VSCExplorer is a professional-grade forensic analysis tool that automates the discovery and exploration of Volume Shadow Copies (VSCs) from .E01 or dd disk images. Built with forensic professionals and cybercrime investigators in mind, this tool provides a clean and intuitive PyQt-based GUI to:
- 🔍 Detect all available Volume Shadow Snapshots within an image
- 📂 Mount and browse each VSC independently
- 🕰️ Recover deleted or historical files with timestamp preservation
- 📊 Perform timeline and artifact analysis over time-based snapshots
- 💾 Export evidence while maintaining forensic integrity
Supports Even Bitlocker Encrypted Images
-
🔍 VSC Detection & Enumeration even for BitLocker Encrypted Images
- Automatic discovery of all available Volume Shadow Snapshots
- Detailed metadata extraction (creation time, size, VSC ID)
- Support for multiple VSCs within single E01 image
-
📂 Interactive File Browser
- Tree-view navigation through VSC contents
- File and folder properties display
- Search and filter capabilities
- Thumbnail preview for supported file types
-
💾 Evidence Export
- Selective file and folder extraction
- Maintain original timestamps and metadata
- Generate hash verification for exported files
- Batch export capabilities
*There's a compatibility issue with Python 3.12. Please install Python 3.11 from the official Python website: https://www.python.org/downloads/release/python-3110/
If you don't have Microsoft C++ Build Tools installed, you'll need to install them to compile required packages like libewf-python and pytsk3.
*If you encounter this error while installing dependencies:
"Microsoft Visual C++ 14.0 or greater is required"
It means your C++ Build Tools are missing or outdated.
Please follow the steps below to install the latest version of "C++ Build Tools".Step 1: Download and Install Microsoft C++ Build Tools - https://visualstudio.microsoft.com/visual-cpp-build-tools/ During the installation, make sure to select the following workloads:
- Desktop development with C++
- C++ build tools
pytsk3==20250729
libewf-python==20240506
libbde-python==20240502
dfvfs
git clone https://github.com/sujayadkesar/vscexplorer.git
cd vscexplorer
pip install -r requirements.txt
python vscexplorer.py- Joachim Metz
For essential forensic libraries such as libewf and libbde.
These libraries form the foundation for E01, BitLocker, and other image handling capabilities in VSCExplorer.
Additionally i want to special mention Akhil Dara for the major contribution supporting bitlocker encyrption and is the key diffrentiator in the volume shadow copy explorer.