Abstract:
In today's digital world, everything is shifting to smart technology, and people
have started relying on it. The size of storage media is also increasing day by
day. As everything has shifted to the digital world, crime has shifted to digital
crime as well. In digital crime, finding digital evidence on the storage media is
becoming complex and time-consuming.
It is better and more interesting for the investigator to start carving for evidence
in the most crucial areas, such as the Windows Volume Shadow Service.
Volume Shadow Copy is considered a gold mine for the forensic investigator because it
generates differential backups. Previous versions of files, the Recycle Bin, and the
state of the $LogFile are saved in the Volume Shadow Copy, which holds clumps of
crucial data for investigators.
Volume Shadow Copy lets the investigator understand the state of the system on a
particular date. Whatever is deleted from the system, even if it is deleted permanently
with a wipe utility, may still be present in the VSC (Volume Shadow Copy). Because it
is not accessible to the user in a normal environment and is read-only in nature, the
evidence is preserved to a great extent. A series of VSCs gives an idea of the routine
and activities performed by the accused in sequential order. An experiment with two
case scenarios, Case Scenario 1 (stolen financial information) and Case Scenario 2
(modified health information of a patient), has been conducted to demonstrate the
importance of the Volume Shadow Copy. A methodology is proposed to extract data from
the Volume Shadow Copy of Windows 10 and to find evidence in the Volume Shadow Copy
store, which gives access to previous versions not only of user files but also of
system files.