SANS Digital Forensics and Incident Response Blog: Daily Archives: Oct 10, 2008

VISTA and Windows 7 Shadow Volume Forensics

Shadow Copy Volume forensics will enable an investigator to examine data at many different time snapshots during a forensic examination. While XP Restore Point snapshots only gather key files including the registry, the shadow copy volume will allow access to them all. Investigating shadow copy volumes in organizations might become a key investigative tool for both e-Discovery and traditional forensics. First off, hats off to Troy Larson, Senior Forensic Investigator from Microsoft, who just put this information out into the forensic community. In addition to his own