive from an offline image)
bcdedit /enum all > C:\output\bcd_enum.txt
KAPE
kape.exe --tsource C: --tdest C:\output --target BootConfig
PowerShell
Copy-Item "C:\Windows\System32\LogFiles\SRT\SRTTrail.txt" -Destination C:\output\
Copy-Item "C:\Windows\Panther\setupact.log" -Destination C:\output\
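The baseline comparison described under Forensic Value and the bcdedit /enum all dump collected above can be triaged with the following script. It is an added example for this page, not code from bcdedit, KAPE or Microsoft. It parses the text layout bcdedit prints, flags the recovery, boot-status and code-integrity settings named above, compares each object's path with the stock winload/bootmgfw locations, and reports OS loader identifiers that are missing from a baseline set. The sample dump, its GUIDs, the \Windows\Temp\svchost.efi path and the {current}-only baseline are constructed for illustration.

```python
"""Triage a saved `bcdedit /enum all` dump for the boot-level changes described above.
Added example for this page (not bcdedit, KAPE or Microsoft code); the dump, its GUIDs
and the rogue loader entry below are constructed for illustration."""
from typing import Dict, List, Optional, Set

# Constructed `bcdedit /enum all` output (not from a real host): a UEFI boot manager,
# the legitimate {current} loader with recovery disabled, and a second loader entry
# whose path points at a file dropped in \Windows\Temp.
SAMPLE_BCD_ENUM = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\Microsoft\Boot\bootmgfw.efi
displayorder            {current}
                        {a1b2c3d4-0000-4000-8000-000000000002}

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
recoveryenabled         No
bootstatuspolicy        IgnoreAllFailures

Windows Boot Loader
-------------------
identifier              {a1b2c3d4-0000-4000-8000-000000000002}
device                  partition=C:
path                    \Windows\Temp\svchost.efi
description             Windows 10
testsigning             Yes
nointegritychecks       Yes
"""

# setting -> (suspicious value, meaning); values are compared case-insensitively.
RISKY_SETTINGS = {
    "recoveryenabled": ("no", "Windows Recovery Environment disabled"),
    "bootstatuspolicy": ("ignoreallfailures", "boot failures never trigger recovery"),
    "testsigning": ("yes", "test-signed kernel-mode code allowed"),
    "nointegritychecks": ("yes", "kernel-mode code integrity disabled"),
}
# Loader and boot manager paths of a stock Windows install, lower-cased for comparison.
KNOWN_PATHS = {
    "Windows Boot Loader": {r"\windows\system32\winload.exe", r"\windows\system32\winload.efi"},
    "Windows Boot Manager": {r"\bootmgr", r"\efi\microsoft\boot\bootmgfw.efi"},
}


def parse_bcdenum(text: str) -> List[Dict]:
    """One dict per BCD object: {"type": header, "settings": {key: [values]}}. bcdedit
    prints a header, a dashed underline, `key  value` rows (multi-valued keys continue
    on indented lines) and a blank line between objects."""
    lines = text.splitlines()
    entries: List[Dict] = []
    current: Optional[Dict] = None
    prev_key, i = None, 0
    while i < len(lines):
        line = lines[i].rstrip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line and not line[0].isspace() and nxt and set(nxt) == {"-"}:
            current = {"type": line.strip(), "settings": {}}
            entries.append(current)
            prev_key = None
            i += 2  # skip the underline
            continue
        if not line.strip() or current is None:
            i += 1
            continue
        if line[0].isspace() and prev_key:
            current["settings"][prev_key].append(line.strip())  # continuation value
        else:
            key, _, value = line.strip().partition(" ")
            prev_key = key.lower()
            current["settings"].setdefault(prev_key, []).append(value.strip())
        i += 1
    return entries


def find_suspicious(entries: List[Dict], baseline_ids: Optional[Set[str]] = None) -> List[str]:
    """Flag the changes described above; baseline_ids are the OS loader identifiers
    from a known-good dump of the same Windows build, when one is available."""
    findings = []
    for e in entries:
        s, kind = e["settings"], e["type"]
        ident = s.get("identifier", ["<none>"])[0]
        for key, (bad, why) in RISKY_SETTINGS.items():
            for v in s.get(key, []):
                if v.lower() == bad:
                    findings.append(f"{ident}: {key}={v} ({why})")
        path = s.get("path", [""])[0]
        if path and kind in KNOWN_PATHS and path.lower() not in KNOWN_PATHS[kind]:
            findings.append(f"{ident}: non-standard {kind.lower()} path {path}")
        if baseline_ids is not None and kind == "Windows Boot Loader" and ident not in baseline_ids:
            findings.append(f"{ident}: loader entry absent from baseline")
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_bcdenum(SAMPLE_BCD_ENUM), baseline_ids={"{current}"}):
        print(finding)
```

To run it against a real collection, read bcd_enum.txt and pass its contents to parse_bcdenum. Two caveats: Windows PowerShell's > redirection writes UTF-16LE with a BOM while cmd.exe writes the OEM code page, so open the file with the matching encoding; and the well-known names ({current}, {bootmgr}) only appear without /v, so build the baseline identifier set from a dump taken with the same options as the one under review.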