I’ve recently added an important functionality that has been missing from VSC Toolset: the ability to systematically extract files from shadow copies. You can now do this with VSC Toolset either by utilizing the “Copy” command from the main window or via browsing the directory structure of a shadow copy and utilizing the context menu option.
When browsing an individual shadow copy, you can easily verify the location of the files or folders you wish to copy and extract them accordingly. To extract files in this manner, simply navigate to the folder of interest, highlight the files or folders you wish to extract, and select “Copy” from the right-click context menu. You will be prompted to select a location to save the data, then a small status window will appear while the data is being extracted (see screenshot below). The downside to this approach is that you must copy the files of interest from each shadow copy individually. To alleviate this problem, the option to copy a selected file or folder from multiple shadow copies in a single operation is available from the main window of VSC Toolset.
|Copying Files via VSC Browser Context Menu
By utilizing the Copy command from the main VSC Toolset window, you can extract a file or folder from multiple shadow copies in a batch processing manner. It’s as simple as selecting the shadow copies from which to extract the file or folder, inputting the path (or browsing to it using the Browse button), and clicking the Run Command button. It’s important that the path to the file or folder of interest be the full path on the drive containing the VSCs. For example, if the image containing the shadow copies is mounted as the H: drive, the path to the file/folder to copy should be something like H:foldersubfolderfile.txt. VSC Toolset will then use the batch files associated with the copy operation to copy the specified file or folder from all selected shadow copies. The extracted files will be stored in the “VSCToolset_OutputExtractedFiles” folder (the location of which may be changed under Tools –> Options).
|Copying Files from VSC Toolset Main Window
All copy operations issued with VSC Toolset are simply passing parameters to a robocopy batch file that resides in the VSC Toolset “batch” folder. Robocopy is a powerful copying utility and is a standard feature of Windows Vista and above. For information on Robocopy options, check out this Microsoft article. With VSC Toolset copy operations, the /COPYALL flag is passed for file and folder copies to copy all file information (including time stamps). Additionally, the /E flag is passed during folder copy operations to include empty subdirectories. These options can of course be modified by changing the respective batch files within the “batch” folder used by VSC Toolset. CopyFile.cmd and CopyFolder.cmd are the batch scripts used to issue the robocopy commands for file and folder copying, respectively. The robocopy log, which can also be customized by modifying the batch files, is saved in the “VSCToolset_OutputRobocopyLogs” directory that is created by VSC Toolset upon issuing a copy operation.
A couple of other improvements have been made as well, including adding multiple threads for processing. By making VSC Toolset a multi-threaded application, the user interface remains responsive even when running time-consuming operations such as Diff or a large copy operation. This allows you to immediately start a process such as running Diff against a couple of shadow copies and then running a RegRipper plugin or profile against one or more shadow copies while Diff is still executing in the background.
You can download the latest version of VSC Toolset here.
For tips on setting up and using VSC Toolset, check out this blog post. To get the most out of the program, you’ll need the accompanying tools below. Also, keep in mind that with the exception of RegRipper, all accompanying executable files and scripts should be stored in the same directory as the VSC Toolset executable in order for the program to see them.
- ActiveState Perl
- jl.pl script (available in the wfa3e files)
- lslnk-directory-parse2.pl script (download from the Win4n6 group under FilesTools)
- diff.exe (included with the UnxUtils package)
- Microsoft Log Parser
Feedback, suggestions, and bug reports are always welcome and appreciated.