
EnCase App Central


VSS Examiner

This is a Volume Shadow-Copy Service (VSS) examination EnScript designed for EnCase.

The examiner uses the script by first mounting a target disk or volume with the EnCase Physical Disk Emulator (PDE), noting the volume(s) that have been mounted, and then running the script.

The script will enumerate the volume shadow copies on the system and then present a dialog allowing the examiner to choose the volume shadow copies that he/she wishes to process.

The script will then mount the chosen shadow copies into sub-folders of a nominated root mount-point folder and search for items in the current case that match filter criteria specified by the examiner. These criteria can be based on name, path, file extension and size.

The script will add the MD5 hash of each matching item to a list of unique hashes and then iterate through all of the mounted volume shadow copies looking for files that match the same criteria.

If a file is found that matches the criteria but whose hash is not in the list, it will be added to a logical evidence file (LEF). The user can choose whether to add additional copies of the same file or exclude them.

The script uses WMI to enumerate the volume shadow copies on the system. This is more efficient than parsing command output and avoids problems interpreting the output of VSSADMIN on non-English systems.

Use of WMI also allows the script to present a list showing each volume shadow copy and the date it was created before the script starts processing. This last function allows the examiner to choose the volume shadow copies he/she wishes to process without having to process them all.
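The workflow described above (WMI enumeration with creation dates, examiner selection, hash baseline from the live volume, then export of new content from the mounted shadow copies) as an added PowerShell example. This is not the VSS Examiner EnScript or any code by its developer; it is a stand-alone sketch of the same procedure. The folder paths, the filter, the `$KeepDuplicates` switch and the use of a plain export folder in place of a logical evidence file are all assumptions. It must run in an elevated session on the examination machine, since shadow-copy device objects are only accessible to administrators.

```powershell
# Added example, not the VSS Examiner EnScript: the same examine-and-deduplicate
# workflow written against CIM/WMI. Run elevated. All parameter defaults are assumptions.
param(
    [string]$LiveRoot   = 'C:\Users',        # assumption: baseline folder on the live volume
    [string]$MountRoot  = 'C:\vss_mounts',   # assumption: nominated root mount-point folder
    [string]$ExportRoot = 'C:\vss_export',   # assumption: stands in for the logical evidence file
    [string]$Filter     = '*.docx',          # assumption: name/extension filter
    [switch]$KeepDuplicates                  # also export repeated copies of identical content
)

# 1. Enumerate shadow copies through Win32_ShadowCopy instead of parsing VSSADMIN output.
#    InstallDate is the creation time; Get-CimInstance already returns it as [datetime],
#    so no locale-dependent text parsing is involved.
$copies = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate)
if ($copies.Count -eq 0) { throw 'No volume shadow copies found on this system.' }
for ($i = 0; $i -lt $copies.Count; $i++) {
    '[{0}] {1:u}  {2}  {3}' -f $i, $copies[$i].InstallDate, $copies[$i].VolumeName, $copies[$i].DeviceObject
}

# 2. Let the examiner choose which copies to process rather than processing all of them.
$choice = Read-Host 'Indexes to process (comma-separated, blank = all)'
$selected = if ($choice.Trim()) {
    @($choice -split ',' | ForEach-Object { $copies[[int]$_.Trim()] })
} else { $copies }

# 3. Baseline: MD5 of every matching item on the live volume. MD5 is used here only to
#    recognise identical content between copies, not as an integrity control.
$known = [System.Collections.Generic.HashSet[string]]::new()
Get-ChildItem -Path $LiveRoot -Recurse -File -Filter $Filter -ErrorAction SilentlyContinue |
    ForEach-Object { [void]$known.Add((Get-FileHash -Path $_.FullName -Algorithm MD5).Hash) }
"Baseline: $($known.Count) unique hashes under $LiveRoot"

# 4. Expose each chosen copy as a directory symlink under $MountRoot. mklink requires the
#    trailing backslash on the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path.
New-Item -ItemType Directory -Path $MountRoot, $ExportRoot -Force | Out-Null
$results = foreach ($c in $selected) {
    $name = 'VSS_' + $c.InstallDate.ToString('yyyyMMdd_HHmmss') + '_' + $c.ID.Trim('{', '}')
    $link = Join-Path $MountRoot $name
    if (-not (Test-Path -LiteralPath $link)) {
        cmd /c mklink /d "$link" "$($c.DeviceObject)\" | Out-Null
    }

    # 5. Walk the shadow copy with the same filter; export anything whose hash is new
    #    (or everything matching, if the examiner asked to keep duplicates).
    Get-ChildItem -Path $link -Recurse -File -Filter $Filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash  = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
            $isNew = $known.Add($hash)            # HashSet.Add returns $false if already present
            if ($isNew -or $KeepDuplicates) {
                $rel  = $_.FullName.Substring($link.Length).TrimStart('\')
                $dest = Join-Path (Join-Path $ExportRoot $name) $rel
                New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
                Copy-Item -LiteralPath $_.FullName -Destination $dest
                [pscustomobject]@{
                    ShadowCopyCreated = $c.InstallDate
                    RelativePath      = $rel
                    MD5               = $hash
                    NewContent        = $isNew
                    LastWriteUtc      = $_.LastWriteTimeUtc
                    SizeBytes         = $_.Length
                }
            }
        }
}

$results | Export-Csv -Path (Join-Path $ExportRoot 'vss_examiner_results.csv') -NoTypeInformation
"Exported $(@($results).Count) item(s) to $ExportRoot"
```

The export folder plus CSV stands in for the LEF that the EnScript writes; when running this outside EnCase, hash the exported tree afterwards so the collection can be verified later. Remove the directory symlinks under `$MountRoot` when finished, since they remain valid only while the shadow copies exist. The recorded size and last-write time are worth keeping for each exported item, given the note below about Windows 10 shadow-copy files that are sometimes returned with incomplete data.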

The following points should be noted:

  • Some files from Windows 10 volume shadow copies may have incomplete data. It's not clear why.
  • Starting with version 8.07, EnCase has native volume shadow copy support.

Additional help is provided in the form of a self-extracting PDF file, which will be written into the same folder as the script the first time the script is executed.


Version: 3.0.2
Tested with: EnCase Forensic 8.07
Developer: Simon Key
Category: Artifact

14358 DOWNLOADS

YOU MAY ALSO LIKE

Artifact

WebCacheV01.dat Internet History Decoder

This EnScript parses Internet history data from WebCacheV01.dat files. This includes the Internet history data generated by the Microsoft Internet Explorer and Edge web-browser programs.
By Simon Key
7445 Downloads
App
Artifact

ShellBags Parser

Parses recent-folder view settings maintained by the Microsoft Windows operating system.
By Simon Key
141 Downloads
App
Artifact

User Assist Registry Value Decoder

Decodes data used by the Microsoft Windows operating system to populate each user's start menu with frequently used applications.
By Simon Key
98 Downloads
App
Artifact

Windows Search Application Data Parser

This script parses data maintained by the Windows search function relating to recently-used applications and documents.
By Simon Key
84 Downloads
App