Shadow copy - Paiet/FOR---Operating-System-Forensics GitHub Wiki
volume shadow copy
- saves the state of the file in the volume
- can go back to previous state where files where in the system encrypted files can go to the previous version and read
- even malware can delete but it keeps files in regestry hkey
- is activated by default
win 7
win 8