1. Forensic analysis of volume shadow copy in Windows 7
- Author
S. C. Sreeja and C. Balan
- Subjects
Computer science, business.industry, Volume (computing), computer.software_genre, Task (computing), Shadow, Shadow memory, Data_FILES, Key (cryptography), Microsoft Windows, Computer vision, Data mining, Artificial intelligence, Suspect, business, computer, Image restoration
- Abstract
The main goal of an investigator in Cyber forensics methodology is to extract evidence related to the crime from the suspect's computer. In some cases, the task becomes more tedious if the suspect wiped out the evidence associated with the crime. Volume Shadow Copy is one of the key areas where evidence can be extracted even after wiping of previous information from the disk. Volume Shadow Copy is a Windows operating system specific technology that creates snapshots of disk volumes. Although the suspect removes the information related to a crime, it may be possible to find out the traces by decoding and analyzing the volume shadow copy snapshots. This paper explains how to decode and analyze the Volume Shadow Copy files and obtain forensic-related artifacts from a Windows 7 OS installed partition image by constructing a shadow copy of the volume.
- Published
2016