Exploring Volume Shadow Copies Manually

How to explore volume shadow copies manually with opensource tools

Download and install Arsenal Image Mounter
GitHub - ArsenalRecon/Arsenal-Image-Mounter: Arsenal Image Mounter mounts the contents of disk images as complete disks in Microsoft Windows.
GitHub
Run Arsenal Image MountTool. This installs a virtual SCSI controller driver and allows you to interact with your image.
Mount your image with Arsenal Image Mounter

Select ‘mount through libewf’ which is what we require (we’re mounting a split E01 image series which is in the EWF format).
Mount options. We require ‘Read only’ to preserve the integrity of our image.
Select necessary options
Disk is now mounted

Our primary/operating system partition is now mounted as K:
Open an elevated command prompt
C:> vssadmin list shadows /for=K:
Enter working directory
C:> cd C:\users\user\Desktop\Temp
Create symbolic link to required volume shadow copy
$ mklink /D vss4 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\
(make sure you include trailing slash after HarddiskVolumeShadowCopy4)
​
C:> cd vss4
C:> dir
Obviously this will become rather tedious if you're searching multiple shadow copies across multiple disks, however if you're only looking to see whether a particular file exists in a known location, this can be a quick and easy method.

General Notes - Previous

mitm proxy

Next - General Notes

Resize VMDK/VDI

Last modified 2yr ago