VSS Examiner

VSS Examiner

363968

OpenText OpenText Community

App Support Tiers

OpenText SUPPORTED

Support via OpenText Software Support, with a ticket filed against the associated product.

PARTNER

OpenText offers a content partnership program for select partners. Support for Partner Content offerings is provided by the partner and not by OpenText of the OpenText community.

OpenText COMMUNITY

OpenText Community Content is provided by OpenText for the benefit of customers, support for it is not available via OpenText Software Support but through specific community content forums.

COMMUNITY

Community Contributed Content is provided by OpenText customers and supported by them.

EARLY ACCESS

Show less ...Show more

The downloads referenced under the "Cybersecurity Early Access" category are made available to subscribers to mitigate time-critical issues but have not undergone formal quality and performance testing associated with official OpenText/Cybersecurity product releases. OpenText has a multi-stage Quality Assurance process. During Stage 1 we conduct a resource analysis, field mapping, ensure content level 1 functionality and analysis in our sandbox environment. Stage 2 is a complete validation including production validation. This package has cleared Stage 1 validation and therefore should be deployed with the appropriate pre-production validation. OpenText strongly recommends that any downloaded content is first checked and tested thoroughly in a non-production environment before committing to production. We welcome feedback and, should any content be shown to be faulty, detrimental or carry an incorrect claim of authorship, we shall endeavor to remove or correct such content as promptly as reasonably possible once notified and validated.

OpenText | OpenText Community

Quickly and easily identify and preserve data of interest in Microsoft Windows volume shadow copies.

14,591 downloads

Product compatibility

EnCase App Central

Description

This is a Volume Shadow-Copy Service (VSS) examination EnScript designed for EnCase.

The examiner uses the script by first mounting a target disk/volume using the EnCase Physical Disk Emulator (PDE) noting the volume(s) that have been mounted and then running the script.

The script will enumerate the volume shadow copies on the system and then present a dialog allowing the examiner to choose the volume shadow copies that he/she wishes to process.

The script will then mount the chosen shadow copies into sub-folders of a nominated root mount-point folder and then search for items in the current case that match filter criteria specified by the examiner. These criteria can be based on name, path file-extension and size.

The script will add the MD-5 hash of each item to a list of unique hashes and then iterate through all of the mounted volume shadow copies looking for files that match the same criteria.

If a file is found that matches the criteria but doesn't have a hash matching one of those in the list then it will be added to a logical evidence file (LEF). The user can choose whether to add additional copies of the same file or else exclude them.

The script uses WMI to enumerate the volume shadow copies on the system. This is more efficient and avoids problems interpreting the output of VSSADMIN on non-English systems.

Use of WMI also allows the script to present a list showing each volume shadow copy and the date it was created before the script starts processing. This last function allows the examiner to choose the volume shadow copies he/she wishes to process without having to process them all.

The following points should be noted:

Some files from Windows 10 volume shadow copies may have incomplete data. It's not clear why.
Starting with version 8.07, EnCase has native volume shadow copy support.

Additional help is provided in the form of a self-extracting PDF file, which will be written into the same folder as the script the first time the script is executed.

This script was developed for use in EnCase training. For more details, please click the following link: