Forums
Main Category
General (Technical,...
system volume infor...
 
Notifications
Clear all

system volume information

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by rayp 15 years ago
7 Posts
4 Users
0 Reactions
2,408 Views
RSS
rayp
 rayp
(@rayp)
Eminent Member
Joined: 16 years ago
Posts: 42
Topic starter 12/04/2010 9:02 am  

Hello,
I am currently using FTK v1x. While doing a keyword search I've found search hits in the system volume information and am hoping that someone can please help me to define what the system volume information area is so I can write it in my final report. Thank you in advance


   
Quote
markg43
 markg43
(@markg43)
Trusted Member
Joined: 18 years ago
Posts: 77
12/04/2010 11:05 am  

You don't give much information about the image you are examining, but System Volume information is where Windows stores the Restore Points that it creates. Notice the subfolder names RP1, RP2 etc

Depending on what version of Windows the image is, you can research what types of files are saved there and how to determine what date a particular Restore point is made.

Good Luck

MarkG


   
ReplyQuote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
12/04/2010 4:43 pm  

I am currently using FTK v1x. While doing a keyword search I've found search hits in the system volume information and am hoping that someone can please help me to define what the system volume information area is so I can write it in my final report.

It's all about the context.

What is the version of the OS you're looking at?

Where are the hits, specifically, within this directory? The hits are within files? If so, what are the paths?

Here's a start
http//www.lmgtfy.com/?q=%22system+volume+information+folder%22


   
ReplyQuote
rayp
 rayp
(@rayp)
Eminent Member
Joined: 16 years ago
Posts: 42
Topic starter 12/04/2010 8:00 pm  

Thanks for the replies so far. The O/S is Vista with SP1. One of the file paths is part_1 HP_System Volume Information\{07c3590a-8bac-11de-bf88-0023543a631e}{3808876b-c176-4e48-b7ae-04046e6cc752}_09

So I dont know if this information will help anyone to further help me figure out what I can do with this information.


   
ReplyQuote
 Fitzer
(@fitzer)
Active Member
Joined: 15 years ago
Posts: 5
12/04/2010 8:21 pm  

The images are stored in the Shadow Copy, which is Vista's version of Restore Points. It takes a snapshot of the file system, including programs that are being used, so people can revert to previous versions of documents etc.
http//forensicsfromthesausagefactory.blogspot.com/ shows how to identify the Volume Shadow Copy, image it and examine it.


   
ReplyQuote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
12/04/2010 8:25 pm  

Thanks for the replies so far. The O/S is Vista with SP1. One of the file paths is part_1 HP_System Volume Information\{07c3590a-8bac-11de-bf88-0023543a631e}{3808876b-c176-4e48-b7ae-04046e6cc752}_09

So I dont know if this information will help anyone to further help me figure out what I can do with this information.

Like Fitzer says, this is a Volume Shadow Copy. You need to have an understanding of what that is, and this may help you
http//en.wikipedia.org/wiki/Shadow_Copy

Like Fitzer says, you'll need to identify the particular Volume Shadow Copy; identify how many there are, mount and search each one. Then image the one in question.


   
ReplyQuote
rayp
 rayp
(@rayp)
Eminent Member
Joined: 16 years ago
Posts: 42
Topic starter 13/04/2010 12:31 am  

Thanks for all of your help


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: