System Volume Information – An Overview
System Volume Information consists of a ‘hidden’ Windows system directory that contains a backup within shadow copy files of the user and system stored files.
The Microsoft Windows operating system automatically stores a backup of files present on the hard drive and places these files within a ‘hidden’ and compressed system folder named the System Volume Information directory. This backup process can also be manually carried out by the user.
If there is a system or software failure or corruption then the content of the System Volume Information directory can be restored to allow the computer to return to a previous correctly working point.
A normal user is unlikely to be aware of the presence of the System Volume Information directory or the files within it as the folder is ‘hidden’ by default and individual files present cannot be accessed in the normal way.
When the computer is restored using the content of the System Volume Information directory, any current files are replaced with the Shadow Volume Copy files.
Volume Shadow Copy Files
The Volume Snapshot Service (VSS) creates the backup files that consist of a snapshot of the system at the time and any data that has changed since the previous snapshot is stored within the System Volume Information directory.
The Volume Shadow Copy files can be stored on local or external volumes by Windows systems using the NTFS or ReFS file systems.
The Volume Shadow Copy service are created on a fixed basis (e.g. weekly) and they can also be created prior to the installation of software or a Windows update so that the system can be returned to a working state in the event of failure.
System Volume Information and Volume Shadow Copy Files within Computer Forensic Investigations
The Volume Shadow Copy files within the System Volume Information folder may contain previous versions of files that still exist on the computer and can also contain files that have been subsequently removed from the Windows based system.
Therefore, the content of the Volume Shadow Copy files can be significant to investigations of various scenarios including the alteration of documents or the presence of illegal images.
The Volume Shadow Copy files can also contain Internet browsing activity or related files that can allow the investigator to identify the source or origins of an image or file and, potentially the user operating the computer at a given time.
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0845 882 7386 or via email on firstname.lastname@example.org, further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.