Daily Blog #353: Volume Shadow deletion event IDs

Volume Shadow deletion event IDs by David Cowen - Hacking Exposed Computer Forensics Blog


Hello Reader,
Ever look at an image that had Volume Shadow Copies and wonder whether the volume shadow copies were deleted by the system or turned off by the user? In that case, check out Event ID 33 in the System log with a source of volsnap. You'll see a message similar to this:
The oldest shadow copy of volume C: was deleted to keep disk space usage for shadow copies of volume C: below the user defined limit.

Here is a screenshot showing the event in Event Viewer:

You'll see this for each volume shadow copy that was deleted by the system with a timestamp of when it occurred. On my personal system this goes back a year.
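One way to pull these entries out for review, as an added PowerShell example that is not part of the original post: $EvtxPath is an assumed placeholder for a System.evtx exported from the image, and leaving it empty queries the live System log instead.

```powershell
# Added example (not from the original post): list volsnap Event ID 33 entries
# from either the live System log or a System.evtx exported from an image.
# $EvtxPath is a placeholder assumption; leave it empty to query the live log.
param(
    [string]$EvtxPath = ''   # e.g. 'C:\case\System.evtx' (placeholder path)
)

# Filter on provider volsnap and event ID 33, from the System log or from a file.
$filter = @{ ProviderName = 'volsnap'; Id = 33 }
if ($EvtxPath) { $filter['Path'] = $EvtxPath } else { $filter['LogName'] = 'System' }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Output 'No volsnap Event ID 33 entries found.'; return }

# Extract the volume letter from the message text and emit one row per deletion.
$rows = foreach ($e in $events) {
    $vol = if ($e.Message -match 'of volume ([A-Za-z]):') { $Matches[1] } else { '?' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Volume      = $vol
        Message     = ($e.Message -replace '\s+', ' ').Trim()
    }
}
$rows | Sort-Object TimeCreated | Format-Table -AutoSize

# Summary per volume: how many system-driven deletions, and the first/last timestamps.
$rows | Group-Object Volume | ForEach-Object {
    $t = $_.Group | Measure-Object TimeCreated -Minimum -Maximum
    [pscustomobject]@{
        Volume    = $_.Name
        Deletions = $_.Count
        First     = $t.Minimum
        Last      = $t.Maximum
    }
} | Format-Table -AutoSize
```

The Message text is rendered from the volsnap provider's message resources on the analysis box, so run it on a Windows host when reading an exported .evtx.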
