Carves and recreates VSS catalog and store from Windows disk image.
- Python 3.7+ (I tested on Python 3.7.6)
- libvshadow (It has to be patched to support vss_carver)
- pyewf
- pyvmdk
- High speed CPU and high speed I/O storage
- Carves and recreates VSS catalog and store
vss_carver.py -t <disk_image_type> -o <volume_offset_in_bytes> -i <disk_image> -c <catalog_file> -s <store_file>- (Optional) Manipulates VSS catalog entries
vss_catalog_manipulator.py {list,move,remove,enable,disable} (see more details with "-h")- Mounts VSS snapshots with the use of extended vshadowmount (You can get pre-compiled vshadowmount from here)
vshadowmount -o <volume_offset_in_bytes> -c <catalog_file> -s <store_file> <disk_image> <mount_point>git clone https://github.com/mnrkbys/vss_carver.gitI am offering pre-compiled libyal libraries on precompiled_libyal_libs repository. I recommend using them.
Yogesh also is offering pre-compiled pyewf and pyvmdk in his mac_apt repository. Follow the instructions to install dependencies.
Of course, you can build them by yourself as same as Linux or macOS.
You have to compile libvshadow, libewf, and libvmdk. I'm offering patched source code on my repositories, libvshadow and libvmdk.
Do git clone them above, then follow the instructions to build libvshadow, libewf and libvmdk.