OVERVIEW: Shadow copies are point-in-time backups on current Windows operating systems. These backups can hold the evidence that you need to prove your case. However, you can't simply open them and look around. There is a difficult way to look at shadow copies, which can tamper with evidence, and there is the easy and forensically sound way of looking at shadow copies using EKL Shadow Scanner.
Shadow Scanner is a special and simple-to-use software program designed to access the files stored in Shadow Copies, and to identify the original dates and times these files were created, modified and accessed. Shadow Scanner software can access these files on an attached drive. It not only allows the files to be reviewed, but also allows all files to be recovered into a folder system identical to the one on the original evidence drive.
PRIMARY TOPICS FOR THIS WEBINAR INCLUDE:
Identify what a Shadow Copy is, where it is located, and what it contains.
Use Shadow Scanner to access the Shadow Copies, and understand the results of the scan.
Export the evidence files to a folder structure so that we can have them ready for trial.
Create a report explaining what techniques we used, and how to explain it to a jury.