Backups

vssadmin list shadows /for=<path_to_drive> # /for=c: for a logial drive

dd.exe if=\\.\HardDiskVolumeShadowCopy1 of=g:\shadow.img # for Windows, using the above mentioned version of dd, we type `if` and `of` instead of `-if` and `-of`.
# what's --localwrt

📘 vshadowinfo [-o NTFS_volume_offset] image_or_volume # -o is optional, and only use when analysing a phisical drive, not a logical volume. 

# If you have a E01 instead of a raw image file, use ewfmount utility first
📘 ewfmount image.E01 /mnt/mountname # make the system see E01 as a raw disk

📘 vshadowmount /mnt/mountname/submountname1 /mnt/vss # mount all VSC at /mnt/vss

📘 cd /mnt/vss && ls # list all available VSC

📘 mount -o ro, loop, show_sys_files,streams_interface=windows vss2 /mnt/shadow_m/vss2 # mount specific VSC. SIFT workstations now have an alias for this command: mountwin. ro - read-only. loop - This option is used when you're mounting a file that contains a file system, rather than a physical device. For example, this option is commonly used when mounting an ISO file. show_sys_files enables display of system files, which are normally hidden. The last option changes how NTFS Alternate Data Streams (ADS) are accessed, making it more like how they are accessed on a Windows system.

# you can automatically mount all the VSC availble with a loop
for i in vss*; do mountwin $i /mnt/shadow_m/$i; done

# run a timeline tool agains a VSC retrieved
📘 log2timeline.py plaso.dump imagefile
📘 psort plaso.dump # remove duplicates

📘 fls -r -m C: \\.\HarddiskVolumeShadowCopy12 >> bodyfile # can be used to analyse VSC, it's faster since it processes metadata only. 
📘 log2timeline.pl -f mactime -w timeline.csv -Z UTC bodyfile # convert