Menu
Finely Tuned 001: In the Shadows

By Bobby R. Williams Jr. on 7/22/20 9:00 AM

It knows what you have done. It remembers. It lies lurking in the shadows, waiting to be parsed … It is … your data.

Specifically, it is a snapshot of your data. Machines running Microsoft Windows operating systems can be set to generate a backup copy of volumes or files. These copies can even be created when the source files are in use.  The backups are called Volume Shadow Copies, but you may see them referenced as VSS (Volume Snapshot Service). There are earlier versions of this same basic function. Older versions of Windows could deploy System Restore points and/or Previous Version used to access prior versions of files and folders. These snapshots exist to restore your system to earlier points in time.

Why are shadow copies significant?

From a forensic perspective, shadow copies will contain older versions of system data. Artifacts that hold valuable data may have limited historical content in their default locations. If our investigation requires a look further into the past, VSS may have the answer. An older version of the same artifact could have the information you seek. This function is usually switched on by default. Unfortunately, many organizations turn the function off because of the mistaken belief that it hogs resources. It should be noted that the snapshots are usually quite small. Also, if your hard drive is the full, the Volume Snapshot Service will not run.

What’s my takeaway?

If you are not using Volume Shadow copies, you should start. Generating a shadow copy is seamless, especially when compared to its predecessors. Shadow copies require minimal resources and use almost no overhead. By turning on VSS, you decrease the likelihood of data loss and increase the retention of valuable forensic artifacts. All by using a tool already included in your operating system.


iDiscovery Solutions, Inc. (iDS) is an award-winning, global, and expert services firm that delivers customized, innovative solutions for legal and corporate clients’ complex challenges. iDS’ subject matter experts testify and consult in connection with electronic discovery (eDiscovery), digital forensics, data analytics, and cybersecurity/information governance.