vss_carver

Carves and recreates VSS catalog and store from Windows disk image.

Requirement

vss_carver.py -t <disk_image_type> -o <volume_offset_in_bytes> -i <disk_image> -c <catalog_file> -s <store_file>

Sort the catalog entries based on the $SI modification timestamp of the specified file. To sort the catalog entries correctly, it must be updated frequently (default: /Windows/System32/winevt/Logs/System.evtx).

vss_catalog_sorter.py -t <disk_image_type> -o <volume_offset_in_bytes> -i <disk_image> -c <catalog_file> -s <store_file> -m <exported_$MFT>

Mounts VSS snapshots with the use of extended vshadowmount (You can get pre-compiled vshadowmount from here)

vshadowmount -o <volume_offset_in_bytes> -c <catalog_file> -s <store_file> <disk_image> <mount_point>

vss_catalog_manipulator.py {list,move,remove,enable,disable} (see more details with "-h")

git clone https://github.com/mnrkbys/vss_carver.git

I am offering pre-compiled libyal libraries on precompiled_libyal_libs repository. I recommend using them.

Yogesh also is offering pre-compiled pyewf and pyvmdk in his mac_apt repository. Follow the instructions to install dependencies.

Of course, you can build them by yourself as same as Linux or macOS.

You have to compile libvshadow, libewf, and libvmdk. I'm offering patched source code on my repositories, libvshadow and libvmdk.

Do git clone them above, then follow the instructions to build libvshadow, libewf and libvmdk.

When you find a bug, don't just report error messages. In many cases, this is because the error message may not contain the root cause.

So I need real disk images to fix the bug. Of course, this is not the case if the disk image contains private data.