Silhouette: Volume shadow copy analyzer

Jewan Bang, Sangjin Lee

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

1 Citation (Scopus)


The Volume Shadow Copy Service is a backup infrastructure provided by Windows that creates point-in-time copies of a volume. Windows Vista and later versions use the service instead of the earlier restore point feature. Whereas the restore-point feature logically copies and stores specified files, Volume Shadow copies and stores only data that change in the volume. In a live system, Volume Shadow copies can be checked and recovered through commands provided by the system, but it is difficult to analyze files stored in the Volume Shadow copies of a dead system, such as a disk image, because only changed data are stored. Hence, this study analyzed the structure of Volume Shadow Copy files that are logically stored. This analysis confirmed the locations of changed data and original copies by identifying a structure that stores the file data stream to file system metadata. On the basis of our research, we propose a practical application by developing tools that enable recovery of snapshot data stored within Volume Shadow Copy files; we also present a successful case study.

Original language: English
Title of host publication: Future Information Technology, Application, and Service, FutureTech 2012
Number of pages: 10
Edition: VOL. 1
Publication status: Published - 2012
Event: 7th FTRA International Conference on Future Information Technology, FutureTech 2012 - Vancouver, BC, Canada
Duration: 2012 Jun 26 - 2012 Jun 28

Publication series

Name: Lecture Notes in Electrical Engineering
Number: VOL. 1
Volume: 164 LNEE
ISSN (Print): 1876-1100
ISSN (Electronic): 1876-1119


Other: 7th FTRA International Conference on Future Information Technology, FutureTech 2012
City: Vancouver, BC


  • Backup recovery
  • Digital evidence
  • Digital forensics
  • Windows

ASJC Scopus subject areas

  • Industrial and Manufacturing Engineering

