Volume Shadow Copy Artifacts - Foren-Ken/tech-journal GitHub Wiki
What is it?
The Volume Shadow Copy Service (VSS) creates point-in-time snapshots of a whole volume. A snapshot is a read-only view of the volume as it was at that moment, so it preserves files, registry hives and any other data that existed when the copy was taken, including data later deleted or overwritten on the live volume.
The snapshot data (the "diff area") is stored in the hidden, SYSTEM-only "C:\System Volume Information" folder at the root of the volume; reading it directly needs elevated rights, a forensic image, or one of the tools below.
How is it used?
Shadow copies expose previous versions of files. Comparing a file across snapshots shows how and when it was altered, modified or deleted, and can recover a version from before ransomware encrypted it (attackers know this, which is why deletion of shadow copies, e.g. with vssadmin, is a common precursor to encryption and a useful detection point).
The same applies to registry hives (SYSTEM, SOFTWARE, SAM, NTUSER.DAT): a hive copied out of a snapshot can be loaded or diffed against the live one to see which keys were added, changed or removed.
A shadow copy is not a full duplicate of the volume. VSS works copy-on-write at the block level: once a snapshot exists, the original contents of any block about to be overwritten are saved to the diff area, so a snapshot costs only as much space as has changed since it was taken. Through the snapshot, files that were new, modified or deleted afterwards are still readable in their earlier state.
Where to / how to find it:
Using FTK Imager, load the drive or image and browse to "C:\System Volume Information"; the diff-area files there are named by GUID. FTK Imager shows them as raw files, not as browsable snapshots, so to actually read a previous version use one of the collection methods below.
In the registry, VSS-related settings live under "SYSTEM\CurrentControlSet\Control\BackupRestore" (its FilesNotToBackup, FilesNotToSnapshot and KeysNotToRestore subkeys list what is excluded from snapshots and restores) and under "SYSTEM\CurrentControlSet\Services\VSS".
How to collect data from it:
No Special Tool Method (Slow and Not Recommended):
Using only built-in Windows commands from an elevated command prompt:
set shadowX=\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX
where X is the number of the shadow copy. List the available copies first with "vssadmin list shadows"; the "Shadow Copy Volume" line of each entry gives the exact device path.
for /R %shadowX%\ %i in (*) do echo %i >> "C:\shadowX.txt"
This writes the full path of every file in the shadow copy, one per line, to C:\shadowX.txt. It is a file listing, not a copy of the file contents (inside a batch file write %%i instead of %i). To copy files out, first expose the snapshot as a directory with "mklink /d C:\vscX %shadowX%\" (the trailing backslash is required) and then copy or robocopy from C:\vscX.
Use WinMerge to compare the listings, or the files extracted from different shadow copies, to see what changed between snapshots.
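The same procedure in PowerShell, as an added example that is not part of the original wiki page: it enumerates the shadow copies of a live system, exposes each one through a directory symbolic link, writes a per-snapshot file listing (the wiki's for /R step) and pulls every snapshot's version of one file out so the versions can be hashed and diffed. Assumptions not on the page: an elevated PowerShell 5.1 or later session, output under the hypothetical path C:\vsc_out (chosen without spaces because the mklink arguments are passed unquoted), and a volume-relative target such as Windows\System32\config\SYSTEM.

```powershell
# Added example, not from the original wiki page. Assumed: elevated PowerShell 5.1+,
# $OutDir without spaces (mklink args are passed unquoted), target path relative to
# the volume root of the snapshots (system drive).
param(
    [string]$OutDir = 'C:\vsc_out',
    [string]$TargetRelPath = 'Windows\System32\config\SYSTEM'
)

# Win32_ShadowCopy lists the same snapshots as 'vssadmin list shadows'; DeviceObject is
# the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path that 'set shadowX=' refers to.
$copies = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
if (-not $copies) { Write-Warning 'No shadow copies on this host.'; return }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$leaf = Split-Path -Path $TargetRelPath -Leaf

foreach ($c in $copies) {
    $n    = ($c.DeviceObject -split 'HarddiskVolumeShadowCopy')[-1]
    $link = Join-Path $OutDir "vsc$n"

    # mklink is a cmd builtin, and the GLOBALROOT target must end in a backslash or the
    # link is created but cannot be browsed. Start-Process hands the argument string to
    # cmd.exe verbatim, which avoids PowerShell re-quoting the trailing backslash.
    if (-not (Test-Path -LiteralPath $link)) {
        Start-Process -FilePath cmd.exe -Wait -NoNewWindow `
            -ArgumentList "/c mklink /d $link $($c.DeviceObject)\"
    }
    Add-Content -Path (Join-Path $OutDir 'shadowcopies.txt') -Value (
        "vsc$n`tcreated $($c.InstallDate)`tvolume $($c.VolumeName)`t$($c.DeviceObject)")

    # Listing of every file the snapshot holds, one full path per line (same content as
    # the wiki's C:\shadowX.txt, minus the cmd quirks).
    Get-ChildItem -LiteralPath $link -Recurse -File -Force -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName |
        Set-Content -Path (Join-Path $OutDir "vsc$n-files.txt")

    # Copy the snapshot's version of the target file out. A registry hive is locked on
    # the live system, but its copy inside the snapshot is a plain readable file.
    $src = Join-Path $link $TargetRelPath
    if (Test-Path -LiteralPath $src) {
        Copy-Item -LiteralPath $src -Destination (Join-Path $OutDir "vsc$n-$leaf") -Force
    }
}

# Identical hashes mean the file did not change between those snapshots; only the
# differing versions are worth diffing (WinMerge for text, a hive tool for registry hives).
Get-ChildItem -Path $OutDir -Filter "vsc*-$leaf" -File |
    Get-FileHash -Algorithm SHA256 |
    Sort-Object Path |
    Format-Table -AutoSize Path, Hash
```

Run it as administrator; the file listing pass is as slow as the page's for /R approach and may log access errors on reparse points in user profiles, which is why they are silenced. When finished, remove each vscN link with "cmd /c rmdir C:\vsc_out\vscN", which removes only the link, never the snapshot.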
ShadowExplorer
This tool only needs to be installed: pick the drive whose shadow copies you want to browse and a snapshot date, then browse and export files from that snapshot.
If the evidence is an image such as an E01, first mount it with Arsenal Image Mounter in "Write temporary" mode (writes go to a scratch file, so the image itself stays unmodified); Windows then sees the image's shadow copies and ShadowExplorer can be pointed at the mounted drive.