Since the release of Windows Vista and, more recently, Windows 7, analysts are encountering increased numbers of relevant artefacts in the volume shadow copy files present in the System Volume Information folder. The paucity of published data regarding the structure and architecture of these files has frustrated analysts attempting to establish the provenance of the artefacts they encounter. This paper introduces a new method for reliably recovering the original files stored in the volume shadow copies which contain these artefacts. The technique preserves the original date and time stamps and is flexible enough to extract everything in a VSS file, or to narrow the extraction down to a single file for one specific user account. It is fast, proportionate to the task, and employs standard tools found in any reputable digital forensics laboratory.
By James Crabtree & Gary Evans
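The abstract describes the goal (recover a user's files from a shadow copy with timestamps intact) without detailing the paper's own procedure, so the following is an added illustration of one widely used approach, not the authors' method and not code from the paper. It assumes an elevated PowerShell session on the analysis workstation, that the evidence volume has already been mounted in a way that lets the host's Volume Shadow Copy service enumerate the snapshots stored on it (the question of how to do that read-only is exactly what the comment below raises), and that the volume letter, user name and export path are placeholders to be replaced. It uses the Win32_ShadowCopy WMI class, a directory symbolic link to the snapshot's GLOBALROOT device object, and robocopy with /COPY:DAT and /DCOPY:T so file and directory timestamps survive the copy; a SHA-256 manifest is written at the end so the export can be verified later.

```powershell
# Added illustration (not the paper's method): enumerate the Volume Shadow Copies of a
# mounted evidence volume, expose each snapshot through a directory symbolic link, and
# copy one user's profile out of it with timestamps preserved.
# Assumptions: elevated PowerShell on the analysis workstation; the evidence volume is
# already mounted so that the host VSS service can see its snapshots; the values below
# are constructed placeholders.

param(
    [string]$EvidenceVolume = 'E:\',                 # placeholder: volume carrying the shadow copies
    [string]$UserName       = 'PLACEHOLDER_USER',    # placeholder: profile to extract
    [string]$OutRoot        = 'D:\Case\vss_export'   # placeholder: export location on the analysis box
)

New-Item -ItemType Directory -Path $OutRoot -Force | Out-Null

# 1. Resolve the drive letter to its \\?\Volume{GUID}\ name; Win32_ShadowCopy reports the
#    parent volume in that form in its VolumeName property.
$letter        = $EvidenceVolume.Substring(0, 2)   # e.g. 'E:'
$volumeGuidPath = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$letter'").DeviceID

# 2. List the snapshots that belong to the evidence volume, oldest first.
$snapshots = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeGuidPath } |
    Sort-Object InstallDate

if (-not $snapshots) { throw "No shadow copies found for $EvidenceVolume" }

foreach ($snap in $snapshots) {
    # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    $stamp = $snap.InstallDate.ToString('yyyyMMdd_HHmmss')
    $mount = Join-Path $OutRoot ("mnt_" + $stamp)
    $dest  = Join-Path $OutRoot ("users_" + $stamp + "\" + $UserName)

    # 3. Expose the snapshot as a directory. A shadow copy is a read-only snapshot, so
    #    nothing written through this link can reach it. The trailing backslash on the
    #    link target is required.
    cmd /c mklink /d "$mount" "$($snap.DeviceObject)\" | Out-Null

    # 4. Copy only this user's profile. /COPY:DAT keeps data, attributes and file
    #    timestamps, /DCOPY:T keeps directory timestamps, /XJ skips junction points such
    #    as the legacy "Application Data" links that would otherwise recurse, and
    #    /R:0 /W:0 avoids stalling on anything that cannot be read.
    $src = Join-Path $mount "Users\$UserName"
    if (Test-Path $src) {
        robocopy "$src" "$dest" /E /COPY:DAT /DCOPY:T /XJ /R:0 /W:0 /NP `
            /LOG+:"$OutRoot\robocopy.log" | Out-Null
    } else {
        Write-Warning "Snapshot $stamp has no profile for $UserName"
    }

    # 5. Release the link; rmdir on a directory symlink removes the link only.
    cmd /c rmdir "$mount" | Out-Null
}

# 6. Write a hash manifest of everything exported so the copy can be verified later.
Get-ChildItem -Path $OutRoot -Recurse -File |
    Where-Object { $_.Name -notin 'robocopy.log', 'manifest.csv' } |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv -Path (Join-Path $OutRoot 'manifest.csv') -NoTypeInformation
```

Dropping the Users\$UserName filter and copying from the link root instead extracts the whole snapshot, which is the "everything in a VSS file" end of the range the abstract describes; the same link also lets an imaging tool read the exposed snapshot directly, which is the alternative to RoboCopy raised in the comment below. Note that snapshots only appear in Win32_ShadowCopy once the host's VSS service accepts the evidence volume, so how the volume is mounted decides whether this enumeration works at all.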
Doug,
Thanks for posting this.
Any thoughts from you regarding mounting the drive read-only using ImDisk or SmartMount, rather than using EnCase PDE? How about imaging the resulting volume, or retrieving files via FTK Imager, rather than using RoboCopy?
Thanks.