Page 1
SHADOW FORENSICS: Forensics on Windows Volume Shadow Copies
Yogesh Khatri
Page 2
Volume Shadow Copy (VSC) in use
• VSC enables the ‘Previous Versions’ functionality in Windows 7
• Similar functionality called ‘File History’ is used in Windows 8
Page 3
System Restore uses VSC
Page 4
VSC
• Uses
  • Previous Versions/File History functionality
  • Create System Restore Points
  • Backup API for taking ‘Snapshots’ of files/folders/disk
  • Used by Windows Backup, Hyper-V, Virtual Server, Active Directory, SQL Server, Exchange Server & SharePoint
  • Used by backup software & AV for reading locked (in-use) files
• Implementation
  • Only for NTFS volumes
  • Volume ShadowCopy Service (VSS)
  • Included in Windows 2003 onwards, including Windows 8
  • Not enabled by default on Windows 2008 or 2008 R2
Page 5
Location of Backups/Restore Points
• Default
  • <Drive Letter>:\System Volume Information
• Applications can use the API to write to any location
Page 6
Volume Shadow Copy
• C:\System Volume Information
Figure: ‘C:\System Volume Information’ Folder viewed in Encase 6
Page 7
Forensic Importance
• Shadow copies are the source data for Restore Points and the Restore Previous Versions features
• Shadow copies provide a “snapshot” of a volume at a particular time
• Shadow copies can show how files have been altered/modified
• Shadow copies can retain data that has subsequently been deleted, wiped, or encrypted
Page 8
However...
Volume shadow copies DO NOT contain a complete image of everything that was on the volume at the time the shadow copy was made!
Figure: Settings for VSC located in Registry at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore
Page 9
Basic Technical Details
• Volume shadow copies are bit level differential backups of a volume
  • NOT file level backups
• Scheme
  • 16 KB blocks
  • Copy on write
  • Volume Shadow copy files are “difference” files
Figure: Driver stack (File, Volume, Disk)
Page 10
Figure: Copy-on-write illustration. Raw disk blocks 0 to 6 hold Amit.pdf (36 KB), Flier.PPT (10 KB) and Info.txt (32 KB) in 16 KB blocks; a second row shows the blocks copied into the VSC file.
Operations
1. Edit & save Info.txt
2. Delete Amit.pdf
3. Edit & save Info.txt
Resulting VSC file has copies of only the modified blocks.
Page 11
Recreating the volume in time
• VSC by itself does not have all data
  • Only modified blocks are saved
• Need the volume itself to recreate the complete disk
Figure: Volume (NOW) blocks 0 to 6, combined with the VSC data, give the Volume (before all operations).
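The copy-on-write scheme and the reconstruction step from the two figures above, as an added example that is not part of the deck: a small Python model with the 16 KB block size the slides give, where a store starts empty, receives a block only when that block is about to be overwritten, and the volume at snapshot time is rebuilt from the store plus the live volume. File names and block layout are constructed for the demo.

```python
# Added example (not from the slides): a small model of the copy-on-write scheme
# described above, with the deck's 16 KB block size. A shadow copy's store starts
# empty and receives a block only when that block is about to be overwritten, so
# rebuilding the volume as it was needs the store AND the live volume.
BLOCK_SIZE = 16 * 1024


def fill(tag: str) -> bytes:
    """One constructed 16 KB block filled with a short label."""
    return (tag.encode() * BLOCK_SIZE)[:BLOCK_SIZE]


class Volume:
    def __init__(self, blocks: list):
        self.blocks = list(blocks)   # the live volume (NOW), one entry per block
        self.stores = []             # one difference store per shadow copy

    def create_shadow_copy(self) -> int:
        """Take a snapshot: nothing is copied yet. Returns the shadow copy index."""
        self.stores.append({})
        return len(self.stores) - 1

    def write_block(self, index: int, data: bytes) -> None:
        """Copy-on-write: keep the old block in each store lacking it, then overwrite."""
        assert len(data) == BLOCK_SIZE, "writes are whole 16 KB blocks"
        for store in self.stores:            # simplified model: saved once per store
            store.setdefault(index, self.blocks[index])
        self.blocks[index] = data

    def reconstruct(self, shadow: int) -> list:
        """The volume at snapshot time: store blocks where present, live blocks elsewhere."""
        store = self.stores[shadow]
        return [store.get(i, blk) for i, blk in enumerate(self.blocks)]


def demo() -> dict:
    # Constructed layout: block 0 metadata, 1-2 Info.txt (32 KB), 3-5 Amit.pdf, 6 free
    vol = Volume([fill("meta"), fill("info-v1"), fill("info-v1"),
                  fill("amit"), fill("amit"), fill("amit"), fill("free")])
    snap = vol.create_shadow_copy()
    vol.write_block(1, fill("info-v2"))      # 1. edit & save Info.txt
    amit_blocks = [3, 4, 5]                  # 2. delete Amit.pdf: no block is rewritten
    vol.write_block(3, fill("newfile"))      #    ...until a new file reuses block 3
    vol.write_block(1, fill("info-v3"))      # 3. edit Info.txt again: block 1 already saved
    before = vol.reconstruct(snap)
    return {
        "store_blocks": sorted(vol.stores[snap]),            # only modified blocks: [1, 3]
        "store_bytes": len(vol.stores[snap]) * BLOCK_SIZE,   # 32 KB of a 112 KB volume
        "info_at_snapshot": before[1][:7].decode(),          # "info-v1"
        "amit_recovered": all(before[i] == fill("amit") for i in amit_blocks),
    }
```

The store ends up holding two of seven blocks, yet the deleted Amit.pdf and the first version of Info.txt are both recoverable from store plus live volume, which is exactly why a VSC file alone is not a full image.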
Page 12
VSC File Format
Layout: HEADER | CATALOG | DATA STORES
• HEADER: contains the VSS identifier and the Catalog offset
• CATALOG: contains shadow copy GUIDs, creation times, store offsets, etc.
• DATA STORES: contain details of shadow copy providers, host machine info, volume bitmaps and the associated data
File and description:
• {3808876b-c176-4e48-b7ae-04046e6cc752}: Catalog only
• {GUID}{3808876b-c176-4e48-b7ae-04046e6cc752}: Catalog and data
Page 13
Browsing local shadow copies
Page 14
Listing local Shadow copies
• Use the ‘vssadmin’ tool
Page 15
List files in shadow copy
• Commands:
  vssadmin list shadows
  set shadow=\\?\GLOBALROOT\Device\Harddiskvolumeshadowcopyxx
  for /R %shadow%\ %i in (*) do echo %i
  Or
  for /R %shadow%\ %i in (*) do echo %i>>"C:\shadow.txt"
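The listing procedure above, as an added example that is not part of the deck: a Python parser for the text that `vssadmin list shadows` prints, which pulls out each shadow copy's creation time and device path and fills that path into the `set shadow=` / `for /R` lines. SAMPLE_OUTPUT is constructed in the shape of vssadmin's output; its GUIDs and machine name are placeholders.

```python
# Added example (not from the slides): parse what `vssadmin list shadows` prints
# into records and fill its device path into the `set shadow=` / `for /R` commands
# above. SAMPLE_OUTPUT is constructed in the shape vssadmin prints; GUIDs and the
# machine name are placeholders.
SAMPLE_OUTPUT = r"""
Contents of shadow copy set ID: {11111111-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 3/20/2022 9:05:12 AM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000001}
         Original Volume: (C:)\\?\Volume{0f0f0f0f-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: EXAMPLE-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Attributes: Persistent, Client-accessible, No auto release, Differential

Contents of shadow copy set ID: {11111111-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 3/25/2022 6:40:01 PM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000002}
         Original Volume: (D:)\\?\Volume{0f0f0f0f-0000-0000-0000-000000000002}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Attributes: Persistent, Client-accessible, No auto release, Differential
"""


def parse_vssadmin(text: str) -> list:
    """Return one dict per shadow copy; 'created' comes from the enclosing set line."""
    copies, created, cur = [], "", None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")   # first colon only: times keep theirs
        value = value.strip()
        if key.startswith("Contained ") and key.endswith("creation time"):
            created = value
        elif key == "Shadow Copy ID":
            cur = {"shadow_id": value, "created": created, "attributes": []}
            copies.append(cur)
        elif cur is not None and key == "Original Volume":
            cur["original_volume"] = value
        elif cur is not None and key == "Shadow Copy Volume":
            cur["device_path"] = value
        elif cur is not None and key == "Attributes":
            cur["attributes"] = [a.strip() for a in value.split(",")]
    return copies


def copies_for_volume(copies: list, drive: str) -> list:
    """Shadow copies taken of a given drive letter such as 'C:'."""
    return [c for c in copies if c.get("original_volume", "").startswith(f"({drive})")]


def listing_commands(copy: dict) -> str:
    """The two cmd.exe lines from the slide with this copy's device path filled in."""
    return f"set shadow={copy['device_path']}\nfor /R %shadow%\\ %i in (*) do echo %i"
```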
Page 16
Investigate Shadow Copies from another disk
• Commercial software
  • Use Encase Physical Disk Emulator and a manual approach using command line / PowerShell
  • X-Ways Forensics (XWF)
  • Shadow Scanner from EKL
  • Reconnoitre from Sanderson Forensics
  • ProDiscover
Page 17
Investigate Shadow Copies from another disk
• FREEWARE approach 1
  • Use FTK Imager to mount your evidence disk as a physical device
  • Add the mounted disk as a new Hard Disk to an existing Windows 7 Virtual Machine (VM) in VMware Player (or VirtualBox)
  • Boot the VM; vssadmin should now be able to see the snapshots
  • Use the manual approach to list / parse / copy out
• FREEWARE approach 2
  • Use Joachim Metz’s libvshadow project (https://code.google.com/p/libvshadow/)
  • Mounts your shadow copies in a Linux environment
Page 18
FTK Imager + VMware
Figure: FTK Imager Mount Settings; VM settings (added new Hard Disk)
Page 19
Questions
Thanks for listening!
More forensic articles, tips and scripts on my blog – www.swiftforensics.com
Yogesh Khatri
Director, Training & Services
W.H.S.
Page 20
References
• libvshadow (https://code.google.com/p/libvshadow/)
• Volume Shadow Copy Service on MSDN (http://msdn.microsoft.com/en-us/library/windows/desktop/bb968832(v=vs.85).aspx)
• Harlan Carvey’s blog (http://windowsir.blogspot.com)