SANS Digital Forensics and Incident Response Blog: Daily Archives: Sep 16, 2011

Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows

Creating Digital Forensic Filesystem Timelines From Multiple Windows Volume Shadow Copies

Introduction to Shadow Timelines:

This past weekend I was upgrading the SIFT Workstation to the new version and realized I had not used the Windows build of the Sleuthkit tools in a while. I usually demonstrate in class that many of the Sleuthkit tools can work directly against the logical volumes of a physical hard drive (e.g. \\.\C:, \\.\D:). It occurred to me that I had never tried to use the filesystem parser and timeline generator fls on a Windows Vista, Windows 7, or Windows Server 2008 Volume Shadow Copy.
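The workflow the paragraph above hints at, enumerating the shadow copies on a live system, pointing fls at the live volume and at each shadow copy device, and merging the body files into one mactime timeline, as an added PowerShell example that is not from the original post. It assumes an elevated shell, that the Windows build of fls.exe and mactime.exe is on PATH, and that the output directory C:\cases\shadow-timelines is acceptable (all three are assumptions, not something the post states):

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session with the Sleuthkit Windows binaries (fls.exe, mactime.exe) on PATH.
$outDir = 'C:\cases\shadow-timelines'   # assumed output location
New-Item -ItemType Directory -Force -Path $outDir | Out-Null

# vssadmin prints one line per snapshot of the form
#   Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
# Pull out the HarddiskVolumeShadowCopyN device names.
$devices = vssadmin list shadows |
    Select-String 'Device\\(HarddiskVolumeShadowCopy\d+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }

# Map a body-file prefix (fls -m) to the raw device path fls should open.
# The live volume goes first; the prefix is what lets the merged timeline
# show which snapshot a given entry came from.
$targets = [ordered]@{ 'C:' = '\\.\C:' }
foreach ($d in $devices) { $targets[$d] = "\\.\$d" }

# Recursive fls in body-file (mactime) format for each target.
foreach ($prefix in $targets.Keys) {
    $bodyFile = Join-Path $outDir ("{0}.body" -f ($prefix -replace '[:\\/]', ''))
    & fls.exe -r -m $prefix $targets[$prefix] | Out-File -Encoding ascii $bodyFile
}

# mactime takes a single body file, so concatenate them before building the
# timeline; -d gives CSV output and -z fixes the timezone used for display.
$merged = Join-Path $outDir 'all.body'
Get-Content (Join-Path $outDir '*.body') | Out-File -Encoding ascii $merged
& mactime.exe -b $merged -d -z UTC |
    Out-File -Encoding ascii (Join-Path $outDir 'shadow-timeline.csv')
```

Because each snapshot's entries carry a different prefix, the resulting CSV can be sorted by time and filtered by prefix to see how a file's timestamps changed across snapshots, which is the point of a shadow timeline.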

We have known for some time now that you can image a Shadow Volume. I wrote a