vshadowinfo is part of libvshadow and can be installed with apt-get. It lets you list and mount the Volume Shadow Copies contained in an EWF image. You might want to use the SIFT workstation from SANS, as it comes with all of the needed mount directories pre-made.
To see how many copies exist, run this:
This assumes you have already mounted the E01 file (for example with ewfmount) so that it is exposed as a raw device under /mnt/ewf_mount/.
To expose each shadow copy as a raw image and mount it, use vshadowmount. Note that vshadowmount must be chained with && rather than backgrounded with &, otherwise the loop can start before the FUSE mount is ready, and each target directory has to exist before it is mounted:
vshadowmount /mnt/ewf_mount/ewf1 /mnt/vss && cd /mnt/vss && for i in vss* ; do mkdir -p "/mnt/shadow_mount/$i" && mountwin "$i" "/mnt/shadow_mount/$i" ; done
After that, cd into /mnt/shadow_mount and browse the mounted copies. Each one gives you a glimpse of the file system at the moment that shadow copy was taken, which can help you recover deleted files, or configurations and credentials that were changed as part of a breach.
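The same workflow as a small POSIX sh helper, added here as an example and not code from the original post or from the libvshadow project. It assumes the paths used above (/mnt/ewf_mount/ewf1, /mnt/vss, /mnt/shadow_mount), replaces the SIFT mountwin helper with an explicit read-only ntfs-3g mount so the options are visible, and parses vshadowinfo output to show the store count and the creation time of every store, so you can tell which snapshot predates the suspected compromise. The vshadowinfo text embedded in the block is constructed, not captured from a real image, so the two parsers can be exercised without the tools installed.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the vshadowinfo /
# vshadowmount workflow with the checks an examiner wants. Paths below are
# assumptions that mirror the post; override them via the environment.
EWF_DEV="${EWF_DEV:-/mnt/ewf_mount/ewf1}"      # raw device exposed by ewfmount
VSS_DIR="${VSS_DIR:-/mnt/vss}"                 # vshadowmount exposes vss1..vssN here
SHADOW_DIR="${SHADOW_DIR:-/mnt/shadow_mount}"  # one NTFS mount point per store

# count_stores: read vshadowinfo output on stdin, print the store count.
count_stores() {
    sed -n 's/^[[:space:]]*Number of stores:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# store_timeline: read vshadowinfo output on stdin and print
# "<store number><TAB><creation time>" for every store.
store_timeline() {
    awk '/^Store:/ { store = $2 }
         /Creation time/ { sub(/^[ \t]*Creation time[ \t]*:[ \t]*/, ""); print store "\t" $0 }'
}

# mount_shadows: expose the stores and mount each one read-only.
# Differences from the one-liner in the post: vshadowmount is chained with &&
# (not backgrounded with &) so the loop cannot run before the FUSE mount is up,
# every mount point is created first, and the NTFS mount options are spelled
# out instead of relying on the SIFT mountwin helper (assumes ntfs-3g).
mount_shadows() {
    [ -e "$EWF_DEV" ] || { echo "no EWF device at $EWF_DEV; run ewfmount first" >&2; return 1; }
    mkdir -p "$VSS_DIR" "$SHADOW_DIR"
    vshadowmount "$EWF_DEV" "$VSS_DIR" || return 1
    for store in "$VSS_DIR"/vss*; do
        [ -e "$store" ] || continue               # glob matched nothing
        name=$(basename "$store")
        mkdir -p "$SHADOW_DIR/$name"
        mount -t ntfs-3g -o ro,loop,show_sys_files,streams_interface=windows \
            "$store" "$SHADOW_DIR/$name" || echo "warning: could not mount $name" >&2
    done
}

# unmount_shadows: tear down in reverse order (NTFS mounts first, then FUSE).
unmount_shadows() {
    for mnt in "$SHADOW_DIR"/vss*; do
        [ -d "$mnt" ] && umount "$mnt"
    done
    fusermount -u "$VSS_DIR"
}

# Constructed vshadowinfo output (not captured from a real image) so the
# parsers above can be exercised without libvshadow installed.
SAMPLE_VSHADOWINFO='Volume Shadow Snapshot information:
    Number of stores:   2

Store: 1
    Identifier      : 00000000-0000-0000-0000-000000000001
    Creation time   : Aug 10, 2016 12:34:56 UTC

Store: 2
    Identifier      : 00000000-0000-0000-0000-000000000002
    Creation time   : Sep 01, 2016 08:00:00 UTC'

case "${1:-}" in
    info)   vshadowinfo "$EWF_DEV" | store_timeline ;;
    mount)  mount_shadows ;;
    umount) unmount_shadows ;;
    demo)   printf '%s\n' "$SAMPLE_VSHADOWINFO" | store_timeline ;;
esac
```

Run it as `sh vss.sh info` to get a store-by-store timeline from the real image, `sh vss.sh mount` (as root) to mount everything read-only under /mnt/shadow_mount, and `sh vss.sh umount` to tear it down; `demo` runs the parser over the constructed sample only.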