TY - GEN
T1 - Silhouette
T2 - 7th FTRA International Conference on Future Information Technology, FutureTech 2012
AU - Bang, Jewan
AU - Lee, Sangjin
PY - 2012
Y1 - 2012
N2 - The Volume Shadow Copy Service is a backup infrastructure provided by Windows that creates point-in-time copies of a volume. Windows Vista and later versions use the service instead of the earlier restore point feature. Whereas the restore-point feature logically copies and stores specified files, Volume Shadow copies and stores only data that change in the volume. In a live system, Volume Shadow copies can be checked and recovered through commands provided by the system, but it is difficult to analyze files stored in the Volume Shadow copies of a dead system, such as a disk image, because only changed data are stored. Hence, this study analyzed the structure of Volume Shadow Copy files that are logically stored. This analysis confirmed the locations of changed data and original copies by identifying a structure that stores the file data stream to file system metadata. On the basis of our research, we propose a practical application by developing tools that enable recovery of snapshot data stored within Volume Shadow Copy files; we also present a successful case study.
AB - The Volume Shadow Copy Service is a backup infrastructure provided by Windows that creates point-in-time copies of a volume. Windows Vista and later versions use the service instead of the earlier restore point feature. Whereas the restore-point feature logically copies and stores specified files, Volume Shadow copies and stores only data that change in the volume. In a live system, Volume Shadow copies can be checked and recovered through commands provided by the system, but it is difficult to analyze files stored in the Volume Shadow copies of a dead system, such as a disk image, because only changed data are stored. Hence, this study analyzed the structure of Volume Shadow Copy files that are logically stored. This analysis confirmed the locations of changed data and original copies by identifying a structure that stores the file data stream to file system metadata. On the basis of our research, we propose a practical application by developing tools that enable recovery of snapshot data stored within Volume Shadow Copy files; we also present a successful case study.
KW - Backup recovery
KW - Digital evidence
KW - Digital forensics
KW - Windows
UR - http://www.scopus.com/inward/record.url?scp=84867060948&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84867060948&partnerID=8YFLogxK
U2 - 10.1007/978-94-007-4516-2_76
DO - 10.1007/978-94-007-4516-2_76
M3 - Conference contribution
AN - SCOPUS:84867060948
SN - 9789400745155
T3 - Lecture Notes in Electrical Engineering
SP - 721
EP - 730
BT - Future Information Technology, Application, and Service, FutureTech 2012
Y2 - 26 June 2012 through 28 June 2012
ER -