Overview
Explore the intricacies of Volume Shadow Copy Service (VSS) snapshots and learn techniques to manipulate them in this 25-minute conference talk from BSidesLV 2017. Delve into the basics of VSS, its importance in forensic analysis, and the on-disk format including NTFS headers and data block lists. Discover methods for writing data to snapshots, understanding block descriptors, and modifying timestamps. Gain insights on detecting snapshot modifications and the challenges involved in uncovering such alterations. Conclude with a live demonstration and a Q&A session to enhance your understanding of VSS snapshot manipulation and its implications for forensic analysts.
Syllabus
Introduction
What is VSS
Basics of VSS
Why should you care
Examples
Documentation
On Disk Format
NTFS Header
What is in a Store
Data Block List
Example Snapshot
Writing Data to a Snapshot
Block Descriptors
The Really Good Stuff
Demo
How to tell if a snapshot has been modified
Hardest way to find out
Modify timestamps
Questions
Taught by
BSidesLV