Silhouette: Volume shadow copy analyzer

Jewan Bang, Sangjin Lee

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    1 Citation (Scopus)

    Abstract

    The Volume Shadow Copy Service is a backup infrastructure provided by Windows that creates point-in-time copies of a volume. Windows Vista and later versions use the service instead of the earlier restore point feature. Whereas the restore-point feature logically copies and stores specified files, Volume Shadow copies and stores only data that change in the volume. In a live system, Volume Shadow copies can be checked and recovered through commands provided by the system, but it is difficult to analyze files stored in the Volume Shadow copies of a dead system, such as a disk image, because only changed data are stored. Hence, this study analyzed the structure of Volume Shadow Copy files that are logically stored. This analysis confirmed the locations of changed data and original copies by identifying a structure that stores the file data stream to file system metadata. On the basis of our research, we propose a practical application by developing tools that enable recovery of snapshot data stored within Volume Shadow Copy files; we also present a successful case study.

    Original language: English
    Title of host publication: Future Information Technology, Application, and Service, FutureTech 2012
    Pages: 721-730
    Number of pages: 10
    Edition: VOL. 1
    DOIs
    Publication status: Published - 2012
    Event: 7th FTRA International Conference on Future Information Technology, FutureTech 2012 - Vancouver, BC, Canada
    Duration: 2012 Jun 26 to 2012 Jun 28

    Publication series

    Name: Lecture Notes in Electrical Engineering
    Number: VOL. 1
    Volume: 164 LNEE
    ISSN (Print): 1876-1100
    ISSN (Electronic): 1876-1119

    Other

    Other: 7th FTRA International Conference on Future Information Technology, FutureTech 2012
    Country/Territory: Canada
    City: Vancouver, BC
    Period: 12/6/26 to 12/6/28

    Keywords

    • Backup recovery
    • Digital evidence
    • Digital forensics
    • Windows

    ASJC Scopus subject areas

    • Industrial and Manufacturing Engineering
