In this chapter, we will cover the following recipes:
- Browsing and copying files from VSCs on a live system with ShadowCopyView
- Mounting VSCs from disk images with VSSADMIN and MKLINK
- Processing and analyzing VSC data with Magnet AXIOM
Shadow copies, also known as volume shadow copies, are backup copies of files on an NTFS volume that Windows takes automatically during normal use of the machine. Average computer users may already be familiar with shadow copies, since they are what make it possible to create Windows backups or to perform a system restore when something goes wrong.
These have obvious applications for digital forensic practitioners, particularly in cases where a suspect may have tried to delete evidence from a machine. By restoring the system to its previous state, or by using forensic tools to uncover files that are saved in shadow copy locations, forensic practitioners may be able to deduce information that an individual has tried to hide.
However, the presence of shadow copies and the ability forensic investigators have to uncover the information contained within them does not necessarily...
ShadowCopyView is a simple tool developed by NirSoft (remember this name! They have developed lots of small free tools which are extremely useful for computer forensics), which enables digital forensic examiners to browse snapshots created by the Windows Volume Shadow Copy Service. It runs on even the most recent Windows versions (Windows 10, for example) and is portable, so it can be kept on your favorite USB drive, which is very important for live forensics and incident response.
Go to NirSoft's website and click on the All Utilities link on the left. Scroll down the page, find the ShadowCopyView link, and click it. At the time of writing, the most...
VSSADMIN is a built-in Windows command-line tool that lists the Volume Shadow Copies present on a volume. You can use it not only on a running Windows system, but also on disk images. In this recipe, we will show you how to do it.
As the tool we are going to use is built-in, there is no need for installation: if you are using Windows, you already have it. So all you need is to mount a forensic image, and you already know how to do this from Chapter 3, Windows Drive Acquisition. As soon as the image is mounted, you are ready to go.
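The following script is an added example, not part of the book's recipe: it runs VSSADMIN against the drive letter a mounted image received, parses the snapshot list, and exposes each snapshot as a browsable directory symbolic link with MKLINK. The drive letter `E:`, the link folder `C:\VSC`, and English-language VSSADMIN output are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example (not the book's code): list the VSCs on a mounted image volume and
# create one directory symbolic link per snapshot so it can be browsed in Explorer
# or parsed by forensic tools. Requires an elevated prompt.
param(
    [string]$ImageVolume = 'E:',     # assumed drive letter of the mounted forensic image
    [string]$LinkRoot    = 'C:\VSC'  # assumed folder that will hold one link per snapshot
)

function Get-ShadowCopyList {
    param([string]$Volume)
    # vssadmin prints one block per snapshot set (English output assumed):
    #   Contained 1 shadow copies at creation time: 1/2/2017 10:00:00 AM
    #      Shadow Copy ID: {...}
    #         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
    $text   = (& vssadmin.exe list shadows /for=$Volume) -join "`n"
    $blocks = $text -split 'Contained \d+ shadow copies at creation time: '
    foreach ($block in ($blocks | Select-Object -Skip 1)) {
        $created = ($block -split "`n")[0].Trim()
        $m = [regex]::Match($block, '(\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+)')
        if ($m.Success) {
            [pscustomobject]@{ Created = $created; DevicePath = $m.Groups[1].Value }
        }
    }
}

New-Item -ItemType Directory -Path $LinkRoot -Force | Out-Null
$i = 0
foreach ($vsc in (Get-ShadowCopyList -Volume $ImageVolume)) {
    $i++
    $link = Join-Path $LinkRoot ("vsc{0}" -f $i)
    # The trailing backslash on the target is mandatory: without it the link is created
    # but cannot be browsed. mklink is a cmd.exe built-in, so it is invoked through cmd.
    & cmd.exe /c mklink /d "$link" "$($vsc.DevicePath)\" | Out-Null
    Write-Host ("{0}  ->  {1}  (snapshot created {2})" -f $link, $vsc.DevicePath, $vsc.Created)
}
# When finished, remove each link with 'cmd /c rmdir <link>'. Never delete the link's
# contents, since that targets the files inside the snapshot view, not the link.
```

If the image was mounted read-only, the snapshot views are read-only as well, so working through the links does not alter the evidence.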
Magnet AXIOM is an all-in-one digital forensics tool by Magnet Forensics, capable of extracting (acquiring) and processing data from both computers and mobile devices. It supports lots of Windows forensic artifacts, including extracting data from Windows Volume Shadow Copies.
At the time of writing, Magnet Forensics provides a fully functional 30-day free trial version of Magnet AXIOM. All you need to do is go to Magnet Forensics' website and click on the TRY NOW button. Fill in the form, including your first name, last name, email address, phone number, state or province, country, and so on and click on REQUEST A FREE TRIAL. Make sure you type your real...