Back in December, Harlan Carvey published a blog post about using tools to analyze Volume Shadow Copies to uncover historical information about how a system has been operating.
If malware has been running for a while, or the user has been performing activities of interest, then examining the Volume Shadow Copies can aid the investigation.
Here is the link:
http://windowsir.blogspot.com/2015/12/working-with-shadow-volumes.html
Follow on Twitter: ITSECSAM