Scoped shadow copies

February 29, 2020February 29, 2020 ~ msuhanov ~ 3 Comments

Have you ever heard of scoped shadow copies? They have been around since the release of Windows 8, but not much information is available on this topic.

A shadow copy becomes scoped when data blocks not required by the system restore process are excluded from copy-on-write operations. When you create a restore point, a scoped shadow copy is created by default for a system volume (in Windows 8, 8.1 & 10).

Continue reading “Scoped shadow copies” →

Carving file control blocks from memory dumps

February 9, 2020February 10, 2020 ~ msuhanov ~ 1 Comment

There are forensic tools capable of carving file records and index entries ($I30) from memory dumps, but there is much more NTFS-related metadata which isn’t exposed by usual memory forensics frameworks. For example, file control blocks.

Continue reading “Carving file control blocks from memory dumps” →