Volume Shadow Copies (VSCs) are important during Windows PC investigations as they contain historical snapshots of moments and activities in time. When a user deletes data from an active partition on a hard drive, data may exist in VSCs. Thus, it’s important to examine them during Windows investigations.

Cellebrite Inspector offers robust filters to zoom in on VSCs and filter the data contained in them. This video will cover how to isolate VSCs and how to filter within them. We’ll also explain the various filter options to ultimately ensure examiners are aware of how Cellebrite Inspector can make their investigations more efficient by leveraging robust filtering capabilities.

It’s wise for IT people to set up VSCs in case your forensic workstation goes down or your workplace computer crashes, and you expect to be able to revert back instantaneously to continue your daily actions.

When people go back and do mass deletions of files or if malware hits the system, they don’t think about how it looked historically. Are you actually going to take the time to revert back to all of your systems snapshots and delete the files from there? Most likely, not. Yet this is usually where criminals get sloppy and why this information can help during investigations.

In Inspector, under “Evidence,” you have the option to see all of the Shadow Copies from different points and times. You can simply check or uncheck the ones you want to look at.

If you hover above each Shadow Copy, you can also see its relevant date and time.

Depending on your investigation, you may only want to include time periods of interest and then expand your search, or you may want to include everything and then use file filters.

Under “File Filters,” I have “All” selected so when you scroll down to “Snapshot VSC” you can see the VSCs.

When you click “All Files,” you can see everything that is in those VSCs.

There are also many options for filtering files that have changed within a snapshot of files that exist in more than one snapshot.

The filtering option can be useful in two different ways:

  1. If you have an executable that landed on a system and you’re working on an incident response case, you may want to know how long it has been there. Just look back in the VSC.
  2. If you want to know how long ago someone deleted a file, this will show you which one it is unique in.

The last common filter that I use is files that are unique to the active partition or to a snapshot. If you only want to see things that are 100% unique and not duplicated across multiple images, this is the option you want to select.

Once you do this, the filtering is up to you. You can filter by file name, type, metadata, and more. I recommend watching the Ask the Expert segment on filtering so you can become more knowledgeable on the meaning of conditions and groups.

Volume Shadow Copies are critical to most Windows forensic investigations. It is very important not to overlook them and to know how Inspector searches for them, and the ways you can leverage them to dig deep into your investigations.

Share this post