Dear colleagues.
Is it possible that data from RAM is saved in a volume shadow copy file? In my case I found some interesting text in a volume shadow copy file (e.g. {sdasdfsdfsdfsdfsdfas}{gdfgdfgdfgdf}) using the text search option in EnCase. When I opened this file using the tools EnCase, vssadmin and mklinks, I didn't find any file where the interesting text is stored. I have no idea what's going on. I suppose the text was stored in RAM when the Volume Shadow Copy was created. Is that the right thinking?
The short/simple answer is yes - volume shadow copies are written in 16K/32 sector chunks even if only a small amount of data is to be written. E.g. if a small file of, say, 512 bytes is changed and shadowed, then the 31 blocks before, after or around it will be mapped to a shadow file.
Pawel, I assume you're talking about the on-disk VSC implementation (aka VSS aka volsnap), not one of the numerous other writers it can have?
http//
I opt to check
OSDFC 2012 Paper - Windowless Shadow Snapshots
https://
VSS format working document.
https://
Note that a sector can be 4 KiB (4 x 1024) as well, so "16K/32 sector chunks" should be 16 KiB (16 x 1024) blocks (or chunks for that matter).
Also note that the volsnap driver on Windows has nasty side effects for forensic analysis; read the paper mentioned earlier for the block wrap behavior. Also note that I've seen volsnap just wipe the VSS metadata because of corruption, in effect rendering the snapshots unreadable.
Ok. Thanks for your quick answers and for helping me.
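
An added example, not part of the thread or any poster's code: a simplified in-memory model of the 16 KiB block copy-on-write described in the replies above. It is not the real volsnap on-disk format; the volume layout, the 512-byte sector size and all names are constructed for illustration. It shows how a 512-byte change preserves a whole 16 KiB block, so a raw keyword search of the store can hit bytes that belong to no file visible in the mounted snapshot.

```python
BLOCK = 16 * 1024   # copy-on-write granularity named in the thread
SECTOR = 512        # assumed sector size for this model
KEYWORD = b"INTERESTING-TEXT"  # constructed search term

def make_volume(blocks=4):
    """Constructed volume: one live 512-byte file plus residue of a deleted
    file in unallocated sectors of the same 16 KiB block."""
    vol = bytearray(BLOCK * blocks)
    file_off = BLOCK + 10 * SECTOR              # live file, inside block 1
    vol[file_off:file_off + SECTOR] = b"A" * SECTOR
    residue_off = BLOCK + 20 * SECTOR           # unallocated, same block
    vol[residue_off:residue_off + len(KEYWORD)] = KEYWORD
    return vol, file_off

class SnapshotStore:
    """Toy store: block index -> block content as it was at snapshot time."""
    def __init__(self, volume):
        self.volume = volume
        self.saved = {}

    def write(self, offset, data):
        first = offset // BLOCK
        last = (offset + len(data) - 1) // BLOCK
        for idx in range(first, last + 1):
            if idx not in self.saved:           # keep only the original state
                start = idx * BLOCK
                self.saved[idx] = bytes(self.volume[start:start + BLOCK])
        self.volume[offset:offset + len(data)] = data

    def raw(self):
        """Bytes a raw keyword search over the store file would scan."""
        return b"".join(self.saved[i] for i in sorted(self.saved))

def snapshot_file_content(store, offset, length):
    """File-level view of the snapshot (file assumed to fit in one block)."""
    idx, rel = divmod(offset, BLOCK)
    start = idx * BLOCK
    block = store.saved.get(idx) or bytes(store.volume[start:start + BLOCK])
    return block[rel:rel + length]

def demo():
    vol, file_off = make_volume()
    store = SnapshotStore(vol)
    store.write(file_off, b"B" * SECTOR)        # 512-byte change after snapshot
    file_view = snapshot_file_content(store, file_off, SECTOR)
    return len(store.raw()), KEYWORD in store.raw(), KEYWORD in file_view

if __name__ == "__main__":
    print(demo())
```

The first value is the number of bytes preserved for a 512-byte change; the second and third show the keyword present in the raw store but absent from the file recovered through the snapshot.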