Incident Response with EZTools - VSCMount
VSCMount is bundled with EZTools. It mounts all Volume Shadow Copies (VSCs) found on a given drive letter to a given mount point.
Volume Shadow Copy (VSC) is a feature in Windows that allows the system to take a snapshot or backup of your files, volumes, etc.
From an incident response perspective, we may want to gather or recover evidence of a deleted file, or compare the system with its previous state from before the detection happened.
[Screenshot: VSCMount.exe command-line options and arguments]
We can look for information about our Volume Shadow Copy in the following Registry paths:
HKLM\SYSTEM\CurrentControlSet\Services\VSS
HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore
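A read-only triage pass over those two keys and the snapshots currently on the host, as an added example that is not part of the original post or of EZTools. It assumes an elevated PowerShell session on the system under investigation; `C:\VssRoot` in the final comment is a placeholder mount point.

```powershell
# Added example: dump every value under the two VSS-related registry keys,
# then list the shadow copies that exist right now. Nothing is modified.

$vssKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\VSS',
    'HKLM:\SYSTEM\CurrentControlSet\Control\BackupRestore'
)

$registryValues = foreach ($root in $vssKeys) {
    if (-not (Test-Path -Path $root)) {
        Write-Warning "Key not present: $root"
        continue
    }
    # The root key itself plus all of its subkeys
    $keys = @(Get-Item -Path $root) +
            @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key  = $key.Name
                Name = $name
                Kind = $key.GetValueKind($name)
                # Multi-string and binary values are flattened for display
                Data = ($key.GetValue($name) -join '; ')
            }
        }
    }
}

# BackupRestore\FilesNotToSnapshot is worth reading closely: paths listed
# there are excluded from snapshots, so they will not appear in a mounted VSC.
$registryValues | Format-Table -AutoSize -Wrap

# Shadow copies currently on the system, oldest first. Compare InstallDate
# with the detection time to pick the snapshot that predates the incident.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object -Property InstallDate |
    Format-Table -Property ID, VolumeName, InstallDate, DeviceObject -AutoSize -Wrap

# With a pre-incident snapshot identified, the VSCs of drive C can be mounted
# for review (placeholder mount point):
#   VSCMount.exe --dl C --mp C:\VssRoot
```

An empty shadow copy list combined with an intact `Services\VSS` key means the service is configured but no snapshots survive, which is itself worth recording in the timeline.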