  • Volume Shadow Copy Service – Well, What Do We Know

    This is the second post, continuing the previous post on Volume Shadow Copies. We discussed why VSCs are valuable artifacts: they may contain evidence data that has previously been deleted. Shadow copies are read-only, so a user cannot delete files within a shadow copy, but they can delete the entire shadow copy itself. This makes them a treasure trove for investigators, as each version of a VSC may provide the examiner with additional metadata that contributes to evidence. As this is a background service, users may be unaware of these shadow copies, and when the users…

  • Volume Shadow Copy – What Do We Have In The Shadows

    My forensic guru and mentor once told me how he handled a tight spot using Volume Shadow Copy. He taught me how and when to make use of them, and their significance. Those were the times that actually taught me, tested me, geared me up for challenges and made sure learning happened along the way. I always had this quirk of writing down what I’m learning and jotting down what I’m thinking, so that I can retrieve it later on and vouch for whether I learned something or nothing at all. And I always believe learning happens if and only if it was applied and…