Shadow Copy as CSV
Overview
Evidence: Shadow Copy as CSV
Description: Dump Latest Shadow Copy Files Information in CSV Format
Category: DiskFilesystem
Platform: windows
Short Name: shdwcopy
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Volume Shadow Copy Service (VSS) creates point-in-time snapshots of volumes. These snapshots preserve the state of files at the time the snapshot was created, allowing access to previous versions of files even if they have since been modified or deleted.
Shadow copies can contain previous versions of files before ransomware encryption, deleted files, and historical system state. They provide a way to recover data and analyze system state from a specific point in time.
Data Collected
This collector gathers structured metadata about the files in the latest shadow copy and exports it as CSV.
Shadow Copy as CSV Data
| Field | Description | Example |
|---|---|---|
| Modified | File modification timestamp | 2023-10-15T14:30:00Z |
| Accessed | File access timestamp | 2023-10-15T15:45:00Z |
| Created | File creation timestamp | 2023-10-01T10:00:00Z |
| IsDirectory | Whether the entry is a directory | + or empty |
| FileSize | File size in bytes | 1048576 |
| Attributes | File attributes (R=ReadOnly, H=Hidden, S=System, C=Compressed, E=Encrypted) | RHS |
| FilePath | Full path within the shadow copy | \\?\HarddiskVolumeShadowCopy1\Users\user\Documents\file.txt |
Collection Method
This collector:
- Identifies the most recent shadow copy using GetLatestSnapshotDeviceName
- Enumerates all files recursively in the shadow copy
- Captures file metadata (timestamps, size, attributes)
- Exports to CSV format for analysis
Shadow copies are accessed via special device paths like \\?\HarddiskVolumeShadowCopy{N}\.
Forensic Value
Shadow copies are invaluable for recovering evidence and analyzing historical system state. Investigators use this data to recover pre-encryption versions of files after ransomware, access deleted files preserved in snapshots, analyze previous system configurations, compare the current state with historical snapshots, recover overwritten evidence, and establish which files existed at snapshot time.
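As an added example (not part of the collector or this page), the following Python parses the CSV fields listed above, maps each snapshot path back to the live volume, and reports files that are missing or changed since the snapshot, which is the comparison investigators perform for deleted or encrypted files. The sample rows and the live listing are constructed; the C: drive letter and the `HarddiskVolumeShadowCopy1` device name are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample of the collector's CSV output (not captured from a real host).
SHADOW_CSV = r"""Modified,Accessed,Created,IsDirectory,FileSize,Attributes,FilePath
2023-10-15T14:30:00Z,2023-10-15T15:45:00Z,2023-10-01T10:00:00Z,+,0,,\\?\HarddiskVolumeShadowCopy1\Users\user\Documents
2023-10-15T14:30:00Z,2023-10-15T15:45:00Z,2023-10-01T10:00:00Z,,1048576,,\\?\HarddiskVolumeShadowCopy1\Users\user\Documents\report.docx
2023-10-14T09:00:00Z,2023-10-14T09:05:00Z,2023-09-20T11:00:00Z,,20480,,\\?\HarddiskVolumeShadowCopy1\Users\user\Documents\budget.xlsx
2023-10-10T08:00:00Z,2023-10-12T16:20:00Z,2023-10-10T08:00:00Z,,512,RH,\\?\HarddiskVolumeShadowCopy1\Users\user\Desktop\notes.txt
"""
# Assumption: the snapshot is of the C: volume; the CSV names only the snapshot device, not the drive letter.
SHADOW_DEVICE = r"\\?\HarddiskVolumeShadowCopy1"
LIVE_VOLUME = "C:"
# Constructed listing of the live volume: {path: (size_bytes, modified_utc)}.
LIVE_FILES = {
    r"C:\Users\user\Documents\report.docx": (1048576, datetime(2023, 10, 15, 14, 30, tzinfo=timezone.utc)),
    r"C:\Users\user\Desktop\notes.txt": (520, datetime(2023, 10, 16, 12, 0, tzinfo=timezone.utc)),
}

def parse_shadow_csv(text):
    """Parse the collector's CSV into {FilePath: metadata}, skipping directory rows ('+')."""
    files = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["IsDirectory"] == "+":
            continue
        files[row["FilePath"]] = {
            "size": int(row["FileSize"]),
            "modified": datetime.strptime(row["Modified"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "attributes": row["Attributes"],
        }
    return files

def to_live_path(shadow_path):
    """Map a path under the snapshot device to the same path on the live volume."""
    if not shadow_path.startswith(SHADOW_DEVICE + "\\"):
        raise ValueError("path is not under the expected shadow device: " + shadow_path)
    return LIVE_VOLUME + shadow_path[len(SHADOW_DEVICE):]

def compare_with_live(shadow_files, live_files):
    """Return (deleted, changed): snapshot files now missing, or differing in size or modified later."""
    deleted, changed = [], []
    for shadow_path, meta in shadow_files.items():
        live_path = to_live_path(shadow_path)
        if live_path not in live_files:
            deleted.append(live_path)
        elif live_files[live_path][0] != meta["size"] or live_files[live_path][1] > meta["modified"]:
            changed.append(live_path)
    return sorted(deleted), sorted(changed)
```

A file reported as deleted can then be retrieved from the snapshot path recorded in the CSV, and a changed file's snapshot version compared against the live one.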