Tuesday, February 18, 2014

Daily Blog #240: Arsenal Image Mounter and Shadowkit

Hello Reader,
Oftentimes I'm on a Windows system where I want to access volume shadows and I haven't compiled libvshadow on it. So I switch over to the next best thing: Shadow Kit and Arsenal Image Mounter.

If you haven't used Arsenal Image Mounter, it's pretty great. First, it's free to use. You can download it here: http://arsenalrecon.com/apps/image-mounter/ Second, it mounts the images as iSCSI devices, which means Windows will see them as locally attached physical disks. It supports raw, multipart raw, s01 and e01 images, so it's really useful.

Next, I grab the latest version of Shadow Kit to pull in the volume shadows and then start exporting the data I need. I like Shadow Kit not only because David Dym, who works in our lab, wrote it, but also because it will exclude all my local shadows and just show me the shadows for the images I have connected, identified by hostname. This is very useful and allows me to quickly go through pulling out the data I need. You can grab Shadow Kit here: http://www.easymetadata.com/wp/?page_id=63

Now, this method isn't perfect. It won't get you access to all the hidden system files, as Shadow Kit uses the Windows API, but when you need access to underlying shadow data without a lot of time and compilation, it does the job!