Chapter 3

Volume Shadow Copies

Chapter Outline

Introduction

What Are “Volume Shadow Copies”?

Registry Keys

Live Systems

ProDiscover

F-Response

Acquired Images

VHD Method

VMWare Method

Automating VSC Access

ProDiscover

Summary

Reference

Information in this Chapter

• What Are “Volume Shadow Copies”?

• Live Systems

• Acquired Images

Introduction

Every time a new version of the Windows operating system is announced or made public, a collective shudder ripples throughout the forensics community. What new features are going to be available in the next operating system version? What’s going to remain the same? What new challenges will we face? Some changes are minor; for example, the binary structure of the Windows Registry hasn’t changed among versions, ...

Get Windows Forensic Analysis Toolkit, 3rd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial