Shadow Volume Trash: $Recycle.Bin Forensics for Windows 7 and Windows Vista Shadow Volumes
Author:
Abstract
According to Microsoft, over one-third of all data loss is the result of accidental file deletion or modification (Microsoft, 2003). The Volume Shadow Copy Service is a Windows operating system service that archives key data and system settings. This allows Windows 7 and Windows Vista to recover from accidental data deletion and from destabilizing events, such as a virus attack or the incorrect installation of software or a hardware device. This archiving service also makes it possible for a user to view "previous versions" of documents. Because of the amount of data that this service archives, it has been referred to as a gold mine of forensic evidence. One of the key sets of data copied by the Volume Shadow Copy Service is the user's Recycle Bin data. Recycle Bin data includes records of the user's most recently discarded ("deleted") files. The Volume Shadow Copy Service archives Recycle Bin data by taking a "volume snapshot." Volume snapshot data is stored in what is known as a "shadow volume." Because a shadow volume is not located within the traditional file-tree structure of the operating system, the usual methods employed by forensic computer examiners to analyze this data cannot be used; a new approach for examining it is required. In the following pages, the author explains how the Volume Shadow Copy Service archives Recycle Bin data into shadow volumes. The "vssadmin list shadows" command is introduced as a way to identify the shadow volumes that exist within an operating system. The author further explains how to create "symbolic links" to access individual shadow volumes. The challenges that a forensic computer examiner faces when attempting a manual examination of a shadow volume are also explained.
The author concludes his exposition by suggesting the forensic computer examiner should use the software tool Shadow Miner, a tool that automates the forensic examination of Recycle Bin data that has been archived into a shadow volume.
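The following script is an added example and is not code from the paper or from its Shadow Miner tool. It strings together the three steps the abstract describes: it reads the output of "vssadmin list shadows" to find the shadow volumes, builds the "mklink /d" command that exposes a chosen shadow volume as a directory symbolic link, and decodes the $I records found under $Recycle.Bin on that volume. The vssadmin output embedded below is a constructed sample with placeholder GUIDs and a hypothetical machine name; the $I layout assumed is the Windows Vista/7 one (8-byte version of 1, 8-byte size, 8-byte FILETIME, 520-byte UTF-16LE path, 544 bytes in total), and the file path and size used for the sample record are made up.

```python
import re
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed sample of `vssadmin list shadows` output (placeholder GUIDs,
# hypothetical machine name); not captured from a real system.
SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {00000000-0000-0000-0000-0000000000a1}
   Contained 1 shadow copies at creation time: 1/2/2009 10:15:00 AM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000b1}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c1}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: examiner-pc

Contents of shadow copy set ID: {00000000-0000-0000-0000-0000000000a2}
   Contained 1 shadow copies at creation time: 1/9/2009 3:40:12 PM
      Shadow Copy ID: {00000000-0000-0000-0000-0000000000b2}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000c1}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: examiner-pc
"""

_CREATED_RE = re.compile(r"creation time:\s*(.+?)\s*$")
_VOLUME_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")


def parse_vssadmin_list_shadows(text):
    """Return [{'created': str, 'volume': str}, ...] in the order vssadmin lists them."""
    shadows, created = [], None
    for line in text.splitlines():
        m = _CREATED_RE.search(line)
        if m:
            created = m.group(1)      # creation time precedes the volume line
            continue
        m = _VOLUME_RE.search(line)
        if m:
            shadows.append({"created": created, "volume": m.group(1)})
    return shadows


def mklink_command(shadow_volume, link_dir):
    """Command (run from an elevated cmd.exe) that exposes a shadow volume as a
    directory symbolic link. The target must end with a backslash, otherwise the
    link is created but does not resolve."""
    target = shadow_volume.rstrip("\\") + "\\"
    return ["cmd", "/c", "mklink", "/d", link_dir, target]


FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
I_RECORD_SIZE = 544   # Vista/7 $I: 8 version + 8 size + 8 FILETIME + 520 path
I_PATH_BYTES = 520    # 260 UTF-16LE code units, NUL padded


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_dollar_i(data):
    """Decode a Vista/7 $I record: original path, size and deletion time."""
    if len(data) != I_RECORD_SIZE:
        raise ValueError(f"expected {I_RECORD_SIZE}-byte $I record, got {len(data)}")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        raise ValueError(f"unsupported $I version {version} (Vista/7 records use 1)")
    path = data[24:24 + I_PATH_BYTES].decode("utf-16-le").split("\x00", 1)[0]
    return {"original_path": path, "size": size,
            "deleted_at": filetime_to_datetime(ft), "deleted_filetime": ft}


def build_dollar_i(original_path, size, deleted_filetime):
    """Construct a Vista/7 $I record; used here only to make sample input."""
    encoded = original_path.encode("utf-16-le")
    if len(encoded) > I_PATH_BYTES - 2:
        raise ValueError("path exceeds MAX_PATH")
    return struct.pack("<QQQ", 1, size, deleted_filetime) + encoded.ljust(I_PATH_BYTES, b"\x00")


def recycle_bin_records(link_dir):
    """Walk $Recycle.Bin\\<SID>\\$I* under a linked shadow volume and decode each
    record; the matching $R file (content) may be absent while $I survives."""
    out = []
    for i_file in Path(link_dir).glob("$Recycle.Bin/*/$I*"):
        rec = parse_dollar_i(i_file.read_bytes())
        rec["sid"] = i_file.parent.name
        rec["dollar_r"] = i_file.with_name("$R" + i_file.name[2:])
        out.append(rec)
    return out


if __name__ == "__main__":
    for s in parse_vssadmin_list_shadows(SAMPLE_VSSADMIN_OUTPUT):
        print(s["created"], s["volume"])
        print("  ", " ".join(mklink_command(s["volume"], r"C:\shadow1")))
    # Hypothetical record: FILETIME below is 2009-01-02 10:15:00 UTC.
    sample = build_dollar_i(r"C:\Users\alice\Documents\ledger.xlsx", 48213, 128753649000000000)
    print(parse_dollar_i(sample))
```

Only the parsing runs offline; creating the link and calling recycle_bin_records need an elevated shell on the examined Windows system (or a forensic workstation with the image mounted), and the examiner should record which shadow volume each $I record came from, since the same file can appear in several snapshots with the same deletion time.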
Similar resources
Cyber Dumpster-Diving: $Recycle.Bin Forensics for Windows 7 and Windows Vista
Analysis of deleted files often provides useful information for the forensic computer examiner. Knowing where to find the deleted files, and how to interpret the metadata associated with the file’s deletion, make up the cornerstone of a successful forensic computer examination. Much like an office trash-can, the Microsoft Windows Recycle Bin is a temporary holding container for files that have ...
Detecting Hidden Encrypted Volumes
Hidden encrypted volumes can cause problems in digital investigations since they provide criminal suspects with a range of opportunities for deceptive antiforensics and a countermeasure to legislation written to force suspects to reveal decryption keys. This paper describes how hidden encrypted volumes can be detected, and their size estimated. The paper shows how multiple copies of an encrypte...
Geometry Image-based Shadow Volume Algorithm for Subdivision Surfaces
How to generate shadow volumes efficiently for subdivision surfaces remains a challenging task for computer graphics community. We present a geometry image based algorithm that runs on GPUs (Graphics Process Units). By using GPU shaders, two geometry images containing position and normal vector information will be computed from the control meshes. By detecting silhouettes and extruding shadow v...
Messenger Forensics on Windows Vista and Windows 7
The purpose of this study is to identify several areas of forensic interest within the Yahoo! Messenger application, which are of forensic significance. This study focuses on new areas of interest within the file structure of Windows Vista and Windows 7. One of the main issues with this topic is that little research has been previously conducted on the new Windows platforms. Previously conducte...
Publication date: 2009