Skip to content
/ ShadowForensic Public

Professional Windows Volume Shadow Copy (VSS) Analysis & Data Recovery Toolkit

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ismailtsdln/ShadowForensic

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
.github/workflows
.github/workflows
 
 
src/shadowforensic
src/shadowforensic
 
 
tests
tests
 
 
.gitattributes
.gitattributes
 
 
README.md
README.md
 
 
logo.png
logo.png
 
 
pyproject.toml
pyproject.toml
 
 

Repository files navigation

ShadowForensic Logo

🕵️‍♂️ ShadowForensic

Professional Windows Volume Shadow Copy (VSS) Analysis & Data Recovery Toolkit

Python Version License: MIT CI Status

📖 Overview

ShadowForensic is a state-of-the-art forensic tool designed to streamline the investigation of Windows Volume Shadow Copies. Built for Digital Forensics and Incident Response (DFIR) professionals, it provides a modular, reliable, and high-performance framework to interact with the Volume Shadow Copy Service (VSS).

Unlike traditional scripts, ShadowForensic offers a robust CLI experience, multi-threaded recovery capabilities, and deep integration with Windows system calls for maximum efficiency.

✨ Key Features

  • 🔍 Advanced Listing: Detailed enumeration of all shadow copies, including creation dates and device objects.
  • 🆕 Live Creation: Instantly create new shadow copies for point-in-time forensic snapshots.
  • 📁 GlobalRoot Mounting: Securely mount shadow copies using symbolic links to bypass standard access restrictions.
  • 🚀 Turbo Recovery: Multi-threaded file extraction engine with customizable filters (extensions, sizes, etc.).
  • 🎨 Premium UI/UX: A beautiful, colorized CLI interface with progress indicators and structured data tables.
  • 🛡️ Forensic Integrity: Preserves original file metadata (timestamps) during the recovery process.

🛠 Installation

Prerequisites

  • Windows OS (Required for VSS interaction)
  • Python 3.10+
  • Administrator Privileges (Required for mounting and VSS operations)

Setup

# Clone the repository
git clone https://github.com/ismailtsdln/ShadowForensic.git
cd ShadowForensic

# Install the library and its dependencies
pip install .

🚀 Quick Start

1. List All Available Shadow Copies

shadowforensic list

2. Create a Point-in-Time Snapshot

shadowforensic create C:

3. Mount a Copy for Manual Inspection

shadowforensic mount {SHADOW_ID} C:\mnt\investigation_vss

4. Perform Advanced File Recovery

# Recover all JPEG and PDF files from a specific shadow copy
shadowforensic recover {SHADOW_ID} --filter "*.jpg" --filter "*.pdf" --output ./evidence_dump

🏗 Modular Architecture

ShadowForensic is built with extensibility in mind. You can use its core modules directly in your Python projects:

from shadowforensic.vss.wrapper import VSSWrapper
from shadowforensic.core.scanner import FileScanner, RecoveryOptions

vss = VSSWrapper()
copies = vss.list_shadow_copies()

# High-performance scanning
options = RecoveryOptions(filters=["*.docx"])
scanner = FileScanner(source_path="C:\\mnt\\shadow", target_path="./recovered", options=options)
scanner.run()

🛡️ Security & Ethics

This tool is designed for forensic professionals, incident responders, and authorized auditors. Unauthorized use of this tool for accessing data on systems you do not own or have explicit permission to test is a violation of law and ethics. Use responsibly.

📄 License

Distributed under the MIT License. See LICENSE for more information.

Developed with ❤️ by Ismail Tasdelen

About

Professional Windows Volume Shadow Copy (VSS) Analysis & Data Recovery Toolkit

Topics

forensics forensic-analysis shadow-copy forensics-tools vss-data

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages