Volume Shadow Copy Analysis
Tools Used: ShadowCopyView, Shadow Explorer, WinHex, FTK Imager
October 2025
- Accessed and analyzed Windows Volume Shadow Copies (VSS) to compare file system states over time and identify created/modified/deleted file activity using VSSAdmin and FTK Imager
- Extracted and recovered prior file versions from shadow copies with vss-carve, validating changes across multiple snapshots to support evidence integrity
- Built a file-change timeline from snapshot metadata and NTFS artifacts using Autopsy and comparison techniques to document system state progression