
Volume Shadow Copies

Computer forensics is the practice of collecting, analyzing, and presenting digital data in a manner that is legally admissible. It is commonly used in criminal investigations to identify and examine evidence found on computers and other digital devices.

One important tool used in computer forensics is the volume shadow copy. A volume shadow copy is a snapshot of data on a computer's hard drive that is automatically created by the operating system. This snapshot is taken at a specific point in time, and it can be used to recover data that has been deleted or otherwise lost. This data is extracted from a forensic image by a computer forensics examiner.

The role of volume shadow copies in computer forensics is to provide investigators with access to data that may not be readily available through other means. For example, if a suspect has deleted files from their computer in an attempt to hide evidence, a volume shadow copy may still contain those files. This can be particularly useful in cases where the suspect has also attempted to destroy the hard drive itself, as the volume shadow copy may still be accessible even if the hard drive has been damaged.

Volume shadow copies can also be used to recover data that has been encrypted or otherwise obscured. This is because a volume shadow copy created before the encryption or obscuring was applied contains the original, unaltered data. This can be especially useful in cases where the encryption key has been lost or destroyed, as the data in the volume shadow copy can be analyzed without the need for the key.

In addition to their role in recovering deleted or obscured data, volume shadow copies can also be used to identify patterns of behavior or activity on a computer. By analyzing multiple volume shadow copies, investigators can see how data on the computer has changed over time, and this can provide valuable insights into the actions of the user.
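The comparison described above can be sketched in code. This is an added example, not part of the original article: it assumes each shadow copy has already been exposed read-only as a directory tree from the forensic image, and the directory names, file names, and function names are hypothetical, with constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def timeline(snapshots):
    """snapshots: (label, root) pairs ordered oldest to newest.
    Returns (label, path, change) for every difference from the previous view."""
    events = []
    prev = manifest(snapshots[0][1])
    for label, root in snapshots[1:]:
        cur = manifest(root)
        for path in sorted(set(prev) | set(cur)):
            if path not in prev:
                events.append((label, path, "added"))
            elif path not in cur:
                # Gone from this view, but still readable in the earlier one.
                events.append((label, path, "deleted"))
            elif prev[path] != cur[path]:
                events.append((label, path, "modified"))
        prev = cur
    return events

def build_sample(base):
    """Constructed sample data: three directories standing in for mounted views."""
    layout = [
        ("shadow1", {"docs/ledger.csv": b"a,1\n", "notes.txt": b"draft"}),
        ("shadow2", {"docs/ledger.csv": b"a,9\n", "notes.txt": b"draft"}),
        ("current", {"notes.txt": b"draft", "wipe.log": b"done"}),
    ]
    for label, files in layout:
        for rel, data in files.items():
            target = Path(base, label, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
    return [(label, Path(base, label)) for label, _ in layout]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for event in timeline(build_sample(tmp)):
            print(event)
```

Each "deleted" event names a file that is absent from the later view but can still be read from the earlier shadow copy, and each "modified" event marks a file whose prior version is preserved there.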

One potential limitation for computer forensic examiners is that volume shadow copies are not always available. Depending on the operating system and the settings, a volume shadow copy may not be created for every single file on a computer, and there may be gaps in the data that is preserved. Additionally, the volume shadow copies themselves can be deleted or otherwise tampered with, which can make it difficult for investigators to access the data they contain.

Despite these limitations, volume shadow copies are an important tool in the arsenal of the computer forensics investigator. They provide a way to access data that may not be readily available through other means, and they can be an invaluable source of information in criminal investigations.



The American Society of

     Digital Forensics & eDiscovery, Inc®

      For Digital Evidence Experts™

      2451 Cumberland Parkway, Suite 3382 

     Atlanta, GA 30339-6157

     (404) 919-1143











Copyright 2024

All Rights Reserved
