I am doing an analysis on a Win 7 laptop. There are several VSCs, but I am not seeing the data I wish I was (by mounting the drive and using Shadow Explorer). Am I correct in believing that the data seen is a sum of the original file and all the shadow copies before it (at least the ones the file appears in)? Thus, if you delete the original file, even if there are alterations stored in a VSC, you will not see the file in the versions it would otherwise show up in?
Hope that was clear.
Also, I've been putzing around, and I can't find anyone with better analysis techniques besides mounting and using Shadow Explorer (I know you can image it, but due to a problem with my machine, I can't). Aren't there any tools that allow better analysis than Shadow Explorer? I saw a presentation by Red Wolf Forensics with a great tool, but it is not out yet. Using Shadow Explorer seems so primitive.
Many thanks for any and all responses.
(I can't remember who to credit for this (Harlan?))
If you mount the drive you could try running the following command. It should create links to the different shadow copies on the volume:
for /f "tokens=4" %f in ('vssadmin list shadows ^|findstr GLOBALROOT') do @for /f "tokens=4 delims=\" %g in ("%f") do @mklink /d %SYSTEMDRIVE%\%g %f\
After running the command, you will be able to use FTK Imager (or your tool of choice) to see/seize all the shadow copies on the volume.
Shadow Copy works by making a block-level copy of any changes that have occurred to files since the last shadow copy. Only the changes to the files are copied, not the entire file. The files containing the changes are typically kept in the \\?\System Volume Information\ folder.
If you delete the original file, you should still be able to access a full copy via the shadow copy links. I've done this on a 2008 server - deleted files are still available.
Interesting. Then the reason I am not seeing files that I knew were there at some point in time must be because they were quick to delete them, less than a day.
http//
There is a great paper here from James Crabtree and Gary Evans at QCC.
This helped me out a lot when I first started looking at VSS.
The only tool that I've found that can mount images in an appropriate way to allow them to be accessed by the VSS admin on the local machine is EnCase PDE. I'd be interested to know if anyone has found any other tools that work with the methods described in this paper.
A couple of things could account for the file not showing up in the volume shadow copies. If the file was deleted before the oldest VSC was created then the file may not be in any VSCs. Another option is because the file or its location is in a place that isn't included in the VSC service. The QCC Information Security whitepaper discusses the registry key which lists excluded files. The last option you already mentioned which is the file was created and deleted before a VSC was created.
I've been putzing around, and I can't find anyone with better analysis techniques besides mounting and using Shadow Explorer (I know you can image it, but due to a problem with my machine, I can't). Aren't there any tools that allow better analysis than Shadow Explorer?
A technique I've been having success with is mounting the image, creating hard links to VSCs of interest, and then parsing the data stored in the VSCs. The approach avoids the time needed to image each VSC, and it's faster than using robocopy to copy the data out.
I use Encase's PDE to mount the image but Harlan put together a post showing how to mount an image using free tools.
http//
Once mounted I use the mklink command to create hard links to each VSC. I put together a batch script to automate this to avoid having to keep running the same command.
http//
At this point any command-line tool can be executed against the hard links, which in turn executes against the data stored in the VSC. For certain information this is the best method for analyzing VSCs I have found so far. I even put together a script that lets me perform a range of examination steps against different artifacts in each VSC.
Rob Lee discussed another method for analyzing VSCs by running The Sleuth Kit directly against the VSCs (no need to create hard links). The only tools I've come across that work in this manner are The Sleuth Kit and the Windows copy command. Here is his write-up:
http//
hth
Corey Harrell
"Journey into Incident Response"
http//journeyintoir.blogspot.com
I recently wrote some software which is predominantly GUI for the mounting and imaging of VSCs. The symbolic link can be mounted as a network share or an actual symbolic link. The imaging is done through George Garner's FAU. You can find the software (Cliff) on Page OS6 on my site.
Allan S Hay
I guess I should have joined Forensic Focus some years ago. I've finally gotten round to it :D
Just wanted to say thanks for the VSS white paper feedback. The procedure has been tweaked slightly since it was written.
In practice it becomes a bit of a pain when the hard links are named 'rp1' or 'ShadowCopy1'. Every time you repeat the exercise the same shadow copies are allocated a different number; this makes it difficult to keep track of which shadow copy data you are dealing with.
The revised process creates the hard links named after the created date of the shadow copy.
Gary.
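An added example (not Corey's batch script or Gary's revised procedure, and not from the QCC paper) that automates the two points raised above: it parses `vssadmin list shadows` output, and builds one `mklink /d` command per shadow copy with the link named after the copy's creation time rather than its volatile ShadowCopyN number. The vssadmin text below is constructed, and the US-style date format it uses is an assumption (vssadmin prints dates in the machine's locale).

```python
import re
from datetime import datetime

# Constructed sample of `vssadmin list shadows` output; two shadow copies of C:.
SAMPLE_VSSADMIN = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 3/30/2012 8:30:00 AM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12
         Type: ClientAccessibleWriters

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 4/2/2012 11:05:17 PM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy15
         Type: ClientAccessibleWriters
"""

CREATED_RE = re.compile(r"creation time:\s*(.+?)\s*$")
DEVICE_RE = re.compile(r"Shadow Copy Volume:\s*(\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+)")

def parse_shadows(text):
    """Return [(created datetime, GLOBALROOT device path)] in vssadmin order."""
    shadows, created = [], None
    for line in text.splitlines():
        m = CREATED_RE.search(line)
        if m:  # creation time precedes the device line within each set
            created = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = DEVICE_RE.search(line)
        if m and created is not None:
            shadows.append((created, m.group(1)))
    return shadows

def link_name(created, device):
    """Stable, date-based link name; the device number is kept as a tiebreaker."""
    num = device.rsplit("ShadowCopy", 1)[1]
    return f"VSC_{created:%Y-%m-%d_%H%M%S}_sc{num}"

def mklink_commands(text, root="C:"):
    """One mklink /d per shadow copy; the target needs its trailing backslash."""
    return [f"mklink /d {root}\\{link_name(c, d)} {d}\\" for c, d in parse_shadows(text)]

if __name__ == "__main__":
    print("\n".join(mklink_commands(SAMPLE_VSSADMIN)))
```

On a live system, feed the script the real output (`vssadmin list shadows > shadows.txt`) and run the emitted lines from an elevated prompt; the link names then stay the same across repeated runs because they come from the creation timestamp, not from the ShadowCopyN ordinal.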
Just wanted to say thanks for the VSS white paper feedback. The procedure has been tweaked slightly since it was written.
Thanks for sharing and putting it out there, this literally helped make a couple of cases I was working on at the time !
Also, I've been putzing around, and I can't find anyone with better analysis techniques besides mounting and using Shadow Explorer (I know you can image it, but due to a problem with my machine, I can't).
I started my blog series on another approach to examining VSCs. The technique involves parsing the data while it is still inside the VSC. The first post can be found here:
http//
Corey Harrell
"Journey into Incident Response"
http//journeyintoir.blogspot.com
ILooKIX will break down volume shadow copies, either in full or differential, and show you the contents within its regular filesystem browser. You can do everything to the contents just as if they were standard files: hash, index, eliminate, search, copy out, etc.