Course Curriculum

    1. Volume Shadow Copies

    2. Introduction

    3. How VSS Works

    4. Forensic Importance

    1. Managing Volume Shadow Copies

    2. Volume Shadow Copy Registry Management

    3. VssAdmin

    4. Knowledge Check

    1. Accessing Live Volume Shadow Copies

    2. Shadow Explorer

    3. Extracting Files From A Volume Shadow Copy

    4. Extracting Files From A Volume Shadow Copy - Exercise

    5. Investigating VSC Registries

    1. Accessing Forensic Image Volume Shadow Copies

    2. Arsenal Image Mounter

    3. VSCMount

    4. VSC Binary Format

    5. Catalog

    6. Store

    7. Knowledge Check

    1. Conclusion

    2. References

About this course

  • $50.00
  • 22 lessons
  • 0 hours of video content

6 CPE Credits

After completing this course, you will earn:

Learning Outcomes

After completing this course, you will learn the following.

  • Understand how Volume Shadow Copies can be used in forensics investigations

  • Gain experience in using several open-source tools used for investigating Volume Shadow Copies

  • Understand the binary format of files used by the Volume Shadow Copy Service

  • Develop skills in manually parsing Volume Shadow Copy binaries

Technical Requirements

For the hands-on labs in this course

  • Windows machine (recommended Windows 10)

  • Internet connection

  • Knowledge and basic use of the FTK Imager tool

  • Installation of ShadowExplorer

  • Installation of Arsenal Image Mounter

  • Installation of VSCMount

  • Optional: Knowledge of File System Forensics and use of a hex editor

What is next at Cyber 5W?

Add your email to the mailing list to get the latest updates

Thank You