Data In the Shadows...

Your data knows. Your data remembers. It's always there to be a gentle reminder. iDiscovery Solutions forensics managing consultant, Bobby Williams, offers insight on data snapshots and operating systems, the significance from a forensics perspective and what we can take away from all of this.

It knows what you have done. It remembers. It lies lurking in the shadows, waiting to be parsed. It is … your data.

Specifically, it is a snapshot of your data. Machines running Microsoft Windows operating systems can be set to generate a backup copy of volumes or files. These copies can even be created while the source files are in use. The backups are called Volume Shadow Copies, but you may see them referenced as VSS (Volume Snapshot Service). There are earlier versions of this same basic function: older versions of Windows could create System Restore points, and the Previous Versions feature was used to access prior versions of files and folders. These snapshots exist to restore your system to earlier points in time.

Why is this significant?

From a forensic perspective, shadow copies will contain older versions of system data. Artifacts that hold valuable data may have limited historical content in their default locations. If our investigation requires a look further into the past, VSS may have the answer. An older version of the same artifact could have the information you seek. This function is usually switched on by default. Unfortunately, many organizations turn the function off because of the mistaken belief that it hogs resources. It should be noted that the snapshots are usually quite small. Also, if your hard drive is full, the Volume Snapshot Service will not run.

What’s the takeaway?

If you are not using Volume Shadow Copies, you should start. Generating a shadow copy is seamless, especially when compared to its predecessors. Shadow copies require minimal resources and add almost no overhead. By turning on VSS, you decrease the likelihood of data loss and increase the retention of valuable forensic artifacts, all with a tool already included in your operating system.
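As an added example (not part of the original article), here is a PowerShell session an administrator or examiner can use to check the points above on a Windows host: whether the VSS service is present, how full the volume is, which snapshots already exist and when they were taken, how to create one, and how to expose an older snapshot read-only so an artifact can be compared against its current version. It assumes an elevated session; the volume letter and the mount path are placeholders to adjust.

```powershell
# Assumed: elevated PowerShell on Windows. $Volume and $Mount are placeholders.
$Volume = 'C:\'
$Mount  = 'C:\vss_oldest'

# 1. The Volume Shadow Copy service is demand-started, so 'Stopped' is normal;
#    what matters is that it exists and is not Disabled.
Get-Service -Name VSS | Select-Object Name, Status, StartType

# 2. Free space: a full volume means no new snapshot will be taken.
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($Volume.TrimEnd('\'))'"
'{0:N1} GB free of {1:N1} GB' -f ($disk.FreeSpace / 1GB), ($disk.Size / 1GB)

# 3. Space reserved for snapshots (used / allocated / maximum), per volume.
vssadmin list shadowstorage

# 4. Existing snapshots, oldest first. InstallDate is the creation time, which
#    tells you how far back an older copy of an artifact can reach.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
$shadows | Select-Object ID, InstallDate, VolumeName, DeviceObject, ClientAccessible

# 5. Create a new snapshot of the volume (the WMI Create method; ShadowID is
#    returned on success, ReturnValue 0).
$r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
        -Arguments @{ Volume = $Volume; Context = 'ClientAccessible' }
if ($r.ReturnValue -eq 0) { "Created shadow copy $($r.ShadowID)" }
else { "Create failed with return value $($r.ReturnValue)" }

# 6. Expose the oldest snapshot as a directory symbolic link so its contents can
#    be read without altering the snapshot; the trailing backslash is required.
$oldest = $shadows | Select-Object -First 1
if ($oldest) {
    cmd /c mklink /d $Mount "$($oldest.DeviceObject)\" | Out-Null
    # Example comparison: count of Prefetch files then versus now.
    $then = (Get-ChildItem "$Mount\Windows\Prefetch" -ErrorAction SilentlyContinue).Count
    $now  = (Get-ChildItem "$Volume\Windows\Prefetch" -ErrorAction SilentlyContinue).Count
    "Prefetch entries in snapshot from $($oldest.InstallDate): $then; live: $now"
    cmd /c rmdir $Mount | Out-Null   # removes only the link, never the snapshot
}
```

Step 6 reads the snapshot in place; copying artifacts out of the linked directory with a forensic tool is the normal follow-up when they need to be preserved.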