Volume Shadow Copies

I am not clear how that is different than what Harlan and many others have described in their blogs/posts.

Where are you having problems in the process you are trying? Can you outline your process?

Have you read Harlan's blogs on the subject?
http//windowsir.blogspot.com/2009/11/working-with-volume-shadow-copies.html
http//windowsir.blogspot.com/2011/09/howto-mount-and-access-vscs.html

Or Corey Harrell's?
http//journeyintoir.blogspot.com/2011/04/little-help-with-volume-shadow-copies.html
http//journeyintoir.blogspot.com/2012/01/ripping-volume-shadow-copies.html

Or Rob Lee's?
http//computer-forensics.sans.org/blog/2011/09/16/shadow-timelines-and-other-shadowvolumecopy-digital-forensics-techniques-with-the-sleuthkit-on-windows

Alan Hay also has some software to help mount a VSC
http//www.ash368.com./os6/4557227633

You might also be interested in looking at Shadow Explorer
http//www.shadowexplorer.com/

Sure I would be happy too.

I am using the VSC toolset that I downloaded from here. It seems to be a great tool. I am using my writeblocker to mount the drive to my machine. From that point I use the VSC Toolset to select the drive and it shows me a list of VSC's.

From that point I select to have it create the symbolic links to my C drive. I then use FTK Imager to point to the symbolic links and create the image as an AD1.

When I have done this, the process stalls out. I have let it run for over 18 hours and it will not finish.

I then just tried to add the live evidence to FTK. I know the implications of this, but I wanted to see if something would work.

It looked like it initially worked, but upon reviewing the case after processing it looked like FTK processed my entire C drive and not the symbolic links I had pointed too.

Now granted I am not the end all be all of forensics, but I am not an idiot when it comes to forensics either (others might be arguing that point currently though).

So if you can point out my flaws I will be sure to correct them.

Thanks for the reply.

DT

Ah, thank you, that is much more clear.

How large are the VSCs? and what version of Imager are you using?

Hello,

So I have found some great tools on here in regards to VSC, but it seems what I am trying to do is a bit different.

Sure I would be happy too.

I am using the VSC toolset that I downloaded from here.

May I ask from where?

And which exact tool?

This one?
http//dfstream.blogspot.com/p/vsc-toolset.html

jaclaz

Ah, thank you, that is much more clear.

How large are the VSCs? and what version of Imager are you using?

They seem to range between 13 and 20 gigs each. I am using Imager 3.0.1.1467.

Hello,

So I have found some great tools on here in regards to VSC, but it seems what I am trying to do is a bit different.

Sure I would be happy too.

I am using the VSC toolset that I downloaded from here.

May I ask from where?

And which exact tool?

This one?
http//dfstream.blogspot.com/p/vsc-toolset.html

jaclaz

Correct I am using the same. Sorry for not responding, but I was gone over the holiday.
Thanks in advance.
DT

Ah, thank you, that is much more clear.

How large are the VSCs? and what version of Imager are you using?

They seem to range between 13 and 20 gigs each. I am using Imager 3.0.1.1467.

Imager 3.0 fails on images larger than 2.99 GB.