Hi Folks.
I am working on a Vista Home Premium (HP make) laptop, and I am interested in determining if there is Gold in the VSS Stores. I have attempted a VMWare boot of the image file (DD) with only a Blue Screen/reboot to show for it… and I have hooked up the original HD to a Writeblocker and plugged it into a Vista Ultimate box, but ShadowExplorer (
So two questions… is there an easy way to determine in a Forensic tool (EnCase etc.) if there are VSS Copies present… or how much data is VSS'ed… AND if there is… how is it possible to examine them without booting the original media… and assume I don't have an extra 140 gig Toshiba Laptop drive laying around to duplicate the original… 😉
Thanks for your time!!
Rob
I found some details about VSS here
http//
Not sure if that answers your question.
We have started finding loads of stuff, images etc., in System Volume Information, which, from the small amount of work I have done on it, can be apportioned to VSS.
Hope this helps
Thanks… From what I have gathered, if you quickly look at the "System Volume Information" folder you can tell if VSS is on and approx. how much stuff has been copied/backed up. I started the VMWARE stuff and all the tricks only to determine my drive did not have VSS turned on!! (heh!)
There is a free tool called Shadow Copy Explorer that allows you to view the contents of the Shadow Copies.
You can find it here..
http//
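
The "System Volume Information" check described in this thread, as an added example that is not part of any post above: it lists the shadow copy store files on a volume and totals their size. It assumes the image is already mounted read-only at a path you pass in and that store files follow the `{store GUID}{3808876b-c176-4e48-b7ae-04046e6cc752}` naming; the function names and the sample tree are made up for the illustration.

```python
import os
import re
import tempfile

# Identifier that VSS appends to its files in "System Volume Information".
VSS_ID = "{3808876b-c176-4e48-b7ae-04046e6cc752}"
# A per-snapshot store is named {store GUID}{VSS_ID}.
STORE_RE = re.compile(
    r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}" + re.escape(VSS_ID) + r"$",
    re.I,
)


def find_vss_stores(volume_root):
    """Return sorted (name, size) pairs for store files under volume_root."""
    svi = os.path.join(volume_root, "System Volume Information")
    if not os.path.isdir(svi):
        return []
    stores = []
    for entry in os.scandir(svi):
        if entry.is_file(follow_symlinks=False) and STORE_RE.match(entry.name):
            stores.append((entry.name, entry.stat(follow_symlinks=False).st_size))
    return sorted(stores)


def summarize(volume_root):
    """Answer the two questions: are stores present, and how much data do they hold."""
    stores = find_vss_stores(volume_root)
    return {"present": bool(stores), "count": len(stores),
            "bytes": sum(size for _, size in stores)}


def build_sample(root):
    """Create a constructed sample tree (made-up GUIDs and sizes) for the demo."""
    svi = os.path.join(root, "System Volume Information")
    os.makedirs(svi)
    sample = {
        "{11111111-2222-3333-4444-555555555555}" + VSS_ID: 4096,
        "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}" + VSS_ID: 8192,
        VSS_ID: 512,          # identifier alone: not counted as a store here
        "tracking.log": 100,  # unrelated file
    }
    for name, size in sample.items():
        with open(os.path.join(svi, name), "wb") as fh:
            fh.write(b"\0" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(summarize(tmp))
```

Pass `summarize()` the mount point of the write-blocked or read-only mounted volume; a count of zero means no store files were found there, which matches the "VSS not turned on" outcome reported above.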