Volume Shadow Copy Part 1


Introduction to the Volume Shadow Copy project

The Windows Volume Shadow Copy service (VSS) “creates a differential backup periodically to create a restore point for the user” (http://www.forensicswiki.org/wiki/Windows_Shadow_Volumes). The purpose of this project is to determine the on-disk structure behind the Volume Shadow Copy service and then compare how the service behaves on Windows XP, 7, 8 and 8.1. Two caveats shape that comparison. First, VSS still exists on Windows 8 and 8.1 (vssadmin and the Win32_ShadowCopy WMI class still work there); File History, introduced in Windows 8, is a separate feature that copies user files to a second volume, so we will examine both VSS and File History on those versions rather than treating them as one service. Second, on Windows XP the VSS provider only creates non-persistent snapshots for backup tools, and System Restore there keeps restore points in its own format, so persistent shadow copies of the kind Windows 7 exposes as “Previous Versions” are not available for comparison on XP. For this project, we will build a virtual machine for each operating system and generate data on it to analyze. After creating the data, we will restore each machine to an earlier snapshot and test what information survives. We will also locate where the service stores its data on disk (the System Volume Information directory of each volume, which by default is readable only by SYSTEM) and examine those files to see what information can be recovered from them.
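The first step of the method above, locating existing shadow copies and looking inside one, can be scripted. The following PowerShell is an added example written for this write-up, not code from the project; it assumes an elevated prompt on Windows 7 or later, a sample file at the hypothetical path Users\Public\Documents\evidence.txt, and the standard Win32_ShadowCopy WMI class, whose DeviceObject property names the snapshot device that mklink can expose as a directory.

```powershell
# Added example (not from the original project): enumerate persistent shadow copies,
# mount the oldest one as a directory, and compare a file between live volume and snapshot.
# Run from an elevated PowerShell prompt. The sample path below is a placeholder.

$SamplePath = 'Users\Public\Documents\evidence.txt'   # assumption: file created during data generation

function Get-Sha256Hex {
    # SHA-256 of a file as lowercase hex; uses .NET directly so it also works on PowerShell 2.0
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Dispose() }
}

# 1. Enumerate shadow copies. Persistent, client-accessible copies are the ones that
#    back "Previous Versions" and System Restore on Windows 7.
$shadows = Get-WmiObject -Class Win32_ShadowCopy |
    Where-Object { $_.Persistent -and $_.ClientAccessible } |
    Sort-Object InstallDate

foreach ($s in $shadows) {
    $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($s.InstallDate)
    '{0}  {1}  {2}' -f $created, $s.VolumeName, $s.DeviceObject
}

if (-not $shadows) { Write-Warning 'No persistent shadow copies found.'; return }

# 2. Expose the oldest snapshot as a directory. The trailing backslash on the device
#    object is required, and mklink needs cmd.exe on the versions in scope.
$oldest = $shadows | Select-Object -First 1
$link   = Join-Path $env:SystemDrive ('vsc_' + ($oldest.DeviceObject -split '\\')[-1])
cmd /c mklink /d $link ($oldest.DeviceObject + '\') | Out-Null

try {
    # 3. Compare the sample file as it is now with the copy frozen in the snapshot.
    $live = Join-Path $env:SystemDrive $SamplePath
    $snap = Join-Path $link $SamplePath
    foreach ($p in @($live, $snap)) {
        if (Test-Path $p) {
            '{0}  {1}' -f (Get-Sha256Hex $p), $p
        } else {
            'missing  ' + $p     # a file absent from the snapshot was created after it
        }
    }

    # 4. Where the service keeps its data. Listing this normally fails for Administrators
    #    because the default ACL grants access to SYSTEM only; examine it from a
    #    forensic image or a SYSTEM shell instead.
    Get-ChildItem -Force (Join-Path $link 'System Volume Information') -ErrorAction SilentlyContinue
}
finally {
    # rmdir on a directory symbolic link removes only the link, never the snapshot contents.
    cmd /c rmdir $link | Out-Null
}
```

Run the same script after restoring a machine to an earlier image to see which shadow copies the restore discarded; the InstallDate values printed in step 1 give the timeline that the rest of the project compares across Windows versions.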


Research Questions: 

  1. How can this service be used to gather artifacts of a potential evidentiary value?
  2. How has the service changed with the different versions of Windows?
  3. Are shellbags affected by use of this service?

(Question 3 will be answered near the end of a project we will be starting in the near future.)


With this project, we hope to aid the Vermont forensics programs and compile our research on the Volume Shadow Copy and File History services into a report that can serve as a reference.

-Kyle Tellers