ShadowMap is a utility for mapping Windows volume shadow copies, allowing them to be queried and compared.
Volume shadow copies are created by Windows automatically to allow backups to previous versions of files.
They are very useful for backups and forensic examination.
It works by:
Mounting all shadow copies:
Running the tool ftimes to create detailed maps of specified locations (shadow copy volumes, folders, original volumes);
Importing these maps into a SQLLite database for fast and detailed querying;
Running ftimes for comparison.