Folders of Interest

Shadow Volume Copies

Threat actors will attempt to delete shadow copy backups with vssadmin when deploying ransomware.

  • C:\System Volume

Workstation Log Files

Windows event logs (.evtx files) are stored in this folder; search them by Event ID.

  • C:\Windows\System32\winevt\Logs
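
An added example, not part of the original page: one way to flag the vssadmin shadow copy deletion described above in process-creation events (Security Event ID 4688) exported from this log folder. The records are constructed samples; the flattened dict layout and the name find_shadow_copy_deletion are assumptions, and 4688 events carry a command line only when command-line auditing is enabled.

```python
import re

# Security Event ID 4688 = "A new process has been created".
PROCESS_CREATION = 4688
# Matches "vssadmin delete shadows" with optional .exe, a closing quote, any casing.
VSS_DELETE = re.compile(r'\bvssadmin(\.exe)?"?\s+delete\s+shadows\b', re.IGNORECASE)

# Constructed sample records (not real log data): 4688 events flattened to dicts,
# as they might look after exporting Security.evtx to JSON (assumed layout).
SAMPLE_EVENTS = [
    {"EventID": 4688, "TimeCreated": "2024-05-01T09:14:02Z", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"EventID": 4688, "TimeCreated": "2024-05-01T09:20:41Z", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"EventID": 4688, "TimeCreated": "2024-05-01T09:21:10Z", "SubjectUserName": "bob",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": None},  # command-line auditing not enabled on this host
    {"EventID": 4624, "TimeCreated": "2024-05-01T09:22:00Z", "SubjectUserName": "bob"},
]

def find_shadow_copy_deletion(events):
    """Return (time, user, verdict) for vssadmin launches that need attention."""
    findings = []
    for ev in events:
        if ev.get("EventID") != PROCESS_CREATION:
            continue
        image = (ev.get("NewProcessName") or "").lower()
        cmd = ev.get("CommandLine")
        if cmd and VSS_DELETE.search(cmd):
            verdict = "shadow-copy-deletion"
        elif not cmd and image.endswith("\\vssadmin.exe"):
            # Without the command line the action is unknown; surface it for review.
            verdict = "vssadmin-no-commandline"
        else:
            continue
        findings.append((ev["TimeCreated"], ev["SubjectUserName"], verdict))
    return findings

if __name__ == "__main__":
    for finding in find_shadow_copy_deletion(SAMPLE_EVENTS):
        print(*finding)
```

The read-only `vssadmin list shadows` call is not reported, while a vssadmin launch with no recorded command line is surfaced for manual review rather than silently dropped.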
