Volume Shadow Copies

Posted by: Joe G

Author Name

Artifact Name
Volume Shadow Copies

Artifact/Program Version
Windows 7
This method allows EnCase users to explore the contents of Volume
Shadow Copies. As yet I have only tested this on a Windows 7 x64
machine, so I cannot say how effective it will be on other systems.
Most of this method originates from the paper on the antiforensics.net
website at the attached link.
1. Use the EnScript from Lance Mueller to make a 'dd' image of your
2. Use VhdTool to create a Virtual Disk (VHD) from your dd image.
3. Open Disk Management (click Start and enter diskmgmt.msc into the
search field).
4. Attach your VHD as a Virtual Disk (Action > Attach VHD), ticking
"Read-only" so nothing is written to the evidence image.
5. This step needs more testing and unfortunately I do not have the
time to do it. If you try to use Shadow Explorer at this stage it will
be unable to see the Virtual Disk. There may be a command-line or
registry hack which will enable this, but I have not yet explored
this option. The solution I did find was to reboot the machine. Once
rebooted, Shadow Explorer can quite happily access the Volume Shadow
Copies and allows you to export any relevant files. There is no search
option, unfortunately.
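Once the shadow copies on the attached VHD are visible to the Volume Shadow Copy service, the export step does not have to go through Shadow Explorer at all: each copy can be exposed as a directory and then searched with ordinary file tools, which covers the missing search option. The script below is an added example, not code from the original post, from Lance Mueller's EnScript, or from Shadow Explorer. It assumes the VHD was attached as E:, that C:\vss is free for the links, that the search pattern is *.docx (all three are placeholders), and that the VSS service has already registered the attached volume (the condition the post reports needing a reboot for). Run it from an elevated PowerShell, since mklink /d needs administrator rights.

```powershell
# Added example, not code from the original post or from Shadow Explorer.
# Run from an elevated PowerShell on the examiner's machine after steps 1-4
# (and the reboot from step 5, which is what lets the VSS service register
# the attached VHD's shadow copies). It lists every shadow copy of the
# attached volume, exposes each one as a directory via a symbolic link to
# its GLOBALROOT device path, and searches all of them for a file name.
# ASSUMPTIONS (placeholders, change to suit): the VHD was attached as E:,
# links go under C:\vss, and the search pattern is *.docx.
# Save as Find-ShadowFiles.ps1 and run: .\Find-ShadowFiles.ps1 -Volume 'E:'

param(
    [string]$Volume    = 'E:',       # placeholder: letter Disk Management gave the VHD
    [string]$MountRoot = 'C:\vss',   # placeholder: where the copies are exposed
    [string]$Pattern   = '*.docx'    # placeholder: what to look for
)

# Resolve the drive letter to its \\?\Volume{GUID}\ name, which is how
# Win32_ShadowCopy (the WMI class behind "vssadmin list shadows") names
# the originating volume.
$volumeId = (Get-WmiObject -Class Win32_Volume |
    Where-Object { $_.DriveLetter -eq $Volume }).DeviceID
if (-not $volumeId) { throw "Volume $Volume is not attached." }

$shadows = Get-WmiObject -Class Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId } |
    Sort-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) }

if (-not $shadows) {
    # Same symptom the post describes for Shadow Explorer: VSS has not
    # registered the new volume yet. Reboot (step 5) and run again.
    throw "No shadow copies visible for $Volume yet; check 'vssadmin list shadows /for=$Volume'."
}

New-Item -ItemType Directory -Path $MountRoot -Force | Out-Null

$i = 0
foreach ($s in $shadows) {
    $i++
    $created = [Management.ManagementDateTimeConverter]::ToDateTime($s.InstallDate)
    $link    = Join-Path $MountRoot ("vss{0:D2}_{1:yyyyMMdd_HHmmss}" -f $i, $created)
    if (-not (Test-Path $link)) {
        # mklink /d needs the trailing backslash on the device path.
        # cmd.exe's mklink is used because New-Item -ItemType SymbolicLink
        # only exists in PowerShell 5+, not the PowerShell 2.0 shipped with Windows 7.
        cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    }
    "{0}  {1}  {2}" -f $link, $created, $s.DeviceObject
}

# The search Shadow Explorer lacks: every copy is now an ordinary directory,
# so any file tool works. Report each match with the snapshot it came from so
# the same file can be compared across points in time.
Get-ChildItem -Path $MountRoot -Recurse -Filter $Pattern -ErrorAction SilentlyContinue |
    Select-Object @{n='Snapshot'; e={ $_.FullName.Substring($MountRoot.Length + 1).Split('\')[0] }},
                  FullName, Length, LastWriteTime |
    Format-Table -AutoSize
```

The symbolic links live on the examiner's own system drive, so the read-only attachment from step 4 is respected and nothing is written into the evidence image. Files can then be copied out of any C:\vss\vssNN_... directory with Copy-Item, and the per-snapshot Snapshot column makes it straightforward to pull every historical version of one file.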

Registry Keys

File Locations
System Restore

Research Links

Forensic Programs of Use
Shadow Explorer

Reposted from http://forensicartifacts.com/2011/05/volume-shadow-copies/
