Volume Shadow Copies

Posted by: Joe G


Author Name
BryanTheSnail


Artifact Name
Volume Shadow Copies


Artifact/Program Version
Windows 7
 
Description
This method allows Encase users to explore the contents of Volume
Shadow Copies. As yet I have only tested this on a Windows 7 x64
machine; I cannot say how effective it will be on other systems.
Most of this method originates from the paper on the antiforensics.net
website at the attached link.
1. Use the Enscript from Lance Mueller to make a ‘dd’ image of your
drive.
2. Use the VHDTool to create a Virtual Drive from your dd image.
3. Open Disk Management (click Start and enter diskmgmt.msc into the
search field).
4. Mount your VHD as a Virtual Disk, selecting “Read Only”.
5. This step needs more testing and unfortunately I do not have the
time to do it. If you try to use Shadow Explorer at this stage it will
be unable to see the Virtual Disk. There may be a command
line/registry hack which will enable this but I have not yet explored
this option. The solution I did find was to reboot the machine. Once
rebooted, Shadow Explorer can quite happily access the Volume Shadow
Copies and allows you to export any relevant files. There is no search
option, unfortunately.
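One way to script steps 2 to 5 from an elevated PowerShell prompt on the examiner's Windows 7 machine, as an added example that is not part of the original post; it assumes VHDTool.exe is on the PATH, that the dd image is a full-disk image (MBR included, so the VHD shows its partitions), and uses the case paths below as placeholders:

```powershell
# Added example (not from the original post). Requires an elevated prompt.
# Assumed paths: adjust $DdImage / $CaseDir to the real case.
$DdImage = 'D:\Cases\case01\disk.dd'    # raw image produced in step 1
$CaseDir = 'D:\Cases\case01'
$VhdFile = Join-Path $CaseDir 'disk.vhd'

# Step 2: VHDTool /convert turns a raw image into a fixed VHD in place by
# appending a VHD footer; work on a copy so the original dd stays pristine.
Copy-Item -Path $DdImage -Destination $VhdFile
& VHDTool.exe /convert $VhdFile

# Steps 3-4: attach the VHD read-only with diskpart instead of the GUI.
$dpScript = Join-Path $env:TEMP 'attach.txt'
@"
select vdisk file="$VhdFile"
attach vdisk readonly
"@ | Set-Content -Path $dpScript -Encoding ASCII
diskpart /s $dpScript

# Step 5: enumerate shadow copies with vssadmin (what Shadow Explorer does
# under the hood). If the mounted volume's copies are not listed yet, the
# post's workaround was a reboot of the examiner machine.
$shadows = vssadmin list shadows |
    Select-String 'Shadow Copy Volume: (\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }

# Expose each shadow copy as a directory symlink so it can be browsed,
# hashed or copied with ordinary tools. The trailing backslash is required.
$i = 0
foreach ($s in $shadows) {
    $link = Join-Path $CaseDir ("vsc{0}" -f $i)
    cmd /c mklink /d $link "$s\"
    $i++
}

# Cleanup when finished: remove the links (rmdir, not del) and detach the VHD.
# Get-ChildItem $CaseDir -Filter 'vsc*' | ForEach-Object { cmd /c rmdir $_.FullName }
# "select vdisk file=`"$VhdFile`"`r`ndetach vdisk" | Set-Content $dpScript -Encoding ASCII
# diskpart /s $dpScript
```

Unlike Shadow Explorer, the symlinked copies can be searched with normal file tools, which addresses the missing search option noted in step 5.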


Registry Keys
Various


File Locations
System Restore


Research Links
http://antiforensics.net/Computer-Forensics/accessing-volume-shadow-copies.html
http://www.forensickb.com/2007/07/export-encase-evidence-file-to-dd.html
http://archive.msdn.microsoft.com/vhdtool
http://www.shadowexplorer.com/


Forensic Programs of Use
Encase
VHDTool
Shadow Explorer


Reposted from http://forensicartifacts.com/2011/05/volume-shadow-copies/
