Fast Shadow Copy Access with Forensic Explorer

Australian software company GetData Forensics adds Volume Shadow Copy analysis to Forensic Explorer.

“Volume Shadow Copies are a potential gold mine for the forensic investigator,” said GetData Managing Director John Hunter. “Until recent times they have often been overlooked due to difficulty of access. Forensic Explorer changes this.”

The Volume Shadow Copy Service (VSS), introduced in Windows Vista, creates a differential backup of the contents of an NTFS drive. Shadow copies are automatically created by Windows at regular intervals, but they can also be created by the installation of third-party software, or manually by the user. By examining a shadow copy it is possible to view previous versions of a file or directory.

Forensic Explorer offers a simple two-click process to select and mount one or more shadow copy restore points. An entire shadow copy volume can be mounted, or only those files that are different to the existing file system. A simple color coding system means that different versions of the same document can easily be identified. It is also likely that shadow copies contain deleted files which are no longer present in the existing file system. Shadow copy analysis can give access to data that may otherwise be missed.

“We are excited to see how Forensic Explorer users put shadow copy analysis to task in their cases,” said Hunter. “We are continuing to develop techniques to best visualize this important data in the context of a case.”

Forensic Explorer is available for evaluation at http://www.forensicexplorer.com.

Contact Author

Graham Henley
