CSI: Windows – The Adventures with Volume Shadow Copy in Digital Forensics - Episode 1

Today, we’re donning our forensic hats and diving into the depths of another interesting evidence trail, “Volume Shadow Copy”, uncovering its secrets and unraveling the mysteries it holds for those skilled in the art of digital investigation.

Imagine this: a suspect attempts to cover their tracks by deleting incriminating files, thinking they’ve left no evidence behind. Little do they know, Volume Shadow Copy is silently recording their every move, like a digital witness lurking in the shadows. It’s here that the savvy forensic examiner enters the scene, armed with the knowledge and tools to peer into the past and unveil the truth.

At its core, Volume Shadow Copy is a built-in Windows feature that quietly creates snapshots of your system at various points in time, effectively capturing a moment in the digital continuum.

Volume Shadow Copy (VSC) snapshots are typically stored in a hidden system folder within the Windows operating system: the “System Volume Information” folder, for example C:\System Volume Information.

Once the shadow copies are unearthed, the real detective work begins. Each Volume Shadow Copy contains a snapshot of the system at a specific point in time, including files, directories, and even registry settings.

Volume Shadow Copy isn’t exactly the most glamorous of computer features. It’s like that member at the family reunion: always there, but rarely acknowledged until you really need them. But when push comes to shove, if it is there, it can become the most important member of your investigation.

Volume Shadow Copy isn’t without its quirks and pitfalls. Sometimes it decides to take a coffee break right when you need it most, leaving you high and dry about those deleted files. And let’s not forget the classic “I thought I had it turned on, but turns out I was just talking to myself” scenario, which leaves you cursing your past self for not being more diligent with backups.
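
One way to check whether any snapshots exist and when each was taken, covering both the "point in time" idea and the "I thought I had it turned on" pitfall above. This is an added example, not from the original post: it assumes an elevated PowerShell session on the live system, uses the standard Win32_ShadowCopy and Win32_Volume WMI classes, and the `C:\vsc` link names are hypothetical.

```powershell
# Added example: list Volume Shadow Copy snapshots on a live system.
# Read-only: nothing is mounted, created or deleted. Run elevated.

# Map volume GUID paths (\\?\Volume{...}\) to drive letters for readable output.
$letters = @{}
Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter } |
    ForEach-Object { $letters[$_.DeviceID] = $_.DriveLetter }

# Each Win32_ShadowCopy instance is one snapshot; oldest first.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate)

if ($shadows.Count -eq 0) {
    # The pitfall case: protection was never enabled, or the snapshots are gone.
    Write-Warning 'No shadow copies found on this system.'
}
else {
    $report = for ($i = 0; $i -lt $shadows.Count; $i++) {
        $s = $shadows[$i]
        $vol = if ($letters.ContainsKey($s.VolumeName)) { $letters[$s.VolumeName] }
               else { $s.VolumeName }
        [pscustomobject]@{
            Created      = $s.InstallDate      # the point in time the snapshot captures
            Volume       = $vol
            ShadowId     = $s.ID
            DeviceObject = $s.DeviceObject
            Machine      = $s.OriginatingMachine
            # Command an examiner could run from cmd.exe to browse this snapshot
            # through a directory link (hypothetical link name; the trailing
            # backslash on the target is required).
            BrowseCmd    = 'mklink /d C:\vsc{0} {1}\' -f ($i + 1), $s.DeviceObject
        }
    }
    $report | Format-List
}
```

Sorting by `Created` gives the timeline of available snapshots, which tells you how far back a deleted file could still be recovered.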

To learn more you can take the Digital Forensics Course!

EC Council Digital Forensics!
