Exploring Volume Shadow Copies Manually

How to explore volume shadow copies manually with opensource tools

Download and install Arsenal Image Mounter

GitHub - ArsenalRecon/Arsenal-Image-Mounter: Arsenal Image Mounter mounts the contents of disk images as complete disks in Microsoft Windows.GitHub

Run Arsenal Image MountTool. This installs a virtual SCSI controller driver and allows you to interact with your image.

Mount your image with Arsenal Image Mounter

Select ‘mount through libewf’ which is what we require (we’re mounting a split E01 image series which is in the EWF format).

Mount options. We require ‘Read only’ to preserve the integrity of our image.

Our primary/operating system partition is now mounted as K:

Open an elevated command prompt

C:> vssadmin list shadows /for=K:

Enter working directory

C:> cd C:\users\user\Desktop\Temp

Create symbolic link to required volume shadow copy

$ mklink /D vss4 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\
(make sure you include trailing slash after HarddiskVolumeShadowCopy4)

C:> cd vss4
C:> dir

Obviously this will become rather tedious if you're searching multiple shadow copies across multiple disks, however if you're only looking to see whether a particular file exists in a known location, this can be a quick and easy method.

Previousmitm proxy NextResize VMDK/VDI

Last updated 5 years ago