Z Shadowinfo File

| Column Name | Description |
| :--- | :--- |
| | Unique GUID for the snapshot. |
| ShadowCopyVolume | The drive letter of the snapshot (e.g., `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1`). |
| CreationTime | When the snapshot was taken (UTC). Critical for timeline reconstruction. |
| OriginMachine | The computer name where the snapshot originated. |
| FileReferenceNumber | The MFT reference number (unique identifier for the file within the volume). |
| FileName | The name of the file/folder. |
| FullPath | The absolute path inside the shadow copy. |
| SI_Created, SI_Modified, SI_Changed, SI_Accessed | Standard Information timestamps. |
| FN_Created, FN_Modified, FN_Changed, FN_Accessed | File Name timestamps (often more reliable than SI). |
| FileSize | Size in bytes. |
| IsDeleted | Flag indicating if the file is present in the current filesystem but exists in the shadow. |

Enter .

Whether you are a forensic analyst hunting for malware, an IT admin recovering a lost file, or a compliance officer auditing user activity, mastering Z ShadowInfo is no longer optional—it is essential.

Eric Zimmerman’s ShadowInfo tool is a command-line utility designed to parse Volume Shadow Copy snapshots from a live system or a forensic image. The "Z" in unofficially acknowledges Zimmerman’s contribution to the field. Thus, Z ShadowInfo is the intersection of Zimmerman's parsing methodology and Shadow Copy intelligence.
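
As an added example (not code from the tool or its author), the sketch below shows how an analyst might triage an export that uses the column names from the table above: it lists paths whose SI_Created is earlier than FN_Created, a mismatch worth a manual look given that FN timestamps are often more reliable, and it tracks one file across snapshots by CreationTime. The CSV layout, the ISO 8601 timestamp format, the sample rows and the function names are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Column names follow the table on this page;
# ISO 8601 UTC timestamps and CSV layout are assumptions.
SAMPLE_CSV = r"""
ShadowCopyVolume,CreationTime,FullPath,SI_Created,SI_Modified,FN_Created,FN_Modified,FileSize
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1,2024-03-01T02:00:00Z,\Users\alice\Documents\report.docx,2024-02-10T09:15:00Z,2024-02-20T11:00:00Z,2024-02-10T09:15:00Z,2024-02-10T09:15:00Z,48213
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1,2024-03-01T02:00:00Z,\Windows\Temp\svchelper.exe,2019-07-16T04:00:00Z,2019-07-16T04:00:00Z,2024-02-27T23:41:09Z,2024-02-27T23:41:09Z,91136
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2,2024-03-08T02:00:00Z,\Users\alice\Documents\report.docx,2024-02-10T09:15:00Z,2024-03-05T16:30:00Z,2024-02-10T09:15:00Z,2024-02-10T09:15:00Z,51990
"""

TIME_COLUMNS = ("CreationTime", "SI_Created", "SI_Modified", "FN_Created", "FN_Modified")


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2024-03-01T02:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_rows(text):
    """Read the export and convert timestamp and size columns to typed values."""
    rows = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        for col in TIME_COLUMNS:
            row[col] = parse_ts(row[col])
        row["FileSize"] = int(row["FileSize"])
        rows.append(row)
    return rows


def si_predates_fn(rows):
    """Paths whose SI_Created is earlier than FN_Created; review these by hand."""
    return sorted({r["FullPath"] for r in rows if r["SI_Created"] < r["FN_Created"]})


def versions(rows, full_path):
    """(snapshot time, SI_Modified, size) for one path, oldest snapshot first."""
    hits = [r for r in rows if r["FullPath"].lower() == full_path.lower()]
    hits.sort(key=lambda r: r["CreationTime"])
    return [(r["CreationTime"], r["SI_Modified"], r["FileSize"]) for r in hits]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("SI_Created earlier than FN_Created:", si_predates_fn(rows))
    for snap, modified, size in versions(rows, r"\Users\alice\Documents\report.docx"):
        print(snap.isoformat(), modified.isoformat(), size)
```

A flagged path is a lead, not a conclusion: confirm it against other artifacts before treating it as timestamp manipulation.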