Course Curriculum

01 INTRODUCTION
- Volume Shadow Copies
- Introduction
- How VSS Works
- Forensic Importance

02 MANAGING VOLUME SHADOW COPIES
- Managing Volume Shadow Copies
- Volume Shadow Copy Registry Management
- VssAdmin
- Knowledge Check

03 ACCESSING LIVE VOLUME SHADOW COPIES
- Accessing Live Volume Shadow Copies
- Shadow Explorer
- Extracting Files From A Volume Shadow Copy
- Extracting Files From A Volume Shadow Copy - Exercise
- Investigating VSC Registries

04 ACCESSING FORENSIC IMAGE VOLUME SHADOW COPIES
- Accessing Forensic Image Volume Shadow Copies
- Arsenal Image Mounter
- VSCMount
- VSC Binary Format
- Catalog
- Store
- Knowledge Check

05 CONCLUSION & REFERENCES
- Conclusion
- References

After completing this course, you will earn: 6 CPE Credits

Learning Outcomes
After completing this course, you will learn the following:
- Understand how Volume Shadow Copies can be used in forensic investigations
- Gain experience in using several open-source tools used for investigating Volume Shadow Copies
- Understand the binary format of files used by the Volume Shadow Copy Service
- Develop skills in manually parsing Volume Shadow Copy binaries

Technical Requirements
For the hands-on labs in this course:
- Windows machine (recommended Windows 10)
- Internet connection
- Knowledge and basic use of the FTK Imager tool
- Installation of ShadowExplorer
- Installation of Arsenal Image Mounter
- Installation of VSCMount
- Optional: Knowledge of File System Forensics and use of a hex editor