# Exploring Volume Shadow Copies Manually

Download and install Arsenal Image Mounter

{% embed url="<https://github.com/ArsenalRecon/Arsenal-Image-Mounter>" %}

Run Arsenal Image MountTool. This installs a virtual SCSI controller driver and allows you to interact with your image.

Mount your image with Arsenal Image Mounter

<div align="left"><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MAcqFKR60dGwoJxmUG5%2F-MK8qAGQx3ZGrmJhiBki%2F-MK8tuQebJTLxz4jhgEJ%2Fimage.png?alt=media&#x26;token=5eb73c18-dda8-4656-bf64-6cedd329c180" alt=""></div>

Select ‘mount through libewf’, which is what we require: we’re mounting a split E01 image series, which is in the EWF format.

Mount options. We require ‘Read only’ to preserve the integrity of our image.

<div align="left"><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MAcqFKR60dGwoJxmUG5%2F-MK8qAGQx3ZGrmJhiBki%2F-MK8u9-6FTirBu5NmGsX%2Fimage.png?alt=media&#x26;token=e8a2f764-40e9-4c17-aa5b-ca1baf983f9c" alt="Select necessary options"></div>

<div align="left"><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MAcqFKR60dGwoJxmUG5%2F-MK8qAGQx3ZGrmJhiBki%2F-MK8uAxnRVJ8y2_oP2zA%2Fimage.png?alt=media&#x26;token=e1a25cca-254a-4f65-a1aa-c36c18c494a8" alt="Disk is now mounted"></div>

Our primary/operating system partition is now mounted as K:

![](https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MAcqFKR60dGwoJxmUG5%2F-MK8qAGQx3ZGrmJhiBki%2F-MK8uLOVqVSam3hH5opC%2Fimage.png?alt=media\&token=8a32af39-fb82-4430-9582-63ebd13f682f)

Open an elevated command prompt and list the shadow copies for K:

```
C:\> vssadmin list shadows /for=K:
```

<div align="left"><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MAcqFKR60dGwoJxmUG5%2F-MK8qAGQx3ZGrmJhiBki%2F-MK8uQF69kbYAAihyjjF%2Fimage.png?alt=media&#x26;token=96b5b7cb-fb9c-40c9-a721-a8eb9e209703" alt=""></div>

Change to your working directory

```
C:\> cd C:\users\user\Desktop\Temp
```

Create a symbolic link to the required volume shadow copy. Make sure you include the trailing backslash after `HarddiskVolumeShadowCopy4`.

```
C:\> mklink /D vss4 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\

C:\> cd vss4
C:\> dir
```

<div align="left"><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MAcqFKR60dGwoJxmUG5%2F-MK8qAGQx3ZGrmJhiBki%2F-MK8uvn9cFZN9xsBuphr%2Fimage.png?alt=media&#x26;token=64d40abf-c672-4d0a-9aef-eeb57d484f79" alt=""></div>

Obviously this will become rather tedious if you're searching multiple shadow copies across multiple disks, however if you're only looking to see whether a particular file exists in a known location, this can be a quick and easy method.
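The steps above can be scripted when there are several shadow copies to check. The following is an added example, not part of the original page: it parses `vssadmin list shadows` output, builds the same `mklink` command for each shadow copy, and reports which copies contain a given file. It assumes English-language `vssadmin` output and an elevated prompt; the sample output, the `vssN` link names and the file path are constructed for illustration.

```python
import os
import re
import subprocess

# Constructed sample of `vssadmin list shadows /for=K:` output; IDs and times are made up.
SAMPLE = r"""
Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 10/12/2020 9:15:32 AM
      Shadow Copy ID: {22222222-2222-2222-2222-222222222222}
         Original Volume: (K:)\\?\Volume{33333333-3333-3333-3333-333333333333}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4

Contents of shadow copy set ID: {44444444-4444-4444-4444-444444444444}
   Contained 1 shadow copies at creation time: 10/19/2020 9:20:07 AM
      Shadow Copy ID: {55555555-5555-5555-5555-555555555555}
         Original Volume: (K:)\\?\Volume{33333333-3333-3333-3333-333333333333}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
"""
CREATED = re.compile(r"creation time:\s*(.+)")
VOLUME = re.compile(r"Shadow Copy Volume:\s*(\S+HarddiskVolumeShadowCopy(\d+))")

def parse_shadows(text):
    """Return [(index, device_path, creation_time)] for each shadow copy listed."""
    shadows, created = [], None
    for line in text.splitlines():
        if m := CREATED.search(line):
            created = m.group(1).strip()  # applies to the copies that follow in this set
        elif m := VOLUME.search(line):
            shadows.append((int(m.group(2)), m.group(1), created))
    return shadows

def mklink_command(index, device):
    """Same command as typed by hand above; the trailing backslash is required."""
    return f"mklink /D vss{index} {device}\\"

def find_in_shadows(shadows, rel_path, workdir="."):
    """Link each shadow copy under workdir (if not linked yet) and test for rel_path."""
    hits = []
    for index, device, created in shadows:
        link = os.path.join(workdir, f"vss{index}")
        if not os.path.lexists(link):  # mklink is a cmd.exe builtin, hence shell=True
            subprocess.run(mklink_command(index, device), shell=True, check=True, cwd=workdir)
        if os.path.exists(os.path.join(link, rel_path)):
            hits.append((index, created))
    return hits

if __name__ == "__main__":  # Windows only, elevated prompt, image mounted as K:
    out = subprocess.run(["vssadmin", "list", "shadows", "/for=K:"],
                         capture_output=True, text=True, check=True).stdout
    for n, when in find_in_shadows(parse_shadows(out), r"Users\user\Desktop\notes.txt"):
        print(f"present in HarddiskVolumeShadowCopy{n} (created {when})")
```

Remove the `vssN` links with `rmdir` when you are finished; deleting a directory symbolic link does not touch the shadow copy it points to.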

