Windows Volume Shadow Copy
In Chapter 10, I’ll discuss restore points that are created by the system restore feature that appears in Windows XP and Windows Me. Windows Vista (and beyond) also uses restore points, but it stores its data in a much different and far more complex manner. As part of the system restore process, Windows Vista (and beyond) creates what are called volume shadow copies (VSCs). Whatever the Microsoft engineers may have taken away from forensic examiners with the introduction of Windows Vista, they gave back triple with this one!
What, therefore, is a volume shadow copy? Whereas Windows XP restore points took snapshots of critical system files, Windows Vista (and beyond) does much more. In essence, the Volume Shadow Service ...
Get EnCE EnCase Computer Forensics: The Official EnCase Certified Examiner Study Guide, 3rd Edition now with the O’Reilly learning platform.