
VSS Query

(@aristotle_juris)
New Member
Joined: 7 months ago
Posts: 2
Topic starter  

Hello Everyone, 

I'm trying to tighten up my understanding of VSS and their potential value to a forensic investigation. For some context, I am in a situation whereby I have access to a live system remotely, with no ability to use "proper" forensics tools for acquisition. I essentially want to get as much data as I can, in the most efficient way possible. I cannot use any executables, but I can script with PowerShell. 

I have been exploring the concept of creating a VSS on the remote device and then collecting all the evidence from this. I understand that the VSS is a snapshot in time of the artefacts on the device, and is not an exact copy. With that, if I copy, say, the SECURITY key from the Registry from that device to my local device, will it only contain partial information? Or will it contain all of the information contained within the registry at the point the VSS was taken?

Thanks for any advice in advance. 


   
(@aristotle_juris)
New Member
Joined: 7 months ago
Posts: 2
Topic starter  

I should also point out that I know I need to mount the VSS using a symlink first. 


   