Volume Shadow Copies
This method allows EnCase users to explore the contents of Volume Shadow Copies. As yet I have only tested this on a Windows 7 x64 machine, so I cannot say how effective it will be on other systems. Most of this method originates from the paper on the antiforensics.net website at the attached link. (This was a repost of Harlan's entry on the Windows IR Blog; see the updated link in the "Research Links".)
1. Use the EnScript from Lance Mueller to make a 'dd' image of your
2. Use the VHDTool to create a Virtual Drive from your dd image.
3. Open Disk Management (click Start and enter diskmgmt.msc into the search field).
4. Mount your VHD as a Virtual Disk, selecting "Read Only".
5. This step needs more testing and unfortunately I do not have the time to do it. If you try to use Shadow Explorer at this stage it will be unable to see the Virtual Disk. There may be a command line/registry hack which will enable this, but I have not yet explored this option. The solution I did find was to reboot the machine. Once rebooted, Shadow Explorer can quite happily access the Volume Shadow Copies and allows you to export any relevant files. There is no search
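As an added example (not part of the original post, and not a claim that it avoids the reboot described in step 5), the following PowerShell script shows a GUI-free way to check which shadow copies the running OS can actually see for a given volume, and to expose one of them as a read-only directory so ordinary tools can browse and copy files out of it. It uses the Win32_Volume and Win32_ShadowCopy WMI classes and the documented mklink trick on the shadow copy's GLOBALROOT device path. The drive letter E: and the link path C:\vsc_mount are assumptions; substitute the letter Disk Management assigned to your VHD. It must be run from an elevated prompt, and Get-WmiObject is used rather than Get-CimInstance so it also works on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the original post. Lists the Volume Shadow Copies the
# OS currently exposes for one volume and links the newest one into a directory.
# Run elevated. Assumed values: the VHD mounted as E:, link created at C:\vsc_mount.
param(
    [string]$Volume   = 'E:',            # assumed: drive letter of the mounted VHD
    [string]$LinkPath = 'C:\vsc_mount'   # assumed: directory that will point at the copy
)

# Win32_ShadowCopy.VolumeName is a \\?\Volume{GUID}\ path, not a drive letter,
# so resolve the letter to its volume GUID via Win32_Volume first.
$vol = Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter -eq $Volume }
if (-not $vol) { Write-Error "Volume $Volume not found. Is the VHD attached?"; return }

# Only copies whose VolumeName matches the target volume are relevant; sort oldest first.
$copies = @(Get-WmiObject Win32_ShadowCopy |
            Where-Object { $_.VolumeName -eq $vol.DeviceID } |
            Sort-Object InstallDate)

if ($copies.Count -eq 0) {
    # This is the state the post describes before the reboot: the OS knows the
    # volume but has not enumerated its shadow copies yet.
    Write-Warning "No shadow copies visible for $Volume"
    return
}

# Show what is available; the InstallDate is the snapshot time shown by Shadow Explorer.
$copies | Format-Table ID, InstallDate, DeviceObject -AutoSize

# Expose the most recent copy as a directory. DeviceObject looks like
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN and mklink needs a trailing
# backslash on that path; the shadow device itself is read-only.
$target = $copies[-1].DeviceObject + '\'
cmd /c mklink /d $LinkPath $target | Out-Null

# Quick sanity check that the snapshot is browsable.
Get-ChildItem $LinkPath | Select-Object -First 10 Name, LastWriteTime
```

To inspect a different snapshot, change `$copies[-1]` to another index from the table, and remove the link afterwards with `cmd /c rmdir C:\vsc_mount` (rmdir on a directory symbolic link removes only the link, not the snapshot). If the script reports no visible copies for the attached VHD, that matches the behaviour the author saw before rebooting; it does not by itself tell you whether the image contains any.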
5/27/11- Changed the link for the AntiForensics.net reference in this post with the link to the original Windows IR Blog post by Harlan Carvey.