Forensic Explorer fast shadow copy access added

Australian software company GetData Forensics adds Volume Shadow Copy analysis to Forensic Explorer.

“Volume Shadow Copies are a potential gold mine for the forensic investigator” said GetData Managing Director John Hunter. “Until recent times they have often been overlooked due to difficulty of access. Forensic Explorer changes this”.

The Volume Shadow Copy Service (VSS), introduced in Windows Vista, creates a differential backup of the contents of an NTFS drive. Shadow copies are automatically created by Windows at regular intervals, but they can also be created by installation of third-party software, or manually by the user. By examining a Shadow Copy it is possible to view previous versions of a file or directory.

Forensic Explorer offers a simple two-click process to select and mount one or more shadow copy restore points. An entire shadow copy volume can be mounted, or only those files that are different to the existing file system. A simple color coding system means that different versions of the same document can easily be identified. It is also likely that shadow copies contain deleted files which are no longer present in the existing file system. Shadow copy analysis can truly give access to data that may otherwise be missed.

“We are excited to see how Forensic Explorer users put shadow copy analysis to task in their cases” said Hunter. “We are continuing to develop techniques to best visualize this important data in the context of a case”.

Forensic Explorer is available for evaluation at http://www.forensicexplorer.com

