System Volume Info - Win 7...

5 Posts | 4 Users | 0 Reactions | 723 Views
(@fuzed)
Trusted Member
Joined: 16 years ago
Posts: 93
Topic starter  

I've googled it before anyone suggests that; I just wanted some advice re the files. I have a case where a number of IIOC have been found within the System Volume Information files (spanning four different files); there are newer files identified without the IIOC within them.

I've not done a massive amount of work on System Volume Information files as yet. I've done a fair bit of reading on them, although I was having a complete nightmare getting a VM to work (unknown reasons - it would only give me two VMware files, one of 80MB and the other of 56MB). I tried with VHC and a few other tools, still no luck (gave up due to time constraints).

Anyway, my understanding currently of these files is that they create restore points of apps and user profiles. If they create restore points of user profiles, would it be fair to say that the images could well have been deleted off the system when it did a newer backup? Or would these files have been opened and viewed for the system to back them up?

Any help appreciated. Thanks guys :)


   
Quote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I think what you may be referring to is essentially the volume shadow copies. This blog post may be useful to you:

http://windowsir.blogspot.com/2011/01/accessing-volume-shadow-copies.html


   
(@dan0841)
Trusted Member
Joined: 17 years ago
Posts: 91
 

Also see:

http://www.forensic4cast.com/2010/04/into-the-shadows/

http://windowsir.blogspot.com/2009/11/working-with-volume-shadow-copies.html

http://forensicsfromthesausagefactory.blogspot.com/2010/04/volume-shadow-copy-forensics-robocopy.html

http://computer-forensics.sans.org/blog/2008/10/10/shadow-forensics/

Based upon the situation that you've described, I would assess my approach based upon what evidence you have and the benefits of further analysis. If you have located many IIOC elsewhere, then is it worth spending a lot of time assessing a couple more images? If your case justifies further analysis of these files, then there are a number of methods which you can use.

For example, I've had a job where a few IIOC had been found within the Limewire folders. I believed the suspect had been downloading them, copying them to DVD, then deleting them from his HDD. I used the RoboCopy method to recover and analyse the Limewire folders from all shadow copies using a simple 'for' loop (http://forensicsfromthesausagefactory.blogspot.com/2010/04/volume-shadow-copy-forensics-robocopy_13.html) and was able to locate IIOC which had been automatically 'backed up' in between the suspect downloading and copying to CD.

Your approach will depend upon your case spec.

Hope these links are useful.


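The "RoboCopy from every shadow copy" loop that dan0841 describes, written out as an added example in PowerShell. This is not code from the thread or from the linked blog posts; it assumes the evidence volume has already been mounted on a Windows analysis machine as a real volume (a write-blocked disk or a mounted image presented with a drive letter) so that the Volume Shadow Copy service on the analysis box can see its shadow copies, and that the drive letter, the folder of interest and the output paths below are hypothetical values you replace. Run it from an elevated prompt.

```powershell
# Added example (not from the thread): copy one folder out of every shadow copy
# of an evidence volume into a timestamped output folder per shadow copy.
# Hypothetical values: evidence volume E:, suspect profile folder under Users,
# output under D:\vss_out, temporary directory symlinks under C:\vss_links.

$SourceVolume = 'E:'
$RelativePath = 'Users\suspect\Downloads'
$OutRoot      = 'D:\vss_out'
$LinkRoot     = 'C:\vss_links'

New-Item -ItemType Directory -Force -Path $OutRoot, $LinkRoot | Out-Null

# Win32_Volume.DeviceID is the \\?\Volume{GUID}\ path; Win32_ShadowCopy.VolumeName
# uses the same form, which is how shadow copies are matched to the source volume.
$vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $SourceVolume }
if (-not $vol) { throw "Volume $SourceVolume not found on this system" }

# Oldest first, so output folders sort in the order the snapshots were taken.
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate

if (-not $shadows) { Write-Warning "No shadow copies visible for $SourceVolume"; return }

foreach ($sc in $shadows) {
    $stamp = $sc.InstallDate.ToString('yyyyMMdd_HHmmss')
    $link  = Join-Path $LinkRoot ("vss_" + $stamp)
    $dest  = Join-Path $OutRoot  ("vss_" + $stamp)

    # DeviceObject is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN; mklink
    # needs the trailing backslash to expose the snapshot as a directory.
    cmd /c mklink /d "$link" "$($sc.DeviceObject)\" | Out-Null

    # /E   subfolders including empty ones      /COPY:DAT data, attributes, timestamps
    # /R:0 /W:0 no retries on locked files      /XJ do not follow junctions
    # /LOG+ appends a record of what was copied from which snapshot
    robocopy (Join-Path $link $RelativePath) $dest `
        /E /COPY:DAT /R:0 /W:0 /XJ /LOG+:"$OutRoot\robocopy.log" | Out-Null

    # rmdir on a directory symlink removes only the link, never the snapshot.
    cmd /c rmdir "$link" | Out-Null

    "{0}  {1}  ->  {2}" -f $sc.InstallDate, $sc.DeviceObject, $dest
}
```

Two caveats a practitioner would want: the shadow copies only appear in Win32_ShadowCopy when the evidence volume is mounted in a way the analysis machine's VSS can enumerate (the linked posts cover the mounting side), and the snapshots should be harvested on a Windows version compatible with the evidence (Windows 7 evidence on a Windows 7 analysis box), since older VSS implementations cannot read newer snapshot formats. Each output folder then gets the same review as the live file system, and the robocopy log ties every recovered file back to the snapshot timestamp it came from.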
(@dficsi)
Reputable Member
Joined: 19 years ago
Posts: 283
 

fuzed wrote:
Anyway, my understanding currently of these files is that they create restore points of apps and user profiles. If they create restore points of user profiles, would it be fair to say that the images could well have been deleted off the system when it did a newer backup? Or would these files have been opened and viewed for the system to back them up?

I'm afraid your understanding is not entirely accurate. Essentially the volume shadow service monitors the whole volume in 16KB chunks. If a change happens in any of these chunks, then the whole chunk is copied to one of these files in the System Volume Information folder. If you're seeing pictures in there, they may still exist on the volume or they may have been deleted. It just depends on why those 16KB blocks were changed.

Yes, whenever a new piece of software is installed a new SVI file is created, but that is only the trigger. That file will potentially contain data from almost a week previously, not just installation data.

Good advice has already been given. As with anything else, read up before starting anything.


(@fuzed)
Trusted Member
Joined: 16 years ago
Posts: 93
Topic starter  

Thank you all for the guidance, much needed and very, very, very helpful! :)
