Volume Shadow Copies: The Hidden Evidence Goldmine You Need to Know About
- Mar 23, 2024
- 4 min read
Updated: Feb 23

Updated 22 Feb, 2026 v2
Section 1 — Why Attackers Can't Always Hide Their Tracks
When a sophisticated attacker gets into a system, one of the first things they think about is cleanup. We're talking file wipers, free space wipers, deleting archive files — the whole nine yards. Say they used a privilege escalation tool to move through the network. Before they leave, they'll try to wipe that tool so nobody finds it. Same goes for those .rar archives they used to bundle up stolen data before exfiltrating it — gone.
The problem for them (and the good news for us) is that Windows has been quietly taking snapshots of the system in the background the whole time. Even if an attacker nukes a file, there's a decent chance a copy of it is sitting in a volume shadow snapshot from a few hours or days earlier. That's the whole game here.
To learn more about forensic wipers: link below
Section 2 — What Even Is a Volume Shadow Copy?
Let's back up a second. Volume Shadow Copies (VSCs) are point-in-time snapshots of your file system, managed by the Volume Shadow Copy Service (VSS). This thing has been around since Windows XP — though back then it was called System Restore points and it was a lot more limited.
Starting with Vista and Server 2008, Microsoft upgraded it significantly. Instead of just backing up a handful of key system files, VSS started capturing near-complete snapshots of the entire volume. That's a huge deal for forensics — we're talking recovering deleted executables, DLLs, drivers, registry files, event logs the attacker deleted. Basically rewinding the whole system to a previous state.
The way it works under the hood is called copy-on-write (COW). Whenever something gets written to disk, VSS first saves a backup copy of those data blocks before letting the new data overwrite them. These backed-up blocks are stored in 16 KB chunks inside the System Volume Information folder, tracked by a catalog file named with a specific GUID.
Section 3 — The ScopeSnapshots Problem
Here's where things get a little annoying. Starting with Windows 8, Microsoft introduced a feature called ScopeSnapshots, which is now enabled by default on Windows 8, 8.1, 10, and 11.
When this is turned on, volume snapshots only capture files "relevant for system restore" — which basically brings us back to the limited Windows XP era. Files on the user's desktop, random directories, stuff an attacker might leave behind? Potentially not captured.
The good news:
Windows Server platforms still use the full snapshot functionality — so if you're analyzing a server (which is often the most critical machine in an intrusion), you're in good shape. And on client systems you can disable ScopeSnapshots with a registry tweak shown below.
Also worth knowing — there's a small exclusion list at HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot for files VSS won't capture.
The hibernation file and page file are typically excluded too, though some have found them present in certain cases — so don't write them off completely.
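As an added example (not code from the original post), here is how to check the ScopeSnapshots setting, switch a client to full-volume snapshots, and read the FilesNotToSnapshot exclusion list from an elevated PowerShell. The SystemRestore key and the ScopeSnapshots value name are not given on the page; they are the ones used for this tweak.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on a Windows 8+ client.
$srKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$exclKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot'

# 1. ScopeSnapshots: value absent or 1 = "system restore relevant" files only (client default);
#    0 = full-volume snapshots, the behaviour Windows Server keeps.
$scope = (Get-ItemProperty -Path $srKey -Name ScopeSnapshots -ErrorAction SilentlyContinue).ScopeSnapshots
if ($null -eq $scope) { $scope = 1 }   # a missing value behaves like the scoped default
$mode = if ($scope -eq 0) { 'full-volume snapshots' } else { 'system-restore scope only' }
Write-Host "ScopeSnapshots = $scope ($mode)"

# Switch to full snapshots. Only snapshots created from now on are affected,
# so this is a hardening step for endpoints you want coverage on in advance;
# it does not change what the existing snapshots already contain.
Set-ItemProperty -Path $srKey -Name ScopeSnapshots -Value 0 -Type DWord

# 2. FilesNotToSnapshot: each value is a REG_MULTI_SZ list of paths VSS never captures,
#    which tells you up front which artefacts will not be in any snapshot.
Get-ItemProperty -Path $exclKey |
    Select-Object -Property * -ExcludeProperty PS* |
    ForEach-Object {
        $_.PSObject.Properties | ForEach-Object {
            Write-Host ('{0,-25} {1}' -f $_.Name, ($_.Value -join '; '))
        }
    }
```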
Section 4 — Listing Available Shadow Copies
First thing you want to do on a live Windows machine is see what shadow copies are actually available. Open Command Prompt as Administrator and run the command below — replace C: with whatever drive you're targeting.
The output will show each shadow copy with its volume name, the originating machine, and — most importantly — the creation timestamp. That timestamp is how you figure out which snapshot might contain the evidence you're after.
Section 5 — Accessing Shadow Copies from a Live System
If you're working on a live machine and want to browse a shadow copy, symbolic links are your friend. Here's the process — once you've created the link, navigate to that folder in File Explorer or Command Prompt. It'll look just like a regular directory, but you're actually browsing the snapshot from that point in time. This is a quick way to pull files that have since been deleted or modified on the live system.
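An added PowerShell example (not the post's own commands) that covers Sections 4 and 5 together: it lists the shadow copies for a volume with their creation timestamps, picks the newest one created before an assumed incident time, and exposes it through a directory symbolic link. The incident time and the link path are assumptions; Win32_ShadowCopy returns the same snapshots that vssadmin list shadows prints.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
$TargetVolume = 'C:\'
$IncidentTime = Get-Date '2024-03-20 14:00'   # assumed: when the attacker started cleanup
$LinkPath     = 'C:\vss_evidence'             # assumed mount point for the symbolic link

# Win32_ShadowCopy holds what "vssadmin list shadows /for=C:" prints.
# Its VolumeName is the \\?\Volume{GUID}\ form, so resolve the drive letter first.
$vol = Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter -eq $TargetVolume.TrimEnd('\') }
$copies = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate

# Section 4: the creation timestamp (InstallDate) is what tells you which snapshot to look in.
$copies | Select-Object ID, InstallDate, OriginatingMachine, DeviceObject | Format-Table -AutoSize

# Pick the latest snapshot that predates the cleanup: it holds the files as they were
# before deletion, whereas later snapshots may already reflect the wipe.
$pick = $copies | Where-Object { $_.InstallDate -lt $IncidentTime } | Select-Object -Last 1
if (-not $pick) { throw "No shadow copy of $TargetVolume older than $IncidentTime" }

# Section 5: mklink needs the trailing backslash on the GLOBALROOT device path;
# cmd's mklink is the reliable way to create a link to that path form.
$target = $pick.DeviceObject + '\'
cmd.exe /c mklink /d $LinkPath $target | Out-Null
Write-Host "Snapshot from $($pick.InstallDate) of $TargetVolume is browsable at $LinkPath"

# A file deleted on the live system may still be present under the link.
Get-ChildItem -Path (Join-Path $LinkPath 'Users') -ErrorAction SilentlyContinue | Select-Object -First 5

# When finished, remove the link only (the snapshot stays):  cmd.exe /c rmdir $LinkPath
```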
Section 6 — Analyzing Shadow Copies from a Disk Image
For critical systems — patient zero, the executive's laptop, whatever the main target was — you're going to want a full disk image. That way you have everything and you're not touching the live system any more than necessary. Here's where the real forensic tools come in.
Option 1: Arsenal Image Mounter
Arsenal Image Mounter does something clever — it uses a driver to make the disk image look like a real physical SCSI drive to Windows. Once Windows thinks it's a real disk, it automatically exposes all the volume shadow copies on it.
Note: FTK Imager's mount feature does NOT expose VSCs to the OS, which is why Arsenal is the go-to here.
Option 2: libvshadow
When you need to work without relying on Windows, the libvshadow tools from Joachim Metz are fantastic. The two main tools are vshadowinfo (lists shadow copies) and vshadowmount (exposes them as raw disk images). Here's the full workflow:
Option 3: KAPE
Link below
Section 7 — Timeline Analysis with log2timeline
Here's where things get really powerful. If you're building a forensic timeline, log2timeline.py has built-in support for VSS. When you point it at a disk image, it'll prompt you to include shadow copies and let you pick which ones — none, some, or all.
The big challenge with VSS timeline analysis is duplicate data — the same event log entry might show up across five different snapshots. That's where psort's deduplication feature saves you. It filters out identical entries across snapshots so you're not drowning in noise.
To learn more about using Plaso and log2timeline: link below
Section 8 — What This Means for an Investigation
To put it simply — volume shadow copies can completely change the outcome of a case. Here's a snapshot of what you can realistically recover:
Even when a machine has been thoroughly wiped, shadow copies often survive because attackers either don't know about them, don't have time to clear them, or can't access them without administrative tools that would leave their own traces. Their oversight is your advantage.
Conclusion
Volume Shadow Copies are one of those features that exist quietly in the background, doing their job whether anyone pays attention or not. For forensic analysts, that's a gift. They give us a time machine — imperfect, yes, especially on modern Windows client systems with ScopeSnapshots enabled — but powerful enough to recover evidence that attackers thought was gone forever.
Dean