NUST Institutional Repository

Forensic Analysis of Volume Shadow Service ($RecycleBin) of Win10


dc.contributor.author Manzoor, Nosheen
dc.contributor.author Supervised by Mian Muhammad Waseem Iqbal.
dc.date.accessioned 2020-10-27T06:26:21Z
dc.date.available 2020-10-27T06:26:21Z
dc.date.issued 2019-06
dc.identifier.other TIS-271
dc.identifier.other MSIS-14
dc.identifier.uri http://10.250.8.41:8080/xmlui/handle/123456789/5700
dc.description.abstract In today's digital world everything is shifting to smart technology, and people have started relying on this digital world. The size of storage media is also increasing day by day. As everything has shifted to the digital world, crime has also shifted to digital crime. In digital crime, finding digital evidence on storage media is becoming complex and time-consuming. It is better and more interesting for the investigator to start carving for evidence in the most crucial areas, such as the Windows Volume Shadow Service. Volume Shadow Copy is considered a gold mine for the forensic investigator because it generates differential backups. Previous versions of files, the Recycle Bin and the state of the $logfile are saved in Volume Shadow Copy, which holds clumps of crucial data for investigators. Volume Shadow Copy lets the investigator understand the state of the system on a particular date. Whatever is deleted from the system, even if it is deleted permanently with a wipe utility, may still be present in the VSC (Volume Shadow Copy). Being inaccessible to the user in a normal environment and "read only" in nature preserves the evidence to a great extent. VSCs in series give an idea of the routine and activities performed by the accused in sequential order. An experiment with two case scenarios (Case Scenario 1, stolen financial information, and Case Scenario 2, modified health information of a patient) has been conducted to prove the importance of the Volume Shadow Copy. A methodology has been proposed to extract data from the Volume Shadow Copy of Windows 10 to find evidence in the Volume Shadow Copy's store, which gives access to previous versions of not only user files but also system files. en_US
dc.language.iso en en_US
dc.publisher MCS en_US
dc.title Forensic Analysis of Volume Shadow Service ($RecycleBin) of Win10 en_US
dc.type Thesis en_US

