Shadow Scanner - Shadow Copy Retrieval Tool


Shadow Scanner - Shadow Copy Retrieval Tool

Posted: Thu Oct 28, 2010 1:45 pm

Hi Folks... For any of the forensic investigators out there..you know that there is a treasure chest full of potential info/evidence within a user's Shadow Copies (Shadow Volumes). Unfortunately it is not the easiest procedure to recover the data. Symbolic links and such. Plus once you do that ..you have to poke around in all that data.

Well, a tool has been recently released that will allow the user to easily examine the shadow copies during the forensic process. This tool is named Shadow Scanner ( ShadowScanner ). What's nice is that the tool will scan all Shadow files and compare them to what's on the live drive. If there is a difference (size, date, path etc.) then the program will display those files. The user can also use the filtering system that will filter by file extension. You can also create custom filters, etc.
There is a free (time-limited) demo to give it a shot and see if it makes your life a bit easier...

(FYI..for full disclosure this tool was created with the input of a coworker in my LE Department...so it was created by LE for LE..essentially. ..) ;)

Thanks
Rob  

rjpear
Senior Member
 
 
  

Re: Shadow Scanner - Shadow Copy Retrieval Tool

Posted: Thu Oct 28, 2010 2:01 pm

$300 to parse one type of data. That's pretty steep.

Does it provide $300 more value to me than the free Shadow Explorer? Genuine question
_________________
Forensic Control
twitter.com/ForensicControl 

Jonathan
Senior Member
 
 
  

Re: Shadow Scanner - Shadow Copy Retrieval Tool

Posted: Thu Oct 28, 2010 2:35 pm

Agreed, incredibly steep.

It's by LE for LE, another thing I will not put money into.

Jonathan wrote:
> $300 to parse one type of data. That's pretty steep.
>
> Does it provide $300 more value to me than the free Shadow Explorer? Genuine question
 

forensicakb
Senior Member
 
 
  

Re: Shadow Scanner - Shadow Copy Retrieval Tool

Posted: Thu Oct 28, 2010 2:42 pm

The biggest advantage to this tool (I watched the video) is that it provides an automated way to answer the question "what is different between the shadow copy and the current live version?"
_________________
Blog: secureartisan.wordpress.com 

pbobby
Senior Member
 
 
  

Re: Shadow Scanner - Shadow Copy Retrieval Tool

Posted: Thu Oct 28, 2010 3:00 pm

pbobby wrote:
> The biggest advantage to this tool (I watched the video) is that it provides an automated way to answer the question "what is different between the shadow copy and the current live version?"


You can do that with X-Ways Forensics I believe. It flags up files that were from shadow copies.
_________________
Forensic Control
twitter.com/ForensicControl 

Jonathan
Senior Member
 
 
  

Re: Shadow Scanner - Shadow Copy Retrieval Tool

Posted: Thu Oct 28, 2010 3:05 pm

Jonathan wrote:
> $300 to parse one type of data. That's pretty steep.
>
> Does it provide $300 more value to me than the free Shadow Explorer? Genuine question


Shadow Explorer allows an easy way to browse the local Shadow Copies...while this tool will do the compare of files in Shadow against the files on the current drive and allow you to just view and export those.
Ideally I think this tool would be used during the initial imaging procedure when you have the Original drive attached to the write blocker. Just export any files of interest to a local folder and create some sort of Logical image to add to your case.

As for the Price..I thought it was $200.00 US.. but that's why there is a DEMO...to give it a shot and see if it works for you.  

rjpear
Senior Member
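
Added example, not part of the thread and not Shadow Scanner's code: a minimal version of the shadow-versus-live comparison discussed above, reporting shadow copy files that are missing from the live volume or differ in size or modified time. It assumes the shadow copy is already exposed as an ordinary read-only directory (for instance through a symbolic link); the function names and the sample files are constructed for illustration.

```python
import os
import tempfile

def index_tree(root):
    """Map relative path -> (size, mtime in whole seconds) for every file under root."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            index[os.path.relpath(full, root)] = (st.st_size, int(st.st_mtime))
    return index

def shadow_diff(shadow_root, live_root):
    """Return {relative path: reason} for shadow copy files that differ from the live tree."""
    shadow, live = index_tree(shadow_root), index_tree(live_root)
    report = {}
    for rel, (size, mtime) in sorted(shadow.items()):
        if rel not in live:
            report[rel] = "missing on live volume"
        elif live[rel][0] != size:
            report[rel] = "size differs"
        elif live[rel][1] != mtime:
            report[rel] = "modified time differs"
    return report

def demo():
    """Build two small constructed trees in a temp directory and diff them."""
    base = tempfile.mkdtemp()
    shadow, live = os.path.join(base, "shadow"), os.path.join(base, "live")
    files = {  # constructed sample data: name -> (shadow content, live content or None)
        "same.txt": ("abc", "abc"),
        "edited.doc": ("draft one", "draft one, revised"),
        "deleted.jpg": ("image bytes", None),
        "touched.log": ("log", "log"),
    }
    for root, idx in ((shadow, 0), (live, 1)):
        os.makedirs(root)
        for name, contents in files.items():
            if contents[idx] is not None:
                path = os.path.join(root, name)
                with open(path, "w") as fh:
                    fh.write(contents[idx])
                os.utime(path, (1288200000, 1288200000))  # identical baseline timestamps
    # Same content, later timestamp on the live side only.
    os.utime(os.path.join(live, "touched.log"), (1288290000, 1288290000))
    return shadow_diff(shadow, live)

if __name__ == "__main__":
    for rel, reason in demo().items():
        print(f"{rel}: {reason}")
```

Size and timestamp checks miss files rewritten with the same length and a restored timestamp; hashing both copies closes that gap at the cost of reading every file.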
 
 
  

Re: Shadow Scanner - Shadow Copy Retrieval Tool

Posted: Thu Oct 28, 2010 3:07 pm

forensicakb wrote:
> Agreed, incredibly steep.
>
> It's by LE for LE, another thing I will not put money into.
>
> Jonathan wrote:
>> $300 to parse one type of data. That's pretty steep.
>>
>> Does it provide $300 more value to me than the free Shadow Explorer? Genuine question


Sorry..I didn't realize that being created to help LE do their job would be a Negative.. But it's good to know where you are coming from.  

rjpear
Senior Member
 
 
Page 1 of 3