Sunday, July 11, 2010

What's next in Volume Shadow Copies...?

Having just attended a presentation by Mark McKinnon (RedWolf Computer Forensics) and Lee Whitfield (Disklabs and Forensic4cast) at the SANS What Works in Forensics and Incident Response Summit 2010, I'd like to make a few comments on the excellent presentation by Mark and Lee. 

The presentation was on Volume Shadow Copies and started with a detailed description of what is currently known about this relatively new avenue in digital forensics.  From the information presented in this 1 hr presentation, if you have not started to think about Volume Shadow Copies, you had better start paying attention in the months to come.  While the process of getting information is moderately complex, the amount of information produced by the Volume Shadow Service will eventually be one of those tasks we must not ignore.  The presentation did a live demo of the product, and gave us an idea of just what we're missing.  While the state of the file may be dependent on the quality/existence of the previous snapshots in place, Mark and Lee have developed a tools which intends to automate the Volume Shadow Copy recovery process.  Timeline to release you ask....?  The authors indicated a few months.  They appear very committed to releasing a stable and tested product.

From their new site for Shadow Analyzer, here's a small idea of what the product can recover:
Shadow Analyser eliminates the hassle of analysing Microsoft volume shadow files. It allows a digital forensic investigators to take a disk image and, using that image:
■view the contents of the hard disk drive at a point in time
■recover deleted and erased files
■extract older versions of current files
■view historic date and time information for all files, both live and deleted
■view changes to files across days, weeks, or even months
■extract complete files from volume shadow files
The authors are putting a lot of time into the development of this tool; the shear volume of information that they are finding within the Volume Shadow Copies seems to be a driving force and motivation behind getting this tool to the end-stages of development.  You can follow their development on Twitter as well at @ShadowAnalyzer  .

Keep up the progress guys.....great presentation and even greater tool !!  Oh yeah....forgot to mention, the tool will be "tri-platform" - Win, Linux and Mac.

For more information on Volume Shadow Copies, take a look here:
Into the Shadows
Reliably recovering evidential data from Volume Shadow Copies in Windows Vista and Windows 7 (pdf)
Volume Shadow Copy Forensics - the Robocopy method Part 1
Volume Shadow Copy Forensics - the Robocopy method Part 2

More to come on the's take days to digest!


  1. I came across your blog today and was reading your posts when I came across this one. It was good timing because I just started looking into how to examine VSS today. Thanks for posting the various links on volume shadow copies. It makes for a good starting point.

  2. Thanks for the blogs.............
    Best Fingerprinting Services
    Our process for electronic fingerprinting uses high quality equipment, called fingerprint live scanner., Our process is virtually error-free, avoiding smudged readings and/or delivery errors often associated with the ink processing method.