What is Volume Shadow Copy?
Volume Shadow Copy is a technology included in Microsoft Windows that can create backup copies or snapshots of computer files or volumes, even when they are in use. It requires the file system to be NTFS in order to create and store these backup copies.
Analysis of Volume Shadow Copies
Analysis of snapshots is important as it can show the state of the Windows system at a particular time in the past. Analyzing snapshots might help investigators find evidence that was deleted some time ago.
While analyzing an image of the NTFS file system, Oxygen Forensic® KeyScout can now automatically detect available Shadow Copy snapshots.
Investigators can choose to analyze the current state of the disk or any of the previous states saved in VSS (Volume Snapshot Service) snapshots. Once data is collected, it will be imported in Oxygen Forensic® Detective for detailed analysis.
Conclusion
Having the tools to be able to analyze Volume Shadow Copies is important. In Oxygen Forensic® Detective v.14.4, we’ve implemented this ability to create a detailed analysis of Volume Shadow Copy snapshots.
If you are interested to try this functionality, contact us to learn more about Volume Shadow Copy analysis.