Difference between pages "Template talk:Neutral" and "Windows Shadow Volumes"

Revision as of 14:16, 27 August 2012

Volume Shadow Copy Service

Windows has included the Volume Shadow Copy Service in it's releases since Windows XP. The Shadow Copy Service creates differential backups periodically to create restore points for the user. Windows 7 Professional and Ultimate editions include tools to work with and manage the Volume Shadow Copy Service, including the ability to mount shadow volumes on disk images.

Also see

Mount shadow volumes on disk images

External Links

VISTA and Windows 7 Shadow Volume Forensics, by Rob Lee, October 2008
Into The Shadows and Presentation, by Lee Whitfield, April 2010
Accessing Volume Shadow Copies, by Harlan Carvey, January 2011
Volume Shadow Snapshot format, by the libvshadow projects, March 2011
Volume Shadow Copy with ProDiscover, May 2011
Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows, by Rob Lee, September 2011
Examining Volume Shadow Copies – The Easy Way!, by Simon Key, June 2012
Getting Ready for a Shadow Volume Exam, by Jimmy Weg, June 2012
Mounting Shadow Volumes, by Jimmy Weg, July 2012
Examining the Shadow Volumes with X-Ways Forensics, by Jimmy Weg, July 2012
“Weg, I’m afraid that I don’t have VMware. How do I Examime Shadow Volumes?”, by Jimmy Weg, August 2012

Tools

EnCase with VSS Examiner Enscript (available from the downloads section of the GSI Support Portal)
libvshadow
ProDiscover
ShadowExplorer
VSC Toolset

