In Encase, I am trying to determine the way to natively view Volume Shadow copies. I have found the enscript, but when reading about it, it says that VSS analysis has native support since 8.07. I have tried right clicking on the entry to view the file structure, but no luck. I cannot seem to find much information about this on the internet either.
Hi,
EnCase 8.07 has native support for volume shadow copy (as you have mentioned). Â This can be accessed via the Device Menu for the evidence item.
Load the evidence into Entries
Right Click on the Evidence File (top of the tree pane)
Device -> Analyse Volume Shadow Copies
You should be presented with a dialog that lists each of the Volume Shadows Copies. Â You can then decided to either recover the full volume, or simply objects that meet certain criteria.
When recovery is completed it should present as a new evidence file/s.
The EnCase Online Help has some detail, however if you have access to Opentext MySupport - the release notes for EnCase 8.07 has more detail and some screenshots
Hope that helps a little
Â
Regards
@hommy0 thank you for getting back to me. Enjoy your weekend.