Shadow Copy as CSV

Overview

Evidence: Shadow Copy as CSV
Description: Dump Latest Shadow Copy Files Information in CSV Format
Category: DiskFilesystem
Platform: windows
Short Name: shdwcopy
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Volume Shadow Copy Service (VSS) creates point-in-time snapshots of volumes. These snapshots preserve the state of files at the time the snapshot was created, allowing access to previous versions of files even if they have been modified or deleted.

Shadow copies can contain previous versions of files before ransomware encryption, deleted files, and historical system state. They provide a way to recover data and analyze system state from a specific point in time.

Data Collected

This collector writes one CSV row per file or directory found in the most recent shadow copy of the volume, with the fields listed below.

Shadow Copy as CSV Data

Field         Description                                                                   Example
Modified      File modification (last-write) timestamp, UTC                                 2023-10-15T14:30:00Z
Accessed      File last-access timestamp, UTC                                               2023-10-15T15:45:00Z
Created       File creation timestamp, UTC                                                  2023-10-01T10:00:00Z
IsDirectory   Whether the entry is a directory                                              + or empty
FileSize      File size in bytes                                                            1048576
Attributes    File attributes (R=ReadOnly, H=Hidden, S=System, C=Compressed, E=Encrypted)   RHS
FilePath      Full path within the shadow copy                                              \\?\HarddiskVolumeShadowCopy1\Users\user\Documents\file.txt

Note that the Accessed value is only as reliable as the NTFS last-access update policy on the host: Windows disables or throttles last-access updates by default, so an old Accessed timestamp does not prove the file was not read.

Collection Method

This collector:

  • Identifies the most recent shadow copy using GetLatestSnapshotDeviceName

  • Enumerates all files recursively in the shadow copy

  • Captures file metadata (timestamps, size, attributes)

  • Exports to CSV format for analysis

Shadow copies are accessed via device paths of the form \\?\HarddiskVolumeShadowCopy{N}\, where N is the snapshot index (Win32 file APIs reach the same device through \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy{N}\). Because only the latest snapshot is enumerated, older snapshots of the same volume are not part of this evidence and have to be examined separately.
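The following PowerShell script is an added example of the procedure above, written for this page; it is not the collector's own code and does not use its GetLatestSnapshotDeviceName routine. It assumes it runs elevated on the host, picks the newest snapshot via Win32_ShadowCopy, exposes it through a temporary directory symlink (the mount point C:\vss_latest is an arbitrary choice), walks it recursively and writes the same seven columns as the table above.

```powershell
# Added example (not the product's own code): dump file metadata from the newest
# shadow copy to CSV in the column layout documented above.
# Assumptions: elevated session; Win32_ShadowCopy is queryable; $LinkPath is a
# hypothetical, unused path used only to expose the snapshot device to file APIs.
param(
    [string]$OutCsv   = "$env:TEMP\shadowcopy_latest.csv",
    [string]$LinkPath = 'C:\vss_latest'
)

# 1. Pick the most recent snapshot. DeviceObject is the Win32-reachable device path,
#    e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
$latest = Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object InstallDate -Descending |
    Select-Object -First 1
if (-not $latest) { throw 'No shadow copies present on this host' }
$device = $latest.DeviceObject + '\'     # mklink requires the trailing backslash

# 2. Expose the snapshot as a directory symlink so Get-ChildItem can walk it.
if (Test-Path -LiteralPath $LinkPath) { cmd /c rmdir "$LinkPath" | Out-Null }
cmd /c mklink /d "$LinkPath" "$device" | Out-Null

# Map .NET FileAttributes flags to the single-letter form used in the CSV.
function ConvertTo-AttrString([System.IO.FileAttributes]$a) {
    $s = ''
    if ($a -band [IO.FileAttributes]::ReadOnly)   { $s += 'R' }
    if ($a -band [IO.FileAttributes]::Hidden)     { $s += 'H' }
    if ($a -band [IO.FileAttributes]::System)     { $s += 'S' }
    if ($a -band [IO.FileAttributes]::Compressed) { $s += 'C' }
    if ($a -band [IO.FileAttributes]::Encrypted)  { $s += 'E' }
    return $s
}

try {
    # 3. Enumerate every entry, including hidden and system ones (-Force), and
    #    capture timestamps, size and attributes.
    Get-ChildItem -LiteralPath $LinkPath -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $isDir = $_.PSIsContainer
            [pscustomobject]@{
                Modified    = $_.LastWriteTimeUtc.ToString('o')
                Accessed    = $_.LastAccessTimeUtc.ToString('o')
                Created     = $_.CreationTimeUtc.ToString('o')
                IsDirectory = if ($isDir) { '+' } else { '' }
                FileSize    = if ($isDir) { 0 } else { $_.Length }
                Attributes  = ConvertTo-AttrString $_.Attributes
                # 4. Report the path relative to the snapshot device, not the symlink.
                FilePath    = $_.FullName -replace [regex]::Escape($LinkPath), $device.TrimEnd('\')
            }
        } | Export-Csv -LiteralPath $OutCsv -NoTypeInformation -Encoding UTF8
}
finally {
    # rmdir on a directory symlink removes only the link, never the snapshot contents.
    cmd /c rmdir "$LinkPath" | Out-Null
}
```

The symlink is removed in a finally block so an enumeration error does not leave a stray reparse point pointing at the snapshot; the collector itself reads the device path directly and does not need a mount point.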

Forensic Value

Shadow copies are invaluable for recovering evidence and analyzing historical system state. Investigators use this data to recover files as they were before ransomware encryption, access deleted files preserved in the snapshot, analyze previous system configurations, compare the current state with the snapshot, recover overwritten evidence, and establish which files existed at snapshot time. Two caveats apply: the collector only reports metadata (it does not collect file contents), so a file of interest still has to be retrieved from the snapshot separately; and ransomware routinely deletes shadow copies before encrypting, so an empty or missing result is itself a finding worth noting rather than proof that nothing was ever snapshotted.
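To show the "compare current state with the snapshot" use case concretely, here is an added PowerShell example (not part of the product) that reads the collector's CSV, maps each snapshot path back onto the live volume and labels every file as deleted, modified or unchanged since the snapshot. The two CSV rows are constructed for illustration, and the assumption that the snapshot belongs to the volume mounted at C:\ is a parameter.

```powershell
# Added example (not the product's own code): triage the collector's CSV against the
# live volume to find files deleted or modified after the snapshot was taken.
# Assumptions: CSV columns as documented above; the snapshot was taken of the volume
# now mounted at $LiveRoot. The sample rows below are constructed, not real output.
param([string]$LiveRoot = 'C:\')

$sampleCsv = @'
"Modified","Accessed","Created","IsDirectory","FileSize","Attributes","FilePath"
"2023-10-15T14:30:00Z","2023-10-15T15:45:00Z","2023-10-01T10:00:00Z","","1048576","RHS","\\?\HarddiskVolumeShadowCopy1\Users\user\Documents\file.txt"
"2023-10-15T14:30:00Z","2023-10-15T15:45:00Z","2023-10-01T10:00:00Z","","2048","","\\?\HarddiskVolumeShadowCopy1\Windows\System32\drivers\etc\hosts"
'@

function Compare-ShadowCopyCsv {
    param([string]$Csv, [string]$LiveRoot)
    $Csv | ConvertFrom-Csv |
        Where-Object { $_.IsDirectory -ne '+' } |      # directories carry no content to compare
        ForEach-Object {
            # Strip the snapshot device prefix (\\?\HarddiskVolumeShadowCopyN\) to get
            # a volume-relative path, then rebase it onto the live volume.
            $rel  = $_.FilePath -replace '^\\\\\?\\HarddiskVolumeShadowCopy\d+\\', ''
            $live = Join-Path $LiveRoot $rel
            $snapMtime = [datetime]::Parse($_.Modified).ToUniversalTime()

            if (-not (Test-Path -LiteralPath $live -PathType Leaf)) {
                $status = 'DeletedSinceSnapshot'        # present in snapshot, gone on disk
            } else {
                $liveMtime = (Get-Item -LiteralPath $live -Force).LastWriteTimeUtc
                $status = if ($liveMtime -gt $snapMtime) { 'ModifiedSinceSnapshot' } else { 'Unchanged' }
            }

            [pscustomobject]@{
                Status           = $status
                SnapshotPath     = $_.FilePath
                LivePath         = $live
                SnapshotModified = $snapMtime
            }
        }
}

Compare-ShadowCopyCsv -Csv $sampleCsv -LiveRoot $LiveRoot | Format-Table -AutoSize
```

Files reported as ModifiedSinceSnapshot with a large size change are the usual first candidates when looking for ransomware-encrypted content, since the snapshot still holds the pre-encryption version at the SnapshotPath shown.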
