ShadowKit is a tool to aid in the recovery of Windows Volume Shadow Copy files in Windows7.  The pain and time involved in recovering shadow copy files made it clear a better way was needed. A lot of hard work and testing has gone in to making this tool. I hope you like it.

Project Goals
  • Improve the coverage of shadow copy recovery.
  • Cut the time and cost of recovering shadow copies.
  • Add more value for the client.

  • Extract what you want with a user friendly interface
  • No need to create a virtual machine of an acquired Win7 image to extract Shadow Copies
  • No need to do hacks like mklink+robocopy to extract Shadow Copies

*Microsoft .Net 4.0 Framework
*Administrator privileges


Download ShadowKit

"Standard" is free and will remain free. Value add features will likely be bundled in to a non free version in the future.

I have tested on Windows7 x64. As a new tool I hope you will send bug reports and check ShadowKit against your current tools/process and send me feedback! Thanks

Hundreds of hours of research, tinkering, coding and various articles have made it possible to create this tool. I hope to add more links in short order.
*Some write-ups on the Windows Incident Response blog stoked my interest and started my journey to find a better way to get at shadows.
*ShadowExplorer showed it could be done. I just wanted to make an interface tailored for forensics with more features.
*MSDN is a great resource.