Volume Shadow Copy
The ability of Forensic Explorer to easily access and explorer Volume Shadow Copies (VSC) offers the forensics investigator the opportunity to examine data at different time snapshots in a forensic examination.
A Shadow Copy is essentially a differential backup of the contents of an NTFS formatted drive. The Volume Shadow Copy Service (VSS) automatically creates volume shadow copies at regular intervals, but they can also be create by installation of third party software, or manually by the user. By examining a Shadow Copy it is possible to view previous versions of a file, a directory, or or a volume.
Volume Shadow Copies are a potential gold mine for the forensic investigator which has until recent times often been overlooked due the the difficulty of access.
Examining VSCs in Forensic Explorer is a simple process:
1. Start a new preview, or case, or load and existing case;
2. Once the case is loaded, switch to the File System module;
3. Click on the Shadow Mount icon in the module toolbar.
This "Volume Snapshot Mount" window and display the available restore points, as show below:
The investigator can choose to mount an entire shadow copy volume, or to only mount files that have changed between the shadow copy and the active volume.
Files from a specific VSS can be identified with a user selected color.
The mounted Shadow Copy Volume is added to the File System module. It is identified by the shadow copy icon and the volume name is appended with the date and time of its creation, as shown below:
The "VSS" color column is automatically added. The screen shot below shows the active file (no color), then the same file from two shadow copy mounts (green and red).
The investigator then has all the tools of Forensic Explorer to examine the mounted shadow copies, including filters, keyword search, keyword index, scripts, etc.
See Chapter 24 of the PDF user guide for more information about working with shadow copies.