This is a Volume Shadow Copy Service (VSS) examination EnScript for EnCase.
The examiner uses the script by first mounting the target disk/volume with the EnCase Physical Disk Emulator (PDE), noting which volume(s) have been mounted, and then running the script.
The script enumerates the volume shadow copies on the system and presents a dialog in which the examiner chooses the shadow copies to process.
The script then mounts the chosen shadow copies into sub-folders of a nominated root mount-point folder and searches for items in the current case that match filter criteria specified by the examiner. These criteria can be based on name, path, file extension and size.
The script adds the MD5 hash of each matching item to a list of unique hashes and then iterates through all of the mounted volume shadow copies looking for files that match the same criteria.
If a file matches the criteria but its hash is not in the list, it is added to a logical evidence file (LEF). The examiner can choose whether to include additional copies of the same file or exclude them.
The script uses WMI to enumerate the volume shadow copies on the system. This is more efficient than parsing VSSADMIN output and avoids problems interpreting that output on non-English (localised) systems.
Use of WMI also allows the script to present a list showing each volume shadow copy and its creation date before processing starts, so the examiner can choose the volume shadow copies to process without having to process them all.
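The workflow above (WMI enumeration with creation dates, examiner selection, mounting under a root folder, criteria filtering, and hash-based deduplication against the live volume) can be reproduced outside EnCase with PowerShell. The following is an added example written for this page; it is not the EnScript itself and produces a CSV report rather than an LEF. The mount root, filter parameters and report path are assumed defaults, and the session must be elevated. Because a PDE-mounted volume is an ordinary volume to Windows, the same Win32_ShadowCopy query sees its snapshots.

```powershell
# Added example, not the EnScript: enumerate VSS snapshots via WMI, mount the
# chosen ones with mklink, and collect matching files whose MD5 is not already
# present on the live volume. Run from an elevated PowerShell session.
param(
    [string]$MountRoot     = 'C:\vss_mount',      # assumed root mount-point folder
    [string]$NamePattern   = '*.docx',            # name / extension criterion
    [string]$SearchSubPath = 'Users',             # path criterion, relative to the volume root
    [long]$MinSize         = 1,                   # size criteria (bytes)
    [long]$MaxSize         = 50MB,
    [string]$ReportCsv     = 'C:\vss_mount\unique_versions.csv'  # assumed output
)

# 1. Enumerate shadow copies through WMI (Win32_ShadowCopy) and join each to its
#    volume's drive letter via Win32_Volume, so the list shows drive and date.
$volumes = Get-CimInstance Win32_Volume | Where-Object DriveLetter
$shadows = Get-CimInstance Win32_ShadowCopy | ForEach-Object {
    $vol = $volumes | Where-Object DeviceID -eq $_.VolumeName
    [pscustomobject]@{
        ID           = $_.ID
        Created      = $_.InstallDate          # DateTime, not a localised string
        Drive        = $vol.DriveLetter
        DeviceObject = $_.DeviceObject         # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    }
} | Sort-Object Created
$shadows | Format-Table -AutoSize | Out-String | Write-Host

# 2. Let the examiner pick which snapshots to process (interactive; for an
#    unattended run replace this with a fixed selection such as $shadows[-1]).
$chosen = $shadows | Out-GridView -Title 'Select shadow copies to process' -PassThru
if (-not $chosen) { return }

# 3. Mount each chosen snapshot under $MountRoot\<drive>_<n> as a directory
#    symbolic link. The trailing backslash on the device path is required.
New-Item -ItemType Directory -Force -Path $MountRoot | Out-Null
$mounts = @()
$n = 0
foreach ($s in $chosen) {
    $n++
    $target = Join-Path $MountRoot ('{0}_{1:D3}' -f $s.Drive.TrimEnd(':'), $n)
    if (-not (Test-Path -LiteralPath $target)) {
        cmd.exe /c mklink /d "$target" "$($s.DeviceObject)\" | Out-Null
    }
    $mounts += [pscustomobject]@{ Snapshot = $s; Path = $target }
}

function Get-Candidates([string]$Root) {
    # Apply the examiner's criteria: name/extension, path and size.
    Get-ChildItem -Path (Join-Path $Root $SearchSubPath) -Filter $NamePattern `
        -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -ge $MinSize -and $_.Length -le $MaxSize }
}

# 4. Seed the unique-hash set with the live volume's matching files, so only
#    content that differs from what is already on disk is reported.
$seen = @{}
foreach ($drive in ($chosen | Select-Object -ExpandProperty Drive -Unique)) {
    foreach ($f in Get-Candidates "$drive\") {
        $seen[(Get-FileHash -Algorithm MD5 -LiteralPath $f.FullName).Hash] = $true
    }
}

# 5. Walk the mounted snapshots oldest-first and record files with a new hash.
$report = foreach ($m in $mounts) {
    foreach ($f in Get-Candidates $m.Path) {
        $h = (Get-FileHash -Algorithm MD5 -LiteralPath $f.FullName).Hash
        if ($seen.ContainsKey($h)) { continue }   # identical content already collected
        $seen[$h] = $true
        [pscustomobject]@{
            SnapshotID = $m.Snapshot.ID
            Created    = $m.Snapshot.Created
            Path       = $f.FullName
            Size       = $f.Length
            MD5        = $h
        }
    }
}
if ($report) { $report | Export-Csv -NoTypeInformation -Path $ReportCsv }
'{0} unique prior versions written to {1}' -f @($report).Count, $ReportCsv

# 6. Remove the symbolic links only; the snapshots themselves are untouched.
foreach ($m in $mounts) { cmd.exe /c rmdir "$($m.Path)" | Out-Null }
```

Two points worth checking when adapting this: the dedup is by content hash alone, so the report lists each distinct version once regardless of how many snapshots contain it (the script's "exclude additional copies" behaviour; drop the `ContainsKey` test to keep every copy), and the snapshot must still exist when the link is used, so do not let the live system prune snapshots mid-run.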
The following points should be noted:
- Some files from Windows 10 volume shadow copies may have incomplete data. It's not clear why.
- Starting with version 8.07, EnCase has native volume shadow copy support.
Additional help is provided as a self-extracting PDF file, which is written to the same folder as the script the first time the script is executed.