VSS In EnCase

In Encase, I am trying to determine the way to natively view Volume Shadow copies.  I have found the enscript, but when reading about it, it says that VSS analysis has native support since 8.07.  I have tried right clicking on the entry to view the file structure, but no luck. I cannot seem to find much information about this on the internet either.

Posted : 09/03/2021 6:30 pm
EnCase 8.07 has native support for volume shadow copy (as you have mentioned).  This can be accessed via the Device Menu for the evidence item.

Load the evidence into Entries

Right Click on the Evidence File (top of the tree pane)

Device -> Analyse Volume Shadow Copies

You should be presented with a dialog that lists each of the Volume Shadows Copies.  You can then decided to either recover the full volume, or simply objects that meet certain criteria.

When recovery is completed it should present as a new evidence file/s.

The EnCase Online Help has some detail, however if you have access to Opentext MySupport - the release notes for EnCase 8.07 has more detail and some screenshots

Hope that helps a little



Posted : 11/03/2021 5:27 pm
@hommy0 thank you for getting back to me.  Enjoy your weekend.

Posted : 12/03/2021 6:05 pm