Handling of Vista Shadow Files

(@dficsi)
Reputable Member
Joined: 19 years ago
Posts: 283
Topic starter  

Ideas welcome.

We are finding an increasing amount of data in Microsoft Windows Vista shadow files. I am aware of the article on the SANS forensic blog about how to restore shadow files and take a DD image of the drive with these files applied.

My question is what procedures should we have in place for something like this? It doesn't seem practical to do DD after DD of the same computer, but if we don't, we risk finding little to report on.

Alternatively, if anyone knows how to parse such files I would be happy to hear from you.


(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

I find myself in a similar situation. There was a thread on the CCE list that suggested that FTK could parse shadow volumes, but no one confirmed it, and an email request for confirmation to AD went unanswered.

I built up an FTK environment on Friday and will go put some miles on a Vista image tomorrow with an eye towards determining how EnCase and FTK deal with shadow volumes. I believe the answer is "they don't".

-David

