What we found in the Volume Shadow Copy for Windows 7
After creating a raw image of the Volume Shadow Copy, we were able to view it in both FTK and Encase. We most often used Encase to examine the raw image file and received positive results. We cross referenced the log of what was done on the original virtual machine image with what we saw in Encase. We were able to view the activity logged on the original image, including all of the browser history, a downloaded picture, and a file that was sent to the recycling bin. We found this pretty exciting, as this shows the importance of Volume Shadow Copies to forensic investigators. We also discovered that with the new version of Internet Evidence Finder (V. 6.3) they integrated a Volume Shadow Copy viewer that was more precise and more reliable. We only ran the trial so we did not get the full results but we did get a good amount of information from IEF which matched our results from Encase.
We were able to view the downloading of the image and a large portion of the browser history that matched up with the log. This was even more encouraging, as it backed up our results from the raw image of the Volume Shadow Copy. Being able to view Volume Shadow Copies is a valuable asset to forensic examiners and law enforcement. These results enforce our belief that you can discover a lot about what was stored on a device at a certain time with Volume Shadow Copies.
To read the previous Volume Shadow Copy blog, go here:
http://computerforensicsblog.champlain.edu/2014/02/05/volume-shadow-copy-part-2/
-Scott Barrett