SHADOW FORENSICS: Forensics on Windows Volume Shadow Copies

Yogesh Khatri

Upload: nu-the-open-security-community

Post on 12-Jul-2015


Page 1

SHADOW FORENSICS: Forensics on Windows Volume Shadow Copies

Yogesh Khatri

Page 2

Volume Shadow Copy (VSC) in use

• VSC enables the ‘Previous Versions’ functionality in Windows 7
• Similar functionality called ‘File History’ is used in Windows 8

Page 3

System Restore uses VSC

Page 4

VSC

• Uses
  • Previous Versions/File History functionality
  • Create System Restore Points
  • Backup API for taking ‘Snapshots’ of files/folders/disk
  • Used by Windows Backup, Hyper-V, Virtual Server, Active Directory, SQL Server, Exchange Server & SharePoint
  • Used by backup software & AV for reading locked (in-use) files
• Implementation
  • Only for NTFS volumes
  • Volume Shadow Copy Service (VSS)
  • Included in Windows 2003 onwards, including Windows 8
  • Not enabled by default on Windows 2008 or 2008 R2

Page 5

Location of Backups/Restore Points

• Default
  • <Drive Letter>:\System Volume Information
• Applications can use the API to write to any location

Page 6

Volume Shadow Copy

• C:\System Volume Information

Figure: ‘C:\System Volume Information’ Folder viewed in Encase 6

Page 7

Forensic Importance

• Shadow copies are the source data for Restore Points and the Restore Previous Versions features
• Shadow copies provide a “snapshot” of a volume at a particular time
• Shadow copies can show how files have been altered/modified
• Shadow copies can retain data that has subsequently been deleted, wiped, or encrypted

Page 8

However...

Volume shadow copies DO NOT contain a complete image of everything that was on the volume at the time the shadow copy was made!

Figure: Settings for VSC located in Registry at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore

Page 9

Basic Technical Details

• Volume shadow copies are bit-level differential backups of a volume
  • NOT file-level backups
• Scheme
  • 16 KB blocks
  • Copy on write
  • Volume Shadow Copy files are “difference” files

Figure: driver stack (Disk, Volume, File)

Page 10

Figure: Copy-on-write illustration. Raw disk blocks 0 to 6 (16 KB each) hold Amit.pdf (36 KB), Flier.PPT (10 KB) and Info.txt (32 KB); the VSC file beside them holds only the blocks copied out before they were overwritten.

Operations:

1. Edit & save Info.txt
2. Delete Amit.pdf
3. Edit & save Info.txt

Resulting VSC file has copies of only the modified blocks.

Page 11

Recreating the volume in time

• VSC by itself does not have all the data
• Only modified blocks are saved
• Need the volume itself to recreate the complete disk

Figure: Volume (NOW), blocks 0 to 6, combined with the VSC data gives the Volume (before all operations), blocks 0 to 6
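The three slides above describe the copy-on-write scheme in prose; the following is a small Python model of it, added here as an example and not code from the presentation. The 7-block layout, the in-memory block store and the reuse of a deleted file's block are assumptions of the model.

```python
BLOCK = 16 * 1024  # copy-on-write granularity named in the slides: 16 KB blocks


class CowVolume:
    """Constructed model of one NTFS volume with a single shadow copy (not code from
    the presentation). The store holds only the pre-change content of blocks that are
    written after the snapshot; every other block must be read from the live volume
    when the earlier state is reconstructed."""

    def __init__(self, block_count):
        self.blocks = [bytes(BLOCK)] * block_count  # live volume ("NOW"), one entry per block
        self.store = None                           # block no. -> saved original block

    def snapshot(self):
        """Taking the shadow copy copies nothing; it only arms copy-on-write."""
        self.store = {}

    def write(self, block_no, data):
        """The first write to a block after the snapshot saves its old content, once."""
        data = data.ljust(BLOCK, b"\0")[:BLOCK]     # the model works in whole 16 KB blocks
        if self.store is not None and block_no not in self.store:
            self.store[block_no] = self.blocks[block_no]
        self.blocks[block_no] = data

    def snapshot_view(self):
        """Volume as it was at snapshot time: live blocks with the saved blocks overlaid."""
        if self.store is None:
            raise RuntimeError("no shadow copy exists")
        return [self.store.get(i, live) for i, live in enumerate(self.blocks)]


def demo():
    """Replays the slide's three operations on a 7-block volume (blocks 0..6)."""
    vol = CowVolume(7)
    vol.write(0, b"Amit.pdf data")        # laid down before the snapshot: no store involved
    vol.write(4, b"Info.txt v1")
    vol.snapshot()
    vol.write(4, b"Info.txt v2")          # 1. edit & save Info.txt  -> old block 4 saved
    vol.write(0, b"new file in block 0")  # 2. delete Amit.pdf; the model reuses its block
    vol.write(4, b"Info.txt v3")          # 3. edit & save again     -> block 4 NOT saved twice
    old = vol.snapshot_view()
    return {
        "store_blocks": sorted(vol.store),               # only the modified blocks: [0, 4]
        "amit_recovered": old[0].rstrip(b"\0"),          # deleted-then-overwritten data survives
        "info_at_snapshot": old[4].rstrip(b"\0"),        # first pre-image wins: v1, not v2
        "unchanged_from_live": old[1] is vol.blocks[1],  # block 1 had to come from the live volume
    }
```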

Page 12

VSC File Format

Layout: HEADER | CATALOG | DATA STORES

• HEADER: contains the VSS identifier and the Catalog offset
• CATALOG: contains shadow copy GUIDs, creation times, store offsets, etc.
• DATA STORES: contain details of shadow copy providers, host machine info, volume bitmaps and the associated data

File                                            Description
{3808876b-c176-4e48-b7ae-04046e6cc752}          Catalog only
{GUID}{3808876b-c176-4e48-b7ae-04046e6cc752}    Catalog and data

Page 13

Browsing local shadow copies

Page 14

Listing local Shadow copies

• Use the ‘vssadmin’ tool

Page 15

List files in shadow copy

• Commands (typed at a cmd prompt, so the loop variable is %i rather than the %%i a batch file would need; xx is the shadow copy number reported by vssadmin list shadows):

    vssadmin list shadows
    set shadow=\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyxx
    for /R %shadow%\ %i in (*) do echo %i

  Or, to write the listing to a file:

    for /R %shadow%\ %i in (*) do >>"C:\shadow.txt" echo %i

  The redirection is placed before echo because cmd treats a single digit immediately followed by >> as a handle number, so a path ending in a digit (…\log2>>) would redirect stderr instead of writing the path.
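A parser for the `vssadmin list shadows` output that the commands above start from, added here as an example and not the presenter's code. The sample output is constructed to mirror vssadmin's layout, with made-up GUIDs and times; the field names in the resulting dicts are this example's own.

```python
import re
from datetime import datetime

# Constructed sample in the layout of `vssadmin list shadows` (made-up GUIDs and times).
SAMPLE = """\
Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 7/10/2015 9:15:02 AM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\\\?\\Volume{0f0f0f0f-1234-5678-9abc-def012345678}\\
         Shadow Copy Volume: \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1
         Attributes: Persistent, Client-accessible, No auto release, Differential

Contents of shadow copy set ID: {66666666-7777-8888-9999-000000000000}
   Contained 1 shadow copies at creation time: 7/12/2015 6:40:33 PM
      Shadow Copy ID: {ffffffff-0000-1111-2222-333333333333}
         Original Volume: (C:)\\\\?\\Volume{0f0f0f0f-1234-5678-9abc-def012345678}\\
         Shadow Copy Volume: \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2
         Attributes: Persistent, Client-accessible, No auto release, Differential
"""
TIME_RE = re.compile(r"creation time: (?P<ts>.+)$")
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+): (?P<val>.*)$")


def parse_vssadmin(text):
    """Turn `vssadmin list shadows` output into one dict per shadow copy."""
    shadows, cur, created = [], None, None
    for line in text.splitlines():
        if line.startswith("Contents of shadow copy set ID:"):
            cur = None                       # a new set: following fields start a new copy
            continue
        m = TIME_RE.search(line)
        if m:                                # creation time applies to the copies below it
            created = datetime.strptime(m["ts"].strip(), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m["key"].strip().lower().replace(" ", "_"), m["val"].strip()
        if key == "shadow_copy_id":
            cur = {"shadow_copy_id": val, "created": created}
            shadows.append(cur)
        elif cur is not None:
            cur[key] = val
    return shadows


def shadows_for_drive(shadows, drive="C:"):
    """Copies of one drive, newest first; 'shadow_copy_volume' feeds the slide's set shadow=... step."""
    mine = [s for s in shadows if s.get("original_volume", "").startswith("(" + drive + ")")]
    return sorted(mine, key=lambda s: s["created"], reverse=True)
```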

Page 16

Investigate Shadow Copies from another disk

• Commercial software
  • Use EnCase Physical Disk Emulator and a manual approach using command line / PowerShell
  • X-Ways Forensics (XWF)
  • Shadow Scanner from EKL
  • Reconnoitre from Sanderson Forensics
  • ProDiscover

Page 17

Investigate Shadow Copies from another disk

• FREEWARE approach 1
  • Use FTK Imager to mount your evidence disk as a physical device
  • Add the mounted disk as a new Hard Disk to an existing Windows 7 Virtual Machine (VM) in VMware Player (or VirtualBox)
  • Boot the VM; vssadmin should now be able to see the snapshots
  • Use the manual approach to list / parse / copy out
• FREEWARE approach 2
  • Use Joachim Metz’s libvshadow project (https://code.google.com/p/libvshadow/)
  • Mounts your shadow copies in a Linux environment

Page 18

FTK Imager + VMware

Figure: FTK Imager Mount Settings

Figure: VM settings (added new Hard Disk)

Page 19

Questions

Thanks for listening!

More forensic articles, tips and scripts on my blog – www.swiftforensics.com

Yogesh Khatri

Director, Training & Services

W.H.S.


Page 20

References

• libvshadow (https://code.google.com/p/libvshadow/)
• Volume Shadow Copy Service on MSDN (http://msdn.microsoft.com/en-us/library/windows/desktop/bb968832(v=vs.85).aspx)
• Harlan Carvey’s blog (http://windowsir.blogspot.com)