Digital Forensics & Incident Response
Search…
Digital Forensics & Incident Response
Welcome
General Notes
S3FS Fuse and MinIO
Enable nested VT-X/AMD-V
mitm proxy
Exploring Volume Shadow Copies Manually
Resize VMDK/VDI
Resize VMDK on ESXi
Convert raw to vmdk
Favicon hashing and hunting with Shodan
WinRM/RemotePS
Windows Forensics
Security Patch/KB Install Date
Linux Forensics
Inspecting RPM/DEB packages
Common Locations
ESXi Forensics
Understanding ESXi
General Notes
Triage and Imaging
ESXi VMFS Exploration
Memory Forensics
Volatility
Acquisition
Incident Response
VirusTotal & hash lists
Unix-like Artifacts Collector (UAC)
Acquiring Linux VPS via SSH
AVML dump to SMB / AWS
China Chopper webshell
Logging Powershell activities
Compromised UniFi Controller
AnyDesk Remote Access
iOS Forensics
Checkm8 / checkra1n acquisitions/extractions
CTF / Challenges
DEFCON 2019 forensics
Tomcat shells
Magnet Weekly CTF
DFIR Madness CTF
Log Files
Windows
Malware Analysis
PDF Analysis
Walking the VAD tree
OpenCTI
What is CTI/OpenCTI?
Setting up OpenCTI
Container Management
Configure Connectors
Powered By GitBook
Exploring Volume Shadow Copies Manually
How to explore volume shadow copies manually with opensource tools
Download and install Arsenal Image Mounter
GitHub - ArsenalRecon/Arsenal-Image-Mounter: Arsenal Image Mounter mounts the contents of disk images as complete disks in Microsoft Windows.
GitHub
Run Arsenal Image MountTool. This installs a virtual SCSI controller driver and allows you to interact with your image.
Mount your image with Arsenal Image Mounter
Select ‘mount through libewf’ which is what we require (we’re mounting a split E01 image series which is in the EWF format).
Mount options. We require ‘Read only’ to preserve the integrity of our image.
Select necessary options
Disk is now mounted
Our primary/operating system partition is now mounted as K:
Open an elevated command prompt
C:> vssadmin list shadows /for=K:
Enter working directory
C:> cd C:\users\user\Desktop\Temp
Create symbolic link to required volume shadow copy
$ mklink /D vss4 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\
(make sure you include trailing slash after HarddiskVolumeShadowCopy4)
​
C:> cd vss4
C:> dir
Obviously this will become rather tedious if you're searching multiple shadow copies across multiple disks, however if you're only looking to see whether a particular file exists in a known location, this can be a quick and easy method.
General Notes - Previous
mitm proxy
Next - General Notes
Resize VMDK/VDI
Last modified 1yr ago
Copy link