Volume Shadow Copies


Author Name

Artifact Name
Volume Shadow Copies

Artifact/Program Version
Windows 7

This method allows EnCase users to explore the contents of Volume
Shadow Copies. As yet I have only tested this on a Windows 7 x64
machine; I cannot say how effective it will be on other systems.

Most of this method originates from the paper linked below. (That page was a repost of Harlan Carvey's entry on the Windows IR Blog; see the updated link under "Research Links".)

1. Use the EnScript from Lance Mueller to make a 'dd' image of your
2. Use the VHDTool to create a Virtual Drive from your dd image.
3. Open Disk Management (click Start and enter diskmgmt.msc into the search field).
4. Mount your VHD as a Virtual Disk, selecting "Read Only".

5. This step needs more testing and unfortunately I do not have the
time to do it. If you try to use Shadow Explorer at this stage it will
be unable to see the Virtual Disk. There may be a command-line or
registry hack which will enable this, but I have not yet explored
this option. The solution I did find was to reboot the machine. Once
rebooted, Shadow Explorer can quite happily access the Volume Shadow
Copies and allows you to export any relevant files. There is no search
option, unfortunately.
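As an added example that is not part of the original post, the same procedure from the attach step onward done from an elevated PowerShell prompt on Windows 7: the VHD is attached read-only with diskpart, the shadow copies the VSS service reports are listed, and each one is exposed as a directory symbolic link so its contents can be browsed and searched with ordinary tools (the search that Shadow Explorer lacks). The VHD path and link directory are placeholder assumptions.

```powershell
# Added example (not the original post's code). Assumes an elevated prompt,
# a VHD built by VHDTool from the dd image, and Windows 7 or later.
$VhdPath  = 'D:\case\image.vhd'   # placeholder: VHD produced from the dd image
$LinkRoot = 'C:\vsc'              # placeholder: where per-snapshot links are created

# 1. Attach the VHD read-only. diskpart's vdisk commands are native on Windows 7,
#    so no extra tooling is needed for this part.
$dpScript = Join-Path $env:TEMP 'attach_vhd.txt'
@("select vdisk file=`"$VhdPath`"", 'attach vdisk readonly') |
    Set-Content -Path $dpScript -Encoding ASCII
diskpart /s $dpScript | Out-Null

# 2. Ask the Volume Shadow Copy service which snapshots it knows about.
#    This lists the host's own copies as well; VolumeName shows which
#    \\?\Volume{GUID}\ each one belongs to. DeviceObject is the snapshot
#    device, e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
$shadows = Get-WmiObject -Class Win32_ShadowCopy

New-Item -ItemType Directory -Path $LinkRoot -Force | Out-Null

foreach ($s in $shadows) {
    $created = [Management.ManagementDateTimeConverter]::ToDateTime($s.InstallDate)
    $link    = Join-Path $LinkRoot ('vsc_' + $created.ToString('yyyyMMdd_HHmmss'))

    # 3. A directory symbolic link to the snapshot device makes it readable
    #    like any folder. The trailing backslash on the target is required.
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    '{0}  volume={1}  created={2}' -f $link, $s.VolumeName, $created
}

# 4. With the links in place every snapshot can be searched at once,
#    e.g. all event logs across all copies:
Get-ChildItem -Path $LinkRoot -Recurse -Filter *.evtx -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
```

If the copies on the freshly attached VHD do not appear in the Win32_ShadowCopy list, the same reboot the post describes for Shadow Explorer applies; the links are only valid while the VHD stays attached.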

Registry Keys

File Locations
System Restore

Research Links

Forensic Programs of Use
Shadow Explorer

5/27/11- Changed the link for the reference in this post with the link to the original Windows IR Blog post by Harlan Carvey.


H. Carvey
May 27, 2011

Joe G
May 27, 2011

Thanks for the heads-up. I have updated this post accordingly.

May 27, 2011

My apologies Harlan. I hadn't noticed that.