@@ Line 1: / Line 1: @@
-Comparison review of Data copy king and Ninja
+==Volume Shadow Copy Service==
+Windows has included the Volume Shadow Copy Service in it's releases since Windows XP.  The Shadow Copy Service creates differential backups periodically to create restore points for the user.  Windows 7 Professional and Ultimate editions include tools to work with and manage the Volume Shadow Copy Service, including the ability to [[mount shadow volumes on disk images]].
-The comparison table will help the potential customer to compare and make a choice with one single sight between Data copy king and Ninja duplicator.
+== Also see ==
+* [[Mount shadow volumes on disk images]]
-Data copy king	Ninja
+== External Links ==
-	Review results
+* [http://computer-forensics.sans.org/blog/2008/10/10/shadow-forensics/ VISTA and Windows 7 Shadow Volume Forensics], by [[Rob Lee]], October 2008
-General
+* [http://forensic4cast.com/2010/04/19/into-the-shadows/ Into The Shadows] and [http://www.forensic4cast.com/2010/04/presentation-into-the-shadows/ Presentation], by [[Lee Whitfield]], April 2010
-Picture
+* [http://windowsir.blogspot.ch/2011/01/accessing-volume-shadow-copies.html Accessing Volume Shadow Copies], by [[Harlan Carvey]], January 2011
-Time to market	2010	N/A
+* [http://code.google.com/p/libvshadow/downloads/detail?name=Volume%20Shadow%20Snapshot%20%28VSS%29%20format.pdf Volume Shadow Snapshot format], by the [[libvshadow|libvshadow projects]], March 2011
-Price 	1,998USD	1,590 USD
+* [http://toorcon.techpathways.com/uploads/VolumeShadowCopyWithProDiscover-0511.pdf Volume Shadow Copy with ProDiscover], May 2011
-Drive connectivity  	One to one 	One to one
+* [http://computer-forensics.sans.org/blog/2011/09/16/shadow-timelines-and-other-shadowvolumecopy-digital-forensics-techniques-with-the-sleuthkit-on-windows/ Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows], by [[Rob Lee]], September 2011
-Potable design  	Stand-alone/potable 	Option
+* [http://encase-forensic-blog.guidancesoftware.com/2012/06/examining-volume-shadow-copies-easy-way.html Examining Volume Shadow Copies – The Easy Way!], by [[Simon Key]], June 2012
-Drive capacity supported 	TB-level hard drives( up to 131072TB)	Mostly target to small capacity hard drives
+* [http://justaskweg.com/?p=351 Getting Ready for a Shadow Volume Exam], by [[Jimmy Weg]], June 2012
-Drive supported	IDE/SATA
+* [http://justaskweg.com/?p=466 Mounting Shadow Volumes], by [[Jimmy Weg]], July 2012
-RAID/external hard drive / SSD / flash storage media (USB, SD, CF, memory stick etc) with optional adaptor	IDE/SATA
+* [http://justaskweg.com/?p=518 Examining the Shadow Volumes with X-Ways Forensics], by [[Jimmy Weg]], July 2012
+* [http://justaskweg.com/?p=710 “Weg, I’m afraid that I don’t have VMware. How do I Examime Shadow Volumes?”], by [[Jimmy Weg]], August 2012
-Duplication functions
+== Tools ==
-Coping rate	6.0GB/min	4GB/min
+* [[EnCase]] with VSS Examiner Enscript (available from the downloads section of the GSI Support Portal)
-Test, wipe repair functions
+* [[libvshadow]]
-Erasing transfer rate 	6.6GB/min	2-5 GB/min
+* [[ProDiscover]]
-Data wiping	Yes ⑧
+* [http://www.shadowexplorer.com/ ShadowExplorer]
-Optional(charge $700 to forensic version with hdd test)
+* [http://dfstream.blogspot.ch/p/vsc-toolset.html VSC Toolset]
-HDD test	Yes	Optional (charge $400 to ninja kaze together with data wiping)
-Test without altering HDD data	Yes 	No
-Control the imaging process ⑤
-Yes
-	Yes
-Data recovery functions
+[[Category:Volume Systems]]
-Bad sector repair ①
-Yes	No
-Clicking noises handling ②
-Yes
-	No
-Physical read-only	Yes 	Yes
-Forensic functions
-Access to HPA and doc hidden area	Yes 	Yes
-Smart drive reset/reboot  ④
-Yes
-	N/A⑨
-Backdoor design ⑩
-No 	N/A
-verification	CRC32 /SHA-256	CRC
-Data erasing standard	Yes with DoD--5220.22-M/PRC-- BMB21-2007⑥
-No
-DD image	Available in upgrade 	No
-MD5 hash calculation	Available in upgrade	No
-Log auto generation 	Yes 	Yes
-Log export and print	Yes 	No
-Others
-Touch Screen User Interface	Yes 	Yes
-User authority⑦
-three-level password	No
-Language 	English (Customized to other languages)	Only English
-Upgradable 	free lifelong software upgrade 	No
-Technique support 	Free lifelong support	Limited free support
-Warranty 	One year with 3 year optional 	N/A
-NOTE: Words in green refers to the distinguishing features of DCK
-① Traditional disk imaging tools and methods are designed to deal with intact hard drives, not the unstable ones with bad sectors that are your stock-in-trade. Bad sector handling is capable of the patient Drives with stop responding, disks degrade or fail under intensive reading, valuable files remain locked in bad sectors.
-② Hard drive suffered clicking noises, only if the patient drive is still recognized in the bios, Data copy king is able to clone 300% more data than other data image tools from the patient drive
-③ Data loss due to accidental deletion, accidental format, file corruption, software bugs, file system corruption, viruses, etc
-④ Automatically resets/reboots drives that become unresponsive to continue imaging process
-⑤ Stop or continue the imaging process as you need
-⑥ DOD—Department of Defense
-PRC--the People's Republic of China
-⑦ Three-level user password setting to secure the confidential data
-⑧ YES – available
-⑨ N/A—NOT Available
-⑩ A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device.
-Info provided in the review comes from following two websites:
-SalvationDATA Technology           http://www.salvationdata.com/data-recovery-equipment/data-copy-king.htm
-Ninja
-http://www.hdd.ji2.com/products/ninja.html

Difference between pages "Template talk:Neutral" and "Windows Shadow Volumes"

Revision as of 14:16, 27 August 2012

Contents

Volume Shadow Copy Service

Also see

External Links

Tools

Personal tools

Namespaces

Variants

Views

Actions

Search

Navigation:

About forensicswiki.org:

Toolbox