Introduction:
In the realm of digital forensics, gaining insights into the changes made to files and volumes over time can be critical for uncovering evidence and understanding system activity. One powerful tool in this endeavor is Volume Shadow Copy (VSC), a feature found in modern Windows operating systems such as Windows Vista, Windows 7, Windows 8, and Windows 2008.
Understanding Volume Shadow Copies:
Volume Shadow Copies are a feature of the Windows operating system that allows users to create snapshots, or copies, of files and folders at different points in time. These snapshots are created by the Volume Shadow Copy Service (VSS) and can be used to restore files to previous versions in the event of data loss or corruption. While VSCs were initially introduced with Windows XP and System Restore points, they evolved into a more robust feature with Vista and Server 2008, providing persistent snapshots of the entire volume.
Recovering Cleared Data:
One of the key advantages of Volume Shadow Copies is their ability to recover data that has been deleted or modified, even if it has been wiped by attackers. By examining historical artifacts from earlier snapshots, forensic analysts can uncover evidence of malicious activities that may have been hidden or erased. This includes recovering deleted executables, DLLs, drivers, registry files, and even encrypted or wiped files.
Tools for Analyzing Volume Shadow Copy:
VSC-Toolset
Magnet Forensics(if still available)
Creating Volume Shadow Copies:
Volume Shadow Copies can be created using various methods, including System Snapshot, Software Installation, and Manual Snapshot. System snapshots are scheduled to occur every 24 hours on Windows Vista and every 7 days on Windows 7, although the timing may vary based on system activity.
To obtain a list of the shadows execute:
Step 1: Open Command Prompt Begin by opening Command Prompt with administrative privileges.
Step 2: Execute vssadmin Command In the Command Prompt window, type the following command:
vssadmin list shadows /for=C:Replace "C:" with the drive letter for which you want to list the available shadow copies.
Step 3: Review the Output . Here are some key things to notice in the output:
1. Shadow Copy Volume Name:
• The name of the shadow copy volume is crucial for examining the contents of that specific volume.
2. Originating Machine:
• If you have plugged in an NTFS drive from another shadow copy-enabled machine, the originating machine's name will be listed.
3. Creation Time:
• Pay attention to the system time of the creation time . This timestamp indicates when the snapshot was created, helping you identify which shadow copy volume might contain the data you're interested in.
Leveraging Symbolic Links to Explore Shadow Copy Volumes:
Administrators can utilize symbolic links to navigate and scan directories containing shadow copy volumes. This method provides a convenient way to access previous versions of files and directories directly from a live machine.
Step 1: Open an Administrator Command Prompt Start by opening a Command \
Step 2: Select a Shadow Copy Volume Refer to the output of the vssadmin command to identify the shadow copy volume you want to examine. Choose a volume based on the date and time of the snapshot you're interested in.
In my example: When I use command vssadmin list shadows /for=C:
I found 3 shadow copies But I am going to use 3rd one
Step 3: Create a Symbolic Link In the Command Prompt window, execute the following command
C:\> mklink /d C:\shadow_copy3 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
Replace "C:\shadow_copy3" with the directory path where you want to create the symbolic link. Ensure to include the trailing backslash in the command
Step 4: Access the Shadow Copy Volume Once the symbolic link is created, you can navigate to the specified directory (e.g., C:\shadow_copy3) using File Explorer or the Command Prompt. This directory now points to the selected shadow copy volume, allowing you to browse its contents as if it were a regular directory on your system.
Step 5: Retrieve Files or Directories Utilize the symbolic link to access previous versions of files and directories stored in the shadow copy volume. This capability is particularly valuable for recovering files that may have been deleted, overwritten, or corrupted on the live system.
Examine/Extracting Volume Shadow data using ShadowExplorer:
Step 1: Mount the disk image in Arsenal Image Mounter in "Write Temporary" mode. Arsenal Image Mounter is necessary because FTK Imager's mount capability does not expose the Volume Shadow Copies (VSCs) to the underlying operating system.
Open Arsenal Image Mounter--> click on mount image--> Select image--> OpenWrite temporary --> Okay
Step 2: Launch ShadowExplorer as Administrator. It's important to run ShadowExplorer with administrator privileges to ensure that it can parse all the files and folders available to the analyst.
Step 3: Browse Snapshots. ShadowExplorer provides a familiar Windows Explorer-like interface, making it easy to navigate through the available snapshots. You can browse the snapshots just like you would in Windows Explorer.
Step 4: Extract Files. To extract files of interest, simply right-click on the file or folder you want to extract and select "Export." This will allow you to save the selected files or folders to a location of your choice on your system.
Challenges and Considerations:
While Volume Shadow Copies are a powerful tool for forensic analysis, there are some limitations and considerations to keep in mind. For example, the introduction of ScopeSnapshots in Windows 8 can impact the forensic usefulness of VSCs by limiting the scope of volume snapshots to files relevant for system restore only. However, this feature can be disabled through registry settings on client systems, allowing forensic analysts to access more complete volume backups.
Conclusion:
Volume Shadow Copies provide forensic analysts with a valuable resource for recovering deleted or modified data and uncovering evidence of malicious activities on compromised systems. By understanding how VSCs work and overcoming challenges such as ScopeSnapshots, forensic analysts can enhance their capabilities and improve their ability to conduct thorough investigations.
Comments