The Volume Shadow Copy Service is a backup infrastructure provided by Windows that creates point-in-time copies of a volume. Windows Vista and later versions use the service instead of the earlier restore point feature. Whereas the restore-point feature logically copies and stores specified files, Volume Shadow copies and stores only data that change in the volume. In a live system, Volume Shadow copies can be checked and recovered through commands provided by the system, but it is difficult to analyze files stored in the Volume Shadow copies of a dead system, such as a disk image, because only changed data are stored. Hence, this study analyzed the structure of Volume Shadow Copy files that are logically stored. This analysis confirmed the locations of changed data and original copies by identifying a structure that stores the file data stream to file system metadata. On the basis of our research, we propose a practical application by developing tools that enable recovery of snapshot data stored within Volume Shadow Copy files; we also present a successful case study.