It's been a long time since my previous post.
Today I was following #ceic on Twitter for things happening around there. Something interesting came up: "Volume Shadow".
As most of us know, it is available only on the NTFS filesystem. If you are interested in knowing the basics of Volume Shadow, click here.
LibShadow can be used to parse the Volume Shadow supporting files. To download the beta version, click here.
How to use LibShadow?
YouTube is the best player for most of us.
To get all the supporting files, I have written a small EnScript which can help you get a copy from the E01 or RAW from the EnCase software.
A hash value is computed for each supporting file as an add-on forensic feature, hahahah...!
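
An added example, not the author's EnScript or part of LibShadow: the same hash-per-file step in Python, for supporting files that have already been exported to a folder, with a check that flags any file changed since export. It assumes the files keep their "System Volume Information" names, which end in the VSS identifier GUID; the function names and the sample files are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# GUID that Windows uses in VSS file names under "System Volume Information".
VSS_ID = "{3808876b-c176-4e48-b7ae-04046e6cc752}"
GUID = r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}"
STORE_RE = re.compile(GUID + re.escape(VSS_ID), re.IGNORECASE)

def classify(name):
    """Return 'catalog', 'store' or None for a file name."""
    if name.lower() == VSS_ID:
        return "catalog"
    return "store" if STORE_RE.fullmatch(name) else None

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks; store files can be several gigabytes."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(export_dir):
    """Map each VSS supporting file name to (kind, size, sha256)."""
    manifest = {}
    for path in sorted(Path(export_dir).iterdir()):
        kind = classify(path.name) if path.is_file() else None
        if kind:
            manifest[path.name] = (kind, path.stat().st_size, sha256_file(path))
    return manifest

def verify(export_dir, manifest):
    """Return names that are missing or whose size or hash changed since export."""
    current = build_manifest(export_dir)
    return sorted(n for n, rec in manifest.items() if current.get(n) != rec)

def demo():
    """Run against constructed placeholder files, not real shadow copy data."""
    with tempfile.TemporaryDirectory() as tmp:
        store = "{11111111-2222-3333-4444-555555555555}" + VSS_ID
        for name, data in ((VSS_ID, b"catalog"), (store, b"store"), ("notes.txt", b"x")):
            Path(tmp, name).write_bytes(data)
        manifest = build_manifest(tmp)
        Path(tmp, store).write_bytes(b"tampered")  # simulate a post-export change
        return manifest, verify(tmp, manifest), store
```

Build the manifest right after export and keep it with the case notes; running `verify` later shows whether any supporting file was altered before it was parsed.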