Shadow Scanner - Shadow Copy Retrieval Tool

rjpear
(@rjpear)
Posts: 97
Trusted Member
Topic starter
 

Hi Folks… For any of the forensic investigators out there, you know that there is a treasure chest full of potential info/evidence within a user's Shadow Copies (Shadow Volumes). Unfortunately it is not the easiest procedure to recover the data. Symbolic links and such. Plus once you do that, you have to poke around in all that data.

Well, a tool has recently been released that will allow the user to easily examine the shadow copies during the forensic process. This tool is named Shadow Scanner (ShadowScanner). What's nice is that the tool will scan all Shadow files and compare them to what's on the live drive. If there is a difference (size, date, path etc.) then the program will display those files. The user can also use the filtering system that will filter by file extension. You can also create custom filters, etc.
There is a free (time-limited) demo to give it a shot and see if it makes your life a bit easier…

(FYI, for full disclosure, this tool was created with the input of a coworker in my LE department, so it was created by LE for LE, essentially.) wink

Thanks
Rob

 
Posted : 29/10/2010 12:45 am
(@jonathan)
Posts: 878
Prominent Member
 

$300 to parse one type of data. That's pretty steep.

Does it provide $300 more value to me than the free Shadow Explorer? Genuine question

 
Posted : 29/10/2010 1:01 am
(@forensicakb)
Posts: 316
Reputable Member
 

Agreed, incredibly steep.

It's by LE for LE, another thing I will not put money into.

$300 to parse one type of data. That's pretty steep.

Does it provide $300 more value to me than the free Shadow Explorer? Genuine question

 
Posted : 29/10/2010 1:35 am
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

The biggest advantage to this tool (I watched the video) is that it provides an automated way to answer the question "what is different between the shadow copy and the current live version."

 
Posted : 29/10/2010 1:42 am
(@jonathan)
Posts: 878
Prominent Member
 

The biggest advantage to this tool (I watched the video) is that it provides an automated way to answer the question "what is different between the shadow copy and the current live version."

You can do that with X-Ways Forensics I believe. It flags up files that were from shadow copies.

 
Posted : 29/10/2010 2:00 am
rjpear
(@rjpear)
Posts: 97
Trusted Member
Topic starter
 

$300 to parse one type of data. That's pretty steep.

Does it provide $300 more value to me than the free Shadow Explorer? Genuine question

Shadow Explorer allows an easy way to browse the local Shadow Copies, while this tool will do the compare of files in Shadow against the files on the current drive and allow you to just view and export those.
Ideally I think this tool would be used during the initial imaging procedure when you have the Original drive attached to the writeblocker. Just export any files of interest to a local folder and create some sort of Logical image to add to your case.

As for the price, I thought it was $200.00 US, but that's why there is a DEMO: to give it a shot and see if it works for you.

 
Posted : 29/10/2010 2:05 am
rjpear
(@rjpear)
Posts: 97
Trusted Member
Topic starter
 

Agreed, incredibly steep.

It's by LE for LE, another thing I will not put money into.

$300 to parse one type of data. That's pretty steep.

Does it provide $300 more value to me than the free Shadow Explorer? Genuine question

Sorry, I didn't realize that being created to help LE do their job would be a negative, but it's good to know where you are coming from.

 
Posted : 29/10/2010 2:07 am
rjpear
(@rjpear)
Posts: 97
Trusted Member
Topic starter
 

The biggest advantage to this tool (I watched the video) is that it provides an automated way to answer the question "what is different between the shadow copy and the current live version."

You can do that with X-Ways Forensics I believe. It flags up files that were from shadow copies.

X-Ways Forensics (and most of the X-Ways tools) are great, but again, IF you already have another tool and can't afford the 800+ EU, give this a shot…

 
Posted : 29/10/2010 2:10 am
(@patrick4n6)
Posts: 650
Honorable Member
 

For those of you who missed my talk at Techno Forensics on behalf of IACIS this week, all you need to examine Shadow Copies is to have Windows Vista/7 Ultimate and type this on the command line

C:\>for /f "tokens=4" %f in ('vssadmin list shadows ^|findstr GLOBALROOT') do @for /f "tokens=4 delims=\" %g in ("%f") do @mklink /d %SYSTEMDRIVE%\%g %f\

That single command will mount all your shadow volumes for you and you can use whatever you want to examine them.

NB. you must run the command line as administrator.

 
Posted : 29/10/2010 6:09 am
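The one-liner above hides two parsing steps: picking the fourth whitespace-separated token of each "Shadow Copy Volume:" line, then taking the fourth backslash-separated component of that path as the link name. As an added example (not from this thread, and not part of Shadow Scanner or any other tool named here), the Python below does the same work on saved `vssadmin list shadows` output so the mounts can be reviewed before any `mklink` is typed, and it also emits the matching `rmdir` cleanup lines. The sample listing, GUIDs and the machine name EXAMPLE-PC are constructed placeholders; the function names are my own.

```python
# Parse saved `vssadmin list shadows` output and generate the mklink mounts used by the
# one-liner in the thread, plus the matching cleanup commands. Added example, not vendor code.
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `vssadmin list shadows` output; GUIDs and hostname are placeholders.
SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {00000000-0000-0000-0000-0000000000a1}
   Contained 1 shadow copies at creation time: 10/20/2010 9:15:22 PM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000b1}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c1}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: EXAMPLE-PC
         Service Machine: EXAMPLE-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {00000000-0000-0000-0000-0000000000a2}
   Contained 1 shadow copies at creation time: 10/27/2010 8:02:41 AM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000b2}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c1}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: EXAMPLE-PC
         Service Machine: EXAMPLE-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""


@dataclass(frozen=True)
class ShadowCopy:
    shadow_id: str        # {GUID} of the shadow copy
    original_volume: str  # drive letter the snapshot was taken of, e.g. "C:"
    created: str          # creation time exactly as vssadmin printed it
    device_path: str      # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN


_CREATED = re.compile(r"Contained \d+ shadow copies at creation time: (.+)$")
_SHADOW_ID = re.compile(r"Shadow Copy ID: (\{[0-9A-Fa-f-]+\})$")
_ORIGINAL = re.compile(r"Original Volume: \(([A-Za-z]:)\)")
_SHADOW_VOLUME = "Shadow Copy Volume: "


def parse_vssadmin(text: str) -> List[ShadowCopy]:
    """Walk the indented vssadmin listing and collect one record per shadow copy."""
    copies: List[ShadowCopy] = []
    created = shadow_id = original = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = _CREATED.match(line)
        if m:
            created = m.group(1).strip()
            continue
        m = _SHADOW_ID.match(line)
        if m:
            shadow_id = m.group(1)
            continue
        m = _ORIGINAL.match(line)
        if m:
            original = m.group(1)
            continue
        if line.startswith(_SHADOW_VOLUME):
            device = line[len(_SHADOW_VOLUME):]
            # Same filter as `findstr GLOBALROOT` in the one-liner: only device paths count.
            if "GLOBALROOT" in device:
                copies.append(ShadowCopy(shadow_id, original, created, device))
    return copies


def link_name(copy: ShadowCopy) -> str:
    """Last path component, e.g. HarddiskVolumeShadowCopy1 ("tokens=4 delims=\\" in the one-liner)."""
    return copy.device_path.rsplit("\\", 1)[-1]


def mount_commands(copies: List[ShadowCopy], system_drive: str = "C:") -> List[str]:
    """mklink /d lines equivalent to the one-liner. The trailing backslash on the target
    is required; without it the link does not resolve into the shadow copy."""
    return ["mklink /d %s\\%s %s\\" % (system_drive, link_name(c), c.device_path) for c in copies]


def unmount_commands(copies: List[ShadowCopy], system_drive: str = "C:") -> List[str]:
    """rmdir on a directory symlink removes only the link, never the snapshot's contents."""
    return ["rmdir %s\\%s" % (system_drive, link_name(c)) for c in copies]


def mount_batch(copies: List[ShadowCopy], system_drive: str = "C:") -> str:
    """A reviewable .cmd: origin volume, creation time and ID noted above each link."""
    lines = ["@echo off", "rem run from an elevated command prompt"]
    for c, cmd in zip(copies, mount_commands(copies, system_drive)):
        lines.append("rem %s  %s  %s" % (c.original_volume, c.created, c.shadow_id))
        lines.append(cmd)
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    import sys
    # Usage: python shadow_mounts.py saved_vssadmin_output.txt  (falls back to the sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_VSSADMIN_OUTPUT
    print(mount_batch(parse_vssadmin(text)))
```

Keeping the creation time and originating volume next to each link name matters in practice: the shadow copy numbering says nothing about which snapshot is older, so the generated batch file doubles as the note of what was mounted and when each snapshot was taken.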
(@dficsi)
Posts: 283
Reputable Member
 

I'm assuming that this will only work on Vista/Windows 7 as it looks as if it plugs into Volume Shadow Service. Same thing that Shadow Explorer does. This also means that you have to mount the drive, etc.

The good thing about this is the comparison of current and non-current files.

 
Posted : 29/10/2010 11:20 am