More on Volume Shadow Copies

In a recent blog entry we highlighted BlackLight's ability to parse and display Volume Shadow Copies (VSCs), one of several new Windows analysis features in 2016 R1. As discussed in the previous entry, VSCs can be extremely important from a forensic standpoint in cases involving Windows volumes.

There's one aspect about viewing VSCs in BlackLight that was not covered in the prior entry, and that's how to remove VSCs from a case. Say, for instance, you're working on a case in BlackLight and examining data from a Windows system (Windows 7, 1TB disk). You find there are 19 Volume Shadow Copies present, and once all of them are processed, the data set for the case grows to over 30TB! In this situation you may want to save space and remove some of the VSCs, keeping only the oldest and most recent VSCs. Since BlackLight does not show the VSCs as separate evidence items in the 'Component List' one might ask, "How would I remove a VSC once it has been processed?"

To remove a VSC from a case, follow these steps:


1.  In the 'Evidence Status' window, select the Rerun button in the 'Advanced' column for the appropriate Windows volume.

[Figure: 1-more-volume-shadow-copies]

2. A window appears displaying advanced processing options. Select the Parse Volume Shadow Copies option and BlackLight displays the Windows volume and its available VSCs. Notice that BlackLight indicates which VSCs have been parsed and which remain unparsed.

3. Right-click (or Control-click) the VSC to be removed, and select [Remove VSC...] from the contextual menu that appears. (Only VSCs that have been processed and added to the case are available for this action.)

[Figure: 2-more-volume-shadow-copies]

4. A dialog window appears, prompting for confirmation.

[Figure: 3-more-volume-shadow-copies]

Select Remove, and the VSC is removed from the case file.

Repeat this process to remove any additional VSCs from the case. Alternatively, the examiner can remove all available VSCs for a partition at once by right-clicking (or Control-clicking) the partition and choosing [Remove All VSCs For Partition...].

[Figure: 4-more-volume-shadow-copies]

Have further questions about working with Volume Shadow Copies, or other aspects of digital forensics? Feel free to reach out to the BlackBag training team for assistance. We're here to help.
