tag:blogger.com,1999:blog-5057815281194312844.post4993310732157675648..comments2024-03-26T19:09:27.512+00:00Comments on Forensics from the sausage factory: Volume Shadow Copy Forensics - the Robocopy method Part 1DC1743http://www.blogger.com/profile/14186532367794900206noreply@blogger.comBlogger3125tag:blogger.com,1999:blog-5057815281194312844.post-86170379731224290372010-04-12T04:16:11.641+01:002010-04-12T04:16:11.641+01:00You aren't going to get to shadow copies on Vi...You aren't going to get to shadow copies on Vista and Windows 7 using an XP box. If you are doing Windows forensics work, you should be using WIndows 7 machines, or you will likely be leaving evidence in the image.<br /><br />As for this method of working with shadow copies, I think you might find addressing the shadow copies as shares less inclined to generate copy errors.<br /><br />Contact me at my office mail and I will send you my latest slides.<br /><br />Thanks again for a great post.Troyhttp://www.microsoft.comnoreply@blogger.comtag:blogger.com,1999:blog-5057815281194312844.post-37666273092796520902010-04-07T10:17:26.540+01:002010-04-07T10:17:26.540+01:00This is why you really need a Windows 7 box (real ...This is why you really need a Windows 7 box (real or VM). On an XP forensic box you can try and use a MS utility called dosdev.exe however making yourself a W7 VM will be more efficient in the long run.DC1743https://www.blogger.com/profile/14186532367794900206noreply@blogger.comtag:blogger.com,1999:blog-5057815281194312844.post-61001471262912832582010-04-07T10:01:51.705+01:002010-04-07T10:01:51.705+01:00Symbolic link is there only in Vista and Windows 7...Symbolic link is there only in Vista and Windows 7. How do you get around with the procedure on Windows XP?signonnoreply@blogger.com