Shadow Copy as CSV

Overview

Evidence: Shadow Copy as CSV
Description: Dump Latest Shadow Copy Files Information in CSV Format
Category: System
Platform: Windows
Short Name: shdwcopy
Is Parsed: Yes - File listing exported to CSV
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Volume Shadow Copy Service (VSS) creates point-in-time snapshots of volumes. These snapshots preserve the state of files at the time the snapshot was created, allowing access to previous versions of files even if they have been modified or deleted.

Shadow copies can contain previous versions of files before ransomware encryption, deleted files, and historical system state. They provide a way to recover data and analyze system state from a specific point in time.

Data Collected

| Field | Description | Example |
|---|---|---|
| Modified | File modification timestamp | 2023-10-15T14:30:00Z |
| Accessed | File access timestamp | 2023-10-15T15:45:00Z |
| Created | File creation timestamp | 2023-10-01T10:00:00Z |
| IsDirectory | Whether the entry is a directory | + or empty |
| FileSize | File size in bytes | 1048576 |
| Attributes | File attributes (R=ReadOnly, H=Hidden, S=System, C=Compressed, E=Encrypted) | RHS |
| FilePath | Full path within the shadow copy | \\?\HarddiskVolumeShadowCopy1\Users\user\Documents\file.txt |

Collection Method

This collector:

  • Identifies the most recent shadow copy using GetLatestSnapshotDeviceName

  • Enumerates all files recursively in the shadow copy

  • Captures file metadata (timestamps, size, attributes)

  • Exports to CSV format for analysis

Shadow copies are accessed via special device paths like \\?\HarddiskVolumeShadowCopy{N}\.
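The steps above, worked through as an added PowerShell example (this is not the collector's own code). It locates the newest snapshot through the Win32_ShadowCopy WMI class, whose DeviceObject property carries the device path in the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN form (the page's example path omits the GLOBALROOT\Device part), exposes it through a temporary directory symbolic link so the FileSystem provider can walk it, and writes a CSV with the same columns as the Data Collected table. The link path C:\shdwcopy_link and the output file name are assumptions chosen for this example; the script must run elevated.

```powershell
#Requires -RunAsAdministrator
# Added example: list the latest VSS snapshot to CSV in the shdwcopy column layout.
$OutFile  = "$env:TEMP\shadowcopy_files.csv"   # assumed output location
$LinkPath = 'C:\shdwcopy_link'                 # assumed temporary link path

# Step 1: find the most recent snapshot (the collector's GetLatestSnapshotDeviceName step).
$snapshots = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop
if (-not $snapshots) {
    # No snapshots is a finding in itself: VSS may be disabled or the copies deleted.
    Write-Warning 'No shadow copies present on this host.'
    return
}
$latest = $snapshots | Sort-Object InstallDate -Descending | Select-Object -First 1
$device = $latest.DeviceObject   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Write-Host "Latest snapshot $($latest.ID) created $($latest.InstallDate) for $($latest.VolumeName)"

# Step 2: link the snapshot into the namespace. The trailing backslash on the target
# is required for mklink to resolve the device path.
if (Test-Path -LiteralPath $LinkPath) { cmd.exe /c rmdir "$LinkPath" | Out-Null }
cmd.exe /c mklink /d "$LinkPath" "$device\" | Out-Null
if (-not (Test-Path -LiteralPath $LinkPath)) { throw "Could not link snapshot at $LinkPath" }

# Letters used by the Attributes column.
$attrMap = [ordered]@{ ReadOnly = 'R'; Hidden = 'H'; System = 'S'; Compressed = 'C'; Encrypted = 'E' }

function Convert-Attributes([System.IO.FileAttributes]$attrs) {
    # Build e.g. "RHS" from the flag set; empty string when none of the tracked flags apply.
    $letters = foreach ($name in $attrMap.Keys) {
        if ($attrs.HasFlag([System.IO.FileAttributes]::$name)) { $attrMap[$name] }
    }
    return -join $letters
}

try {
    # Step 3: walk the snapshot. -Force includes hidden/system entries; unreadable
    # paths are skipped instead of aborting the whole listing.
    Get-ChildItem -LiteralPath $LinkPath -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $isDir = $_.PSIsContainer
            [pscustomobject]@{
                Modified    = $_.LastWriteTimeUtc.ToString('yyyy-MM-ddTHH:mm:ssZ')
                Accessed    = $_.LastAccessTimeUtc.ToString('yyyy-MM-ddTHH:mm:ssZ')
                Created     = $_.CreationTimeUtc.ToString('yyyy-MM-ddTHH:mm:ssZ')
                IsDirectory = $(if ($isDir) { '+' } else { '' })
                FileSize    = $(if ($isDir) { '' } else { $_.Length })
                Attributes  = Convert-Attributes $_.Attributes
                # Step 4: report the path inside the snapshot, not the temporary link.
                FilePath    = $device + $_.FullName.Substring($LinkPath.Length)
            }
        } |
        Export-Csv -LiteralPath $OutFile -NoTypeInformation -Encoding UTF8
    Write-Host "Listing written to $OutFile"
}
finally {
    # Step 5: always drop the link. rmdir removes the link only, never snapshot contents.
    cmd.exe /c rmdir "$LinkPath" | Out-Null
}
```

Save the block as a .ps1 file and run it from an elevated session. Reading through a symbolic link rather than opening the \\?\GLOBALROOT path directly keeps the enumeration on standard cmdlets that behave the same on Windows PowerShell 5.1 and PowerShell 7; the finally block guarantees the link is cleaned up even if the walk throws.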

Usage

Shadow copies are invaluable for recovering evidence and analyzing historical system state. Investigators use this data to:

  • Recover files from before ransomware encryption

  • Access deleted files preserved in snapshots

  • Analyze previous system configurations

  • Compare current state with historical snapshots

  • Recover overwritten evidence

  • Establish what files existed at snapshot time
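The "compare current state with historical snapshots" use, as an added PowerShell example that is not part of the original page: each file row from a shdwcopy-style CSV is mapped back onto the live volume and classified as missing, modified since the snapshot, size-changed, or unchanged. It assumes the snapshot was taken from the volume named in $VolumeRoot (C: here) and accepts FilePath values in either the \\?\HarddiskVolumeShadowCopyN or the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN spelling. The CSV path is an assumption, and the two sample rows are constructed for illustration and used only when no CSV file is found.

```powershell
# Added example: classify snapshot file entries against the live volume.
$CsvPath    = "$env:TEMP\shadowcopy_files.csv"   # assumed collector output
$VolumeRoot = 'C:'                                # assumed source volume of the snapshot

# Device prefix to strip; the GLOBALROOT\Device part is optional.
$devicePrefix = '^\\\\\?\\(GLOBALROOT\\Device\\)?HarddiskVolumeShadowCopy\d+'

# Constructed sample rows in the collector's column layout (fallback when no CSV exists).
$sampleCsv = @'
"Modified","Accessed","Created","IsDirectory","FileSize","Attributes","FilePath"
"2023-10-15T14:30:00Z","2023-10-15T15:45:00Z","2023-10-01T10:00:00Z","","1048576","","\\?\HarddiskVolumeShadowCopy1\Users\user\Documents\file.txt"
"2023-10-15T14:30:00Z","2023-10-15T15:45:00Z","2023-10-01T10:00:00Z","+","","","\\?\HarddiskVolumeShadowCopy1\Users\user\Documents"
'@

function Get-SnapshotState {
    param([pscustomobject]$Row)
    # Translate the snapshot path to the live path and parse the snapshot timestamp as UTC.
    $relative = $Row.FilePath -replace $devicePrefix, ''
    $livePath = $VolumeRoot + $relative
    $snapMod  = [datetime]::Parse($Row.Modified, [cultureinfo]::InvariantCulture,
                                  [System.Globalization.DateTimeStyles]::AdjustToUniversal)

    $state = if (-not (Test-Path -LiteralPath $livePath)) {
        'MissingFromLiveVolume'   # deleted or renamed, e.g. a new extension appended
    } else {
        $live = Get-Item -LiteralPath $livePath -Force
        if ($live.LastWriteTimeUtc -gt $snapMod) { 'ModifiedSinceSnapshot' }
        elseif ([int64]$Row.FileSize -ne $live.Length) { 'SizeDiffersFromSnapshot' }
        else { 'Unchanged' }
    }

    [pscustomobject]@{
        SnapshotPath     = $Row.FilePath
        LivePath         = $livePath
        SnapshotModified = $snapMod.ToString('u')
        State            = $state
    }
}

$rows = if (Test-Path -LiteralPath $CsvPath) { Import-Csv -LiteralPath $CsvPath } else { $sampleCsv | ConvertFrom-Csv }

# Directory rows carry no content to compare; classify file rows only.
$rows | Where-Object { $_.IsDirectory -ne '+' } |
    ForEach-Object { Get-SnapshotState -Row $_ } |
    Sort-Object State |
    Format-Table -AutoSize
```

Run it against the real collector output by pointing $CsvPath at the exported file. Entries reported as MissingFromLiveVolume or ModifiedSinceSnapshot are the candidates for recovery from the snapshot; an unexpectedly large number of either in user data directories is consistent with the ransomware scenario described above.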

Known Limitations

  • Only processes the most recent shadow copy

  • Shadow copies may not exist on all systems

  • VSS may be disabled or snapshots deleted

  • Snapshot age depends on creation schedule

  • Large file listings can take time to generate

Notes

Shadow copies are often targeted by ransomware for deletion. The presence or absence of shadow copies can itself be evidence. Multiple shadow copies may exist, but only the most recent is processed.
